orcus | 67186135fcb9c521054eafaeab47b5c6c92f25a97c35f8178bee5778e4d45636

Analysis

max time kernel
1050s
max time network
1026s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
01/04/2025, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEGR.exe
Size

907KB
MD5

c37aede530770e4960f21ca09f3a8e1c
SHA1

588a47f35d6c90ed47c433da4fdb35309cb8f166
SHA256

67186135fcb9c521054eafaeab47b5c6c92f25a97c35f8178bee5778e4d45636
SHA512

0f880912f868d7a678e01fe6f7ba09889a9d465bb033e9fc5993f59a5144b8c7b75cc1009c000f6d3f3a584d3954c9beb4ce938bc80b1b2aebe78f139dd65dc4
SSDEEP

24576:N3s4MROxnFj3G73MJJXRrZlI0AilFEvxHiWB:N3/Mi1kOhrZlI0AilFEvxHi

Score

10^/10

orcus negr discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

negr

213.209.143.58:2095

Mutex

aab067bbecf6478ca540d713fe8e0084

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000028189-27.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000028189-27.dat	orcus
behavioral1/memory/2068-32-0x0000000000FA0000-0x0000000001088000-memory.dmp	orcus

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	NEGR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	Orcus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	OrcusWatchdog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	Orcus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	OrcusWatchdog.exe

Executes dropped EXE 10 IoCs

pid	Process
2068	Orcus.exe
1600	Orcus.exe
4880	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
4408	Orcus.exe
4640	Orcus.exe
5496	OrcusWatchdog.exe
5548	OrcusWatchdog.exe
1904	Orcus.exe
2984	Orcus.exe

Loads dropped DLL 1 IoCs

pid	Process
2068	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	NEGR.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	NEGR.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	NEGR.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	NEGR.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Orcus.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	NEGR.exe
File created	C:\Windows\assembly\Desktop.ini	NEGR.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	NEGR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5544	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5544	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe
2068	Orcus.exe
5108	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	Orcus.exe
Token: SeDebugPrivilege	4880	OrcusWatchdog.exe
Token: SeDebugPrivilege	5108	OrcusWatchdog.exe
Token: SeDebugPrivilege	4408	Orcus.exe
Token: SeDebugPrivilege	5496	OrcusWatchdog.exe
Token: SeDebugPrivilege	5548	OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2068	Orcus.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2068	Orcus.exe
2068	Orcus.exe
4408	Orcus.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5476 wrote to memory of 4556	5476	NEGR.exe	83
PID 5476 wrote to memory of 4556	5476	NEGR.exe	83
PID 4556 wrote to memory of 1900	4556	csc.exe	85
PID 4556 wrote to memory of 1900	4556	csc.exe	85
PID 5476 wrote to memory of 2068	5476	NEGR.exe	86
PID 5476 wrote to memory of 2068	5476	NEGR.exe	86
PID 2068 wrote to memory of 4880	2068	Orcus.exe	90
PID 2068 wrote to memory of 4880	2068	Orcus.exe	90
PID 2068 wrote to memory of 4880	2068	Orcus.exe	90
PID 4880 wrote to memory of 5108	4880	OrcusWatchdog.exe	92
PID 4880 wrote to memory of 5108	4880	OrcusWatchdog.exe	92
PID 4880 wrote to memory of 5108	4880	OrcusWatchdog.exe	92
PID 2068 wrote to memory of 1224	2068	Orcus.exe	107
PID 2068 wrote to memory of 1224	2068	Orcus.exe	107
PID 1224 wrote to memory of 5544	1224	cmd.exe	109
PID 1224 wrote to memory of 5544	1224	cmd.exe	109
PID 4408 wrote to memory of 5496	4408	Orcus.exe	111
PID 4408 wrote to memory of 5496	4408	Orcus.exe	111
PID 4408 wrote to memory of 5496	4408	Orcus.exe	111
PID 5496 wrote to memory of 5548	5496	OrcusWatchdog.exe	112
PID 5496 wrote to memory of 5548	5496	OrcusWatchdog.exe	112
PID 5496 wrote to memory of 5548	5496	OrcusWatchdog.exe	112
PID 1224 wrote to memory of 3548	1224	cmd.exe	114
PID 1224 wrote to memory of 3548	1224	cmd.exe	114
PID 1224 wrote to memory of 6112	1224	cmd.exe	115
PID 1224 wrote to memory of 6112	1224	cmd.exe	115
PID 1224 wrote to memory of 4056	1224	cmd.exe	116
PID 1224 wrote to memory of 4056	1224	cmd.exe	116
PID 1224 wrote to memory of 1168	1224	cmd.exe	117
PID 1224 wrote to memory of 1168	1224	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEGR.exe
"C:\Users\Admin\AppData\Local\Temp\NEGR.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5476
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uqq8c9jc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A17.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5A16.tmp"
    3⤵
    PID:1900
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2068 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2068 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{f2ad86b5-cf14-4deb-a41d-0d61f627e1f4}.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:3548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files\Orcus\Orcus.exe""
      4⤵
      PID:6112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:4056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{f2ad86b5-cf14-4deb-a41d-0d61f627e1f4}.bat"
      4⤵
      PID:1168

