Malware Analysis Report

2025-01-22 15:04

Sample ID 240204-y29ffsbhgp
Target file.bin.exe
SHA256 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284
Tags
orcus persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284

Threat Level: Known bad

The file file.bin.exe was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus main payload

Orcus

Orcurs Rat Executable

Orcus family

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 20:18

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 20:18

Reported

2024-02-04 20:20

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.bin.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2376 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2376 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2376 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Program Files\Orcus\Orcus.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Program Files\Orcus\Orcus.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Program Files\Orcus\Orcus.exe
PID 2992 wrote to memory of 2028 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2992 wrote to memory of 2028 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2992 wrote to memory of 2028 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2992 wrote to memory of 2028 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2552 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe
PID 2552 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe
PID 2552 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe
PID 2028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.bin.exe

"C:\Users\Admin\AppData\Local\Temp\file.bin.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zw26fhyn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1259.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1249.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AD24D73C-5E14-47AC-A9A3-3296DAB5DA5B} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2992

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2992

Network

Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp

Files

memory/2376-0-0x0000000002170000-0x00000000021CC000-memory.dmp

memory/2376-1-0x0000000000390000-0x000000000039E000-memory.dmp

memory/2376-3-0x00000000021F0000-0x0000000002270000-memory.dmp

memory/2376-2-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

memory/2376-4-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zw26fhyn.cmdline

MD5 176b3f0fb81f02476fac90400534436d
SHA1 5eb409c9455fa80766b1cc089e445af9b39cf8de
SHA256 f9757e942ca4cb5fa2738980ee7ea8e2790eb359fd47c5ac9a26a281cbb16451
SHA512 bc0b5e5fd7acac3452925f4b72a41c84eb1ae1a654e7e463c1be1070ec58d3b1a85397fd2a6bc973f40dcd363a38268f8e774e6b26b24d5fb48cf2ae75a078f5

\??\c:\Users\Admin\AppData\Local\Temp\zw26fhyn.0.cs

MD5 6011503497b1b9250a05debf9690e52c
SHA1 897aea61e9bffc82d7031f1b3da12fb83efc6d82
SHA256 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434
SHA512 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

\??\c:\Users\Admin\AppData\Local\Temp\CSC1249.tmp

MD5 9b1f392c6400412799350d1a718fbb8c
SHA1 6230c588f461affeaf16b35acd8ba2d2898ddd3d
SHA256 7567468ec75450cac751eb8e0770e01f1b3af5713880f3b406936478e45e2d94
SHA512 9440a01ad88412dcf520e1c4c5e83d8cfa0e4e0fadf5de73b945212ea2337df29df78b7ec29c2abb4a6d148e3bd72b5665ed1cc14143984be3693f9a6ff3b74b

memory/2376-17-0x0000000002480000-0x0000000002496000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zw26fhyn.dll

MD5 c22fd101b2617e06d514ce709423615d
SHA1 b14201e1c33c7c6d10a0ffdbcbddda82fe179785
SHA256 78e93cc132108bd8c498b48793e2f3687608f69beec5ec475fad488d8fb4d4c7
SHA512 58c7b7fe6ec88998f694086fe033da094002faf08ba01c13fd96d3bccf0ff620d81f0186f331d75e8ff9b1da8067583011e49cbb459da78fb676c99362640ba3

C:\Users\Admin\AppData\Local\Temp\RES1259.tmp

MD5 6e83b8ca80aae296c2bcf79a23b76055
SHA1 d9b855ec317535f7360a34b73ba16e95cb4877ce
SHA256 cc76a6e096e3ebb4aa4fc04daa20618b60874bba3c4f800fddc42843374ad018
SHA512 7af12a258d085477ce464bab5acbfa0d89747cb7a0df89a926701b0d2610b7670998c1fe54f29907910782e955450bfc4b135f8ddbd7b43352e194a319ffeb86

memory/2376-19-0x00000000004A0000-0x00000000004B2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/2264-27-0x0000000000320000-0x000000000032C000-memory.dmp

memory/2264-28-0x000007FEEE6B0000-0x000007FEEF09C000-memory.dmp

memory/2264-29-0x0000000002180000-0x0000000002200000-memory.dmp

memory/2264-32-0x000007FEEE6B0000-0x000007FEEF09C000-memory.dmp

memory/2788-35-0x000007FEEDCC0000-0x000007FEEE6AC000-memory.dmp

memory/2788-34-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 6b189fdad2da1a54c7495be53995dd31
SHA1 f6a0fc07362de59dffb8c9ee78db35325b6c311c
SHA256 d3c5817feb841079ed570bbd5c4dd0f74b564d18f001a648d8407d8aa9587a3f
SHA512 c25669add23604cd2711acc142cbf7031f6051d14c924d087c5c547289a953de4f045a305aaf22cfec217184a42575466ddbc06fe46eda64ef01433fece4b787

memory/2992-45-0x00000000012C0000-0x00000000013AA000-memory.dmp

memory/2376-44-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

memory/2992-47-0x000000001AF00000-0x000000001AF80000-memory.dmp

memory/2992-46-0x000007FEEDCC0000-0x000007FEEE6AC000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 3e5c7eee76cbabdfd7bae6cbb88237d6
SHA1 d40e049c684bba8a1ddd89c2c73cbbf5d760a0f4
SHA256 90e8884c964a34c85793e1a4180f1f87fd62e87b71595af61a345db09d75e45c
SHA512 60920aa68faa58a59d246a74fe4cde8708fae7d418fce9320e22376193cdada0930bf32f7ee723126fbdbe819429d0f1e926013381b926c0452bf33260c38cff

memory/2992-49-0x00000000005A0000-0x00000000005EE000-memory.dmp

memory/2992-48-0x0000000000480000-0x0000000000492000-memory.dmp

memory/2992-50-0x0000000000D30000-0x0000000000D48000-memory.dmp

memory/2992-51-0x0000000000D50000-0x0000000000D60000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 281e2039ac4d55a34fb7c76e7262cd2f
SHA1 f9b89e896eb0aa2b9ac49fefe6592a9ddc4f3bbc
SHA256 afd03aa7c79c85249e729fb9cf70eaacc1cb7cc47c8a4613856dc6cc91098992
SHA512 318fdee15a205b7f14936d2254aacb8ea0347a5c7639e65facd81e30bfb18416ec0495bbdc14085b3fc139f53f926d490672f8a61aedb37675a7bd46a284b06b

memory/1788-62-0x000007FEEDCC0000-0x000007FEEE6AC000-memory.dmp

memory/1788-63-0x000000001AEC0000-0x000000001AF40000-memory.dmp

memory/2028-61-0x0000000001070000-0x0000000001078000-memory.dmp

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2012-67-0x0000000074400000-0x0000000074AEE000-memory.dmp

memory/2028-66-0x0000000074400000-0x0000000074AEE000-memory.dmp

memory/2028-64-0x0000000074400000-0x0000000074AEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1B5F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1788-84-0x000007FEEDCC0000-0x000007FEEE6AC000-memory.dmp

memory/2788-85-0x000007FEEDCC0000-0x000007FEEE6AC000-memory.dmp

memory/2992-86-0x000007FEEDCC0000-0x000007FEEE6AC000-memory.dmp

memory/2992-87-0x000000001AF00000-0x000000001AF80000-memory.dmp

memory/2012-88-0x0000000074400000-0x0000000074AEE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 20:18

Reported

2024-02-04 20:20

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.bin.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Program Files\Orcus\Orcus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.bin.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4976 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1212 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1212 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4976 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4976 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4976 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Program Files\Orcus\Orcus.exe
PID 4976 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Program Files\Orcus\Orcus.exe
PID 4728 wrote to memory of 2412 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4728 wrote to memory of 2412 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4728 wrote to memory of 2412 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2412 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2412 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2412 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.bin.exe

"C:\Users\Admin\AppData\Local\Temp\file.bin.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BCF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4BBE.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4728

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4728

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rx0_tnzf.cmdline"
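The WriteProcessMemory tables and the Processes lists in behavioral1 and behavioral2 flatten the execution chain into repeated parent-to-child rows. The Python below is an added worked example, not part of the sandbox output, that rebuilds the tree from those rows and flags the two behaviours worth calling out in a triage note: the watchdog respawning its own image (OrcusWatchdog.exe /launchSelfAndExit), and Orcus.exe being started again by taskeng.exe, which is how the "Uses Task Scheduler COM API" persistence shows up in practice. It assumes, as the rows read in this report, that each writer PID is the parent that has just created the target PID, so writer -> target is treated as a spawn edge; the sample rows are the behavioral1 lines copied from the table above (the behavioral2 rows parse the same way but have no taskeng.exe relaunch).

```python
"""Rebuild the process tree from a sandbox's 'PID X wrote to memory of Y' rows."""
import re
from collections import defaultdict

# Sample rows copied from the behavioral1 WriteProcessMemory table of this report.
# One duplicate is kept on purpose: the parser collapses repeated writes.
SAMPLE_ROWS = r"""
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2376 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\file.bin.exe C:\Program Files\Orcus\Orcus.exe
PID 2992 wrote to memory of 2028 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2552 wrote to memory of 1788 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe
PID 2028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
"""

# Two absolute paths follow the N/A indicator column. The first is matched lazily
# so the space in "Program Files" does not split a path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_rows(text):
    """Return ({pid: image_path}, {child_pid: parent_pid}).

    Assumption (not stated by the sandbox): each write is the parent writing into
    the child it just created, so writer -> target is a spawn edge.
    """
    paths, parent = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src_pid, dst_pid, src, dst = int(m[1]), int(m[2]), m[3], m[4]
        paths[src_pid] = src
        paths[dst_pid] = dst
        parent.setdefault(dst_pid, src_pid)  # repeated writes collapse to one edge
    return paths, parent


def roots(paths, parent):
    """PIDs that nobody in the table spawned: the submitted sample and taskeng.exe."""
    return sorted(p for p in paths if p not in parent)


def lineage(pid, parent):
    """Ancestor chain from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return list(reversed(chain))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def findings(paths, parent):
    """Flag self-respawns (the watchdog pattern) and launches by the task scheduler."""
    out = []
    for child, par in parent.items():
        if basename(paths[child]) == basename(paths[par]):
            out.append(("self-respawn", par, child))
        if basename(paths[par]) == "taskeng.exe":
            out.append(("scheduled-task-launch", par, child))
    return sorted(out)


def render(paths, parent):
    """Indented tree, one line per process, roots first."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(paths[pid])}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots(paths, parent):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    p, par = parse_rows(SAMPLE_ROWS)
    print(render(p, par))
    for f in findings(p, par):
        print(*f)
```

Paste a different report's WriteProcessMemory rows into SAMPLE_ROWS to reuse it; the only format dependency is the "PID X wrote to memory of Y N/A <parent> <child>" row shape.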

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 210.210.13.103.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
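The Network tables in both detonations show a single TCP connection to 103.13.210.210:8080 (the C2, whose hostname the report renders as obfuscated.us) alongside DNS traffic to 8.8.8.8; behavioral2 also carries a batch of PTR (in-addr.arpa) lookups, most of which are ordinary reverse lookups the guest performs on its own. One of them, 210.210.13.103.in-addr.arpa, is the reverse of the C2 address. The Python below is an added example, not part of the sandbox output, that parses rows in this table's format and separates C2 connections, PTR lookups that point back at a C2 address, other PTR noise, and forward DNS; the sample rows are copied from the behavioral2 table above.

```python
"""Classify sandbox Network rows: C2 connections vs. DNS and reverse-lookup noise."""
import ipaddress

# Sample rows copied from the behavioral2 Network table of this report.
NET_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
US 8.8.8.8:53 210.210.13.103.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
"""


def parse_network(text):
    """Rows are whitespace-separated: country, ip:port, domain, proto."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_target(name):
    """'210.210.13.103.in-addr.arpa' -> '103.13.210.210'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(rows):
    """Anything TCP that is not DNS is treated as a C2 candidate; PTR lookups are
    then split into those that resolve a C2 address and background noise."""
    c2 = [r for r in rows if r["proto"] == "tcp" and r["port"] != 53]
    c2_ips = {r["ip"] for r in c2}
    out = {"c2": c2, "ptr_for_c2": [], "ptr_noise": [], "dns": []}
    for r in rows:
        if r in c2:
            continue
        target = ptr_target(r["domain"])
        if target is None:
            out["dns"].append(r)
        elif target in c2_ips:
            out["ptr_for_c2"].append(r)
        else:
            out["ptr_noise"].append(r)
    return out


if __name__ == "__main__":
    for bucket, rows in classify(parse_network(NET_ROWS)).items():
        print(bucket, [(r["ip"], r["port"], r["domain"]) for r in rows])
```

The "ptr_for_c2" bucket is the one to keep when turning this table into network indicators: a reverse lookup of the C2 address is evidence the implant resolved its own server, whereas the other in-addr.arpa names here belong to the guest's background traffic and would only generate false positives.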

Files

memory/4976-1-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/4976-0-0x00007FFE61500000-0x00007FFE61EA1000-memory.dmp

memory/4976-2-0x000000001B710000-0x000000001B76C000-memory.dmp

memory/4976-6-0x000000001B900000-0x000000001B90E000-memory.dmp

memory/4976-3-0x00007FFE61500000-0x00007FFE61EA1000-memory.dmp

memory/4976-8-0x000000001C350000-0x000000001C3EC000-memory.dmp

memory/4976-7-0x000000001BDE0000-0x000000001C2AE000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rx0_tnzf.0.cs

MD5 457190f349c99de86bcdbb08316bcbf8
SHA1 716a01c540c0b73cea241335010ef5272a3d7800
SHA256 3f9196d9e3f32ead068c40f8e38c844e9f7fc059adaf757af20ed93bfa7f1023
SHA512 4a16206798269ee168abc92f78974bab8f83f2034769b5a653bbda7f6ebd41b0b18d5b78896566f54bdf312b52825cf5c512c304469972e1f554ccc104fbcb79

memory/4976-22-0x000000001CA10000-0x000000001CA26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rx0_tnzf.dll

MD5 3bc8f8445e46344722bf9d2aa0a896ad
SHA1 a228cf62fd49064d33720e5a87a7622ebed50f3a
SHA256 3fe6dc1cf8c7cc501be5d83d6c7e85e7aea797d6d646f4311a7260a3bc2e3879
SHA512 3e51f3abb0491f4f2853a1384a61181223522f0de165748cb609cd962f7e2b045547bd9d9376bbc6e35a90366330f940d6a7f13581faf8451b391012e1d39bc6

C:\Users\Admin\AppData\Local\Temp\RES4BCF.tmp

MD5 90961861148ff51035b61bc270d0499d
SHA1 69f9c41db4a6d9a1c9c8c3222907b66bee7b50fd
SHA256 a607e8bf55bc34b10bec3e5fa5db41342f8dfb4b187a5723b03951921286517d
SHA512 63e9b1200fbc64ad2ade5acc3053abfa998f605c8a3cd952263a8bfe6fe0760b5f7a185e1d3d252f0c1b98c4cd3397e4069084671ba93947449860efb6be7e83

memory/4976-24-0x000000001B660000-0x000000001B672000-memory.dmp

memory/4976-25-0x000000001CA50000-0x000000001CA70000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC4BBE.tmp

MD5 7cc487ee0f8a84ec59a3248184fe83fe
SHA1 932b08a6805e146972be583c168ff8b7c66ed2e9
SHA256 7e9634f0f083c679bd0509510a80b7b7fb86e8fed6a9e6f988f3e9a1142c5b86
SHA512 bfb743238f37799806ad5268e89c2bd3d8df4e7b09aa20745f2fd65b4aaeae8c27450bd4013448c4915770ca79a5ee778d68e594701ceae36fd31b58e91440ec

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4756-39-0x0000000000A00000-0x0000000000A0C000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/4756-41-0x000000001B7F0000-0x000000001B800000-memory.dmp

memory/4756-43-0x0000000002B20000-0x0000000002B5C000-memory.dmp

memory/4756-42-0x0000000001480000-0x0000000001492000-memory.dmp

memory/4756-40-0x00007FFE5E950000-0x00007FFE5F411000-memory.dmp

memory/976-49-0x00007FFE5E950000-0x00007FFE5F411000-memory.dmp

memory/976-50-0x00000000197F0000-0x0000000019800000-memory.dmp

memory/976-51-0x0000000019E50000-0x0000000019F5A000-memory.dmp

memory/4756-47-0x00007FFE5E950000-0x00007FFE5F411000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 d7601356b62960846e32b42d84ed5cc8
SHA1 4e08f3a2d3a3bdf9fa2769c332a62c1348059445
SHA256 733f563601decd2810f13bfa501225e97ff57c9882cf966c8387a5a0efd33364
SHA512 df6f742f79695de1041f3a2e81020ba290b3e80c117e64e46615404fa704604615319bf0727f9f2f6e3bb0f1863a4226333a9082de1f2c94a9a9cf9a7a9cf945

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 ee25658b21c76273d2941e1d22d46a42
SHA1 9a408590703de5ec603cdd9880768e1291c7e102
SHA256 d6ee97f5616473b9a65a764f47c4266c7ef53c36563644494b95df19c127230d
SHA512 47cfdaba8b415c843342891f612905ad14ff79aea9747b72951a1e65f5eff8cd6f4f68e37358e06969bcdc63477011b68a3287ba3b48204d1f704998af2b4551

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Program Files\Orcus\Orcus.exe

MD5 80670cd4af923ee42b9fd671c2ee3710
SHA1 32f054f68dc037ec67e544847f7da0ab631e9c2a
SHA256 121ca01585ba0b775476f0f82a18ee07497a1243b0813cc5539b96e894264e0c
SHA512 c83702b5b7a7b43bff245633541ab67589530e0379a7c745808330edb3430f07d5fd92fff093d1fc62a6adaf31ef56e1508db219eff508918a3e69fa145ded21

C:\Program Files\Orcus\Orcus.exe

MD5 22757c5a042451184cca0d0e212bb337
SHA1 1bbaf1e09b6f2573332c0729859ceb38b5b37902
SHA256 84ec3ca982cdbda3ff4454be520c762dc841a16eabcfe143c369bdca90726ec4
SHA512 cd5f4b871522f74f4e3330c41048aa3f3b578f2ef4c4e8ab5f9e92f1abce8330753b92da5ec18d96cfc106372a7104afe4c926112dfc2ce8bbc20b6503b4058d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

C:\Program Files\Orcus\Orcus.exe

MD5 13548c85de46215be1616c25787b8fd0
SHA1 7e759bf01c2f6be569124c0a331d1ab850ba53c0
SHA256 9c710bb79b245c372805993d02b94c823cbdf2aa1a972f37b85d8e9b14cadcae
SHA512 92cabf754b9bff252f3be724d1488e0ed0a08eec5bb70ae9f284f21c1db4cd98fac1990e52fae2709bb1a8b04c40b88ab7290aae2542ebb5945e19db89a7ff04

\??\c:\Users\Admin\AppData\Local\Temp\rx0_tnzf.cmdline

MD5 78d6bc417ce7fad724ca814eb5a756ff
SHA1 559f7b4bce918887e95d124624bc6d31d2ef9b54
SHA256 81a3a0031bdc3f5296b16ee165265c32f99bf0f9733efcc287ed41de67c9578f
SHA512 e1a79fbaa5135f3622a9e8d4a72966b22a73f462d087f4e142840c70430f1279c8eeba7b8b796bc5400f9f9d125122030a27686e722a8a5a9dd105ed6d0d3117
