Malware Analysis Report

2025-01-22 15:08

Sample ID 240206-dvemaaecd4
Target bdbe50403b411db0e07511e098bdb9ff.bin
SHA256 373b1baa74d6263bf430ec9ccd99625a0ae5022dce042c9e9a2b1a43f57757a2
Tags
orcus persistence rat spyware stealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

373b1baa74d6263bf430ec9ccd99625a0ae5022dce042c9e9a2b1a43f57757a2

Threat Level: Known bad

The file bdbe50403b411db0e07511e098bdb9ff.bin was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcurs Rat Executable

Orcus family

Orcus main payload

Orcus

Orcurs Rat Executable

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-02-06 03:19

Signatures

Orcurs Rat Executable

Orcus family

orcus

Orcus main payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 03:19

Reported

2024-02-06 03:22

Platform

win7-20231215-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | C:\Program Files\Orcus\Orcus.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1992 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1208 wrote to memory of 2700 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1992 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1992 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | C:\Program Files\Orcus\Orcus.exe
PID 2756 wrote to memory of 1592 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files\Orcus\Orcus.exe
PID 2636 wrote to memory of 1556 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1556 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe

"C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v_rnwj6f.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC61.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC60.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2636

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2636

C:\Windows\system32\taskeng.exe

taskeng.exe {6F003D09-5B03-4BF8-96DC-EF18B039EFD2} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | obfuscated.us | udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\v_rnwj6f.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\v_rnwj6f.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSCC60.tmp

C:\Users\Admin\AppData\Local\Temp\v_rnwj6f.dll

C:\Windows\SysWOW64\WindowsInput.exe.config

C:\Windows\SysWOW64\WindowsInput.exe

C:\Users\Admin\AppData\Local\Temp\RESC61.tmp

C:\Program Files\Orcus\Orcus.exe

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 03:19

Reported

2024-02-06 03:22

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Program Files\Orcus\Orcus.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | C:\Program Files\Orcus\Orcus.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4040 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1844 wrote to memory of 5076 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4040 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 4040 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe | C:\Program Files\Orcus\Orcus.exe
PID 2680 wrote to memory of 832 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 832 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe | C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe

"C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1czizdxl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54F7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC54F6.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2680

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2680

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | obfuscated.us | udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\1czizdxl.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\1czizdxl.0.cs

C:\Users\Admin\AppData\Local\Temp\RES54F7.tmp

C:\Users\Admin\AppData\Local\Temp\1czizdxl.dll

\??\c:\Users\Admin\AppData\Local\Temp\CSC54F6.tmp

C:\Windows\SysWOW64\WindowsInput.exe.config

C:\Windows\SysWOW64\WindowsInput.exe

memory/1152-43-0x0000000003070000-0x00000000030AC000-memory.dmp

memory/1152-47-0x00007FF9AB2F0000-0x00007FF9ABDB1000-memory.dmp

memory/2324-49-0x00007FF9AB2F0000-0x00007FF9ABDB1000-memory.dmp

memory/2324-50-0x000000001AC00000-0x000000001AD0A000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 47762042c5aa2d592308ad42713b491a
SHA1 429329a90b36fa500d6849167fc87f9bdf0a2144
SHA256 059bb4329da629cd52210265abbb05ad356c1911cf2c9624801bdbb99734d713
SHA512 3751a3321be43d92086df8fac3587db483f7eabe97f838f87b23fa8ebb896c2d4764bb1e265a092784d9fc1301339efcb5f65425f9fd03cc2cb6cac9a0d06f1e

C:\Program Files\Orcus\Orcus.exe

MD5 16c76b56eba386c7449f918e0c32d9a7
SHA1 54b54afbfe6028aa8c0776a80d318d423533604c
SHA256 bdb97088a355dc2bcb80128f066c23fda038366522e4060d408258f6badb4381
SHA512 0169513ba8db048a66ddb5c3aa294282fa7591817e65374a592e3341020e2c7aaf9005841cbbd93ea37a3b04307e7ad61c17877af016c5397446ad95d0aa7ebb

C:\Program Files\Orcus\Orcus.exe

MD5 de4f011cac5e5cca525735c0cf19b75f
SHA1 7d9440464d1c85cf7adc7a2b8e19b3b5d5b2efa4
SHA256 767d6e358ea50c63f49aceadd7664010069c321f73d9b61ea7d4c293e8cd5793
SHA512 84612b663c5351f748591549baa4b505355f6976d080bbfd25e442fbdf4a8c94d35de6cbf2d01a9012e09fa018cddc2e4d601270e1b27d1f34fd6322de75451d

memory/2680-67-0x00007FF9AB2F0000-0x00007FF9ABDB1000-memory.dmp

memory/4040-66-0x00007FF9ADEA0000-0x00007FF9AE841000-memory.dmp

memory/2680-68-0x00000000005B0000-0x000000000069A000-memory.dmp

memory/2680-69-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

memory/2680-71-0x000000001B210000-0x000000001B25E000-memory.dmp

memory/2680-70-0x000000001B200000-0x000000001B212000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 453f7e4d8361011ab8bd9862a699baf9
SHA1 36a809b6e4a0e2d4b0cf6ea612201b9519883b21
SHA256 3e24007b45ba07caad6ce50d36f018d39c00c72e63e0ba294e2883a5e367a85e
SHA512 58a909803351c54aa2b0fec3a96cbcbc11e4e2e2f16fd98a5521ea094b560a1e4c9c261f6ac4ee1a6170727eae9a6ab787c796858f5bca5d737fc98046dbd831

memory/2680-73-0x000000001B2A0000-0x000000001B2B8000-memory.dmp

memory/4364-78-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/832-90-0x0000000000700000-0x0000000000708000-memory.dmp

memory/832-91-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/2680-75-0x000000001C3B0000-0x000000001C3C0000-memory.dmp

memory/4364-74-0x00007FF9AB2F0000-0x00007FF9ABDB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/1280-96-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/832-95-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/4364-98-0x00007FF9AB2F0000-0x00007FF9ABDB1000-memory.dmp

memory/2324-99-0x00007FF9AB2F0000-0x00007FF9ABDB1000-memory.dmp

memory/2324-100-0x000000001A6E0000-0x000000001A6F0000-memory.dmp

memory/2680-101-0x00007FF9AB2F0000-0x00007FF9ABDB1000-memory.dmp

memory/2680-102-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

memory/1280-103-0x00000000746D0000-0x0000000074E80000-memory.dmp