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
  "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4408 /protectFile
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5496
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4408 "/protectFile"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5548

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:4640

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:1904

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
c37aede530770e4960f21ca09f3a8e1c

SHA1
588a47f35d6c90ed47c433da4fdb35309cb8f166

SHA256
67186135fcb9c521054eafaeab47b5c6c92f25a97c35f8178bee5778e4d45636

SHA512
0f880912f868d7a678e01fe6f7ba09889a9d465bb033e9fc5993f59a5144b8c7b75cc1009c000f6d3f3a584d3954c9beb4ce938bc80b1b2aebe78f139dd65dc4

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Orcus.exe.log

Filesize
1KB

MD5
88e705d993fb58c58244d5fbe479357b

SHA1
61fabea0cef7669bdfdeac5bf70feb785b189f84

SHA256
b099fc470f8b499739b76738582088be63f9414f57b058f8fb6b8a3ae2ceaead

SHA512
89392c103f772f50fe90a0f8a1ecf893a17fcdf14ae697f17c9bca3abeed266ba3a7869332f1ca9dc282668dee7b6058eea2b63f46192126587b64f8b504d1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

Filesize
425B

MD5
8c7889bde41724ce3db7c67e730677f6

SHA1
485891cc9120cb2203a2483754dbd5e6ea24f28e

SHA256
83c70bfcb1b41892c9c50cabe9bc2d96b2f7420b28545afabd32f682ac62d0ad

SHA512
b7c3aab27fc924dcaef78987b492931e164b9e30b813c532fe87e1d40001ed1861c4b5ddbdd85cd2278681a22e32eee816877f4f63cecaa9972976d87e38f5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5A17.tmp

Filesize
1KB

MD5
3a67a82e95949e18a195d2686acb7c6a

SHA1
06ffaa24a2ec12967edc9bee53e0ce1b9693e2fc

SHA256
11f14d895591b079863d4608e08d0f739cb9e2ad3794b1f8ed676e24f8412b45

SHA512
05fb21050aac28cc0bc861717d6071e17da35afc7816f19c75345860ce840ce92f43aa57b8e8836cdfd09e5dedb964dbd5322dac2fac2bd3b8f645ca239636db

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqq8c9jc.dll

Filesize
76KB

MD5
4f32d6662aed7c51a0305457a6af863e

SHA1
21c7822cdad01b5deb4176ca0fb66ad99dd4035e

SHA256
0d3fb74a51f31f5bbca4015672499e0d6e7fbdfa642462c08e172fc1545ea87a

SHA512
bd84a1a9f8c668c8d2044023fe61f7c8d1d8a3984d28360a272dcce68210dc23b790e7881e02720d787fd22e227012807f6e14073a91c232070f5d0ff11f0756

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f2ad86b5-cf14-4deb-a41d-0d61f627e1f4}.bat

Filesize
171B

MD5
d3d7b84f373b90fb73f73630f2d26ea9

SHA1
88fb651d289b4000ba800e618ee5a611090bee33

SHA256
fa51210ac2136b7b092475b774070f50f19729a3db098d5111f2cdc3f0ca82cc

SHA512
c8f4b60a8d80ecbb7f7f4b1c05517ecd45d1877366bea24cc71d20649f8a45077bb223390451667fbf3ca348ccbe1f760ca1606099dd9d73877655a6ad22fbb9

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_aab067bbecf6478ca540d713fe8e0084\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_aab067bbecf6478ca540d713fe8e0084\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_aab067bbecf6478ca540d713fe8e0084\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_aab067bbecf6478ca540d713fe8e0084\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_aab067bbecf6478ca540d713fe8e0084\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_aab067bbecf6478ca540d713fe8e0084\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5A16.tmp

Filesize
676B

MD5
a4172b0fbcd799f678979ff3d6c514b5

SHA1
4e9b9e2bfbe6e322e25527909270ecb933d221e8

SHA256
8e43ca54151006644f5e9af9d0a70e3737534da6381058294ccef9971f2a4be5

SHA512
ef1e41db02ce4bb257420f082b8675b288ee6736196d22d05a1a77763b9e5e0a58b8c0bc0a29856f7c321cf483cee3a356668a0b61a2fd707c563d4d6a3ece1a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uqq8c9jc.0.cs

Filesize
208KB

MD5
4a003b62899ea203855da800856621ce

SHA1
5834ca88e46b09b9b0dcfcd9ea940da317ec1d1e

SHA256
6440636bb348ae2874c7732e69360fc861a3ca1f40dc01542eca38ed5da9938c

SHA512
ebf14b15bb08f3abbeb2191d22014189cccb6ebb49e508898afc4cbbd45d6895538312ae4f7620b9f7e63b62e1bb4316a6d4cd69fd1effd11ab989c02a20d2bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uqq8c9jc.cmdline

Filesize
349B

MD5
c70799609362889488236dc0dfd833f8

SHA1
1f6dd3f93dfe1587358ec6d24b0c3f0194aa09d7

SHA256
dad442a10e1beec284177ed4c5e625d012ffe359825c21a8dc341388d6ddf9f3

SHA512
3fecc366c11bce83a89418ee0158615694b1512b4601ef55139fc8516b8836d04a574b0b68c6bc244f7718f2db2143f48ce0261ab67800fe7fe99b85f63be832

Download Submit
memory/2068-83-0x000000001D370000-0x000000001D3CA000-memory.dmp

Filesize
360KB

Download
memory/2068-67-0x000000001D510000-0x000000001D554000-memory.dmp

Filesize
272KB

Download
memory/2068-32-0x0000000000FA0000-0x0000000001088000-memory.dmp

Filesize
928KB

Download
memory/2068-153-0x00000000660C0000-0x000000006615C000-memory.dmp

Filesize
624KB

Download
memory/2068-33-0x0000000003290000-0x00000000032A2000-memory.dmp

Filesize
72KB

Download
memory/2068-34-0x000000001BC10000-0x000000001BC5E000-memory.dmp

Filesize
312KB

Download
memory/2068-36-0x000000001BC90000-0x000000001BCA8000-memory.dmp

Filesize
96KB

Download
memory/2068-37-0x000000001C310000-0x000000001C320000-memory.dmp

Filesize
64KB

Download
memory/2068-38-0x000000001C4F0000-0x000000001C6B2000-memory.dmp

Filesize
1.8MB

Download
memory/2068-108-0x00000000660C0000-0x000000006615C000-memory.dmp

Filesize
624KB

Download
memory/2068-99-0x000000001D6C0000-0x000000001D814000-memory.dmp

Filesize
1.3MB

Download
memory/2068-60-0x000000001C480000-0x000000001C492000-memory.dmp

Filesize
72KB

Download
memory/2068-61-0x000000001D2B0000-0x000000001D2EC000-memory.dmp

Filesize
240KB

Download
memory/2068-62-0x000000001D400000-0x000000001D50A000-memory.dmp

Filesize
1.0MB

Download
memory/2068-64-0x00007FF9A0723000-0x00007FF9A0725000-memory.dmp

Filesize
8KB

Download
memory/2068-30-0x00007FF9A0723000-0x00007FF9A0725000-memory.dmp

Filesize
8KB

Download
memory/2068-91-0x000000001C860000-0x000000001C886000-memory.dmp

Filesize
152KB

Download
memory/2068-75-0x000000001C810000-0x000000001C85A000-memory.dmp

Filesize
296KB

Download
memory/4408-155-0x0000000002D00000-0x0000000002D12000-memory.dmp

Filesize
72KB

Download
memory/4556-16-0x00007FF9A3590000-0x00007FF9A3F31000-memory.dmp

Filesize
9.6MB

Download
memory/4556-21-0x00007FF9A3590000-0x00007FF9A3F31000-memory.dmp

Filesize
9.6MB

Download
memory/4880-55-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/5476-7-0x000000001CB20000-0x000000001CFEE000-memory.dmp

Filesize
4.8MB

Download
memory/5476-8-0x000000001BB90000-0x000000001BC2C000-memory.dmp

Filesize
624KB

Download
memory/5476-23-0x000000001D600000-0x000000001D616000-memory.dmp

Filesize
88KB

Download
memory/5476-3-0x00007FF9A3590000-0x00007FF9A3F31000-memory.dmp

Filesize
9.6MB

Download
memory/5476-25-0x0000000001460000-0x0000000001472000-memory.dmp

Filesize
72KB

Download
memory/5476-6-0x000000001BAE0000-0x000000001BAEE000-memory.dmp

Filesize
56KB

Download
memory/5476-2-0x000000001BA00000-0x000000001BA5C000-memory.dmp

Filesize
368KB

Download
memory/5476-31-0x00007FF9A3590000-0x00007FF9A3F31000-memory.dmp

Filesize
9.6MB

Download
memory/5476-0-0x00007FF9A3845000-0x00007FF9A3846000-memory.dmp

Filesize
4KB

Download
memory/5476-1-0x00007FF9A3590000-0x00007FF9A3F31000-memory.dmp

Filesize
9.6MB

Download