Malware Analysis Report

2025-01-22 15:04

Sample ID: 240208-spvhwage55
Target: file.exe
SHA256: d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b
Tags: orcus persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus main payload

Orcus family

Orcurs Rat Executable

Manipulates Digital Signatures

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Drops desktop.ini file(s)

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-08 15:18

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-08 15:18

Reported: 2024-02-08 15:31

Platform: win7-20231215-en

Max time kernel: 535s

Max time network: 517s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui | C:\Windows\SysWOW64\cmd.exe | N/A

Manipulates Digital Signatures

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | C:\Windows\SysWOW64\cmd.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\System3222 = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Windows\winsxs\AM0353~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMD694~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM989B~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM9AF0~1.163\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM3E43~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMB428~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM281C~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM7B95~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMEEEB~1.163\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM5CD3~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMB8AA~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM0112~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMC0AD~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMAB03~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM1464~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM912A~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMFD52~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMF946~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM15B7~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM5043~1.164\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM9934~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM5C97~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMCF3A~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM425B~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMEE05~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMCA4A~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AME19A~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMFA6B~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM1B18~1.163\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AME009~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM131F~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM50D0~1.175\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM6927~1.175\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM076B~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMCCDB~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM71C7~1.163\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMFF91~1.164\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM814E~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM2971~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMC04C~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM0FD6~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMFB84~1.175\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMA45F~1.175\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM28D3~1.163\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMC003~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMDF32~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM3A5B~1.175\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMB6BD~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM082E~1.163\Desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM2473~1.163\desktop.ini | C:\Windows\SysWOW64\cmd.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 4.tcp.eu.ngrok.io | N/A | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\Windows\BITLOC~1\autorun.inf | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\de-DE\runonce.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\L2SecHC.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wbem\tcpip.mof | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wbem\viewprov.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\diskcopy.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\dpwsockx.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\PeerDist.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\ocsetup.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\hcproviders.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\wininet.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wbem\en-US\wscenter.mfl | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\en-US\mrinfo.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\icm32.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\iscsium.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\themeui.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\browcli.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\devenum.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\eval\PROFES~1\license.rtf | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\oflc.rs.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\wavemsp.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\colorcpl.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\cngprovider.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\apss.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tvratings.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wbem\fr-FR\xml.xsl | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\WcsPlugInService.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\neth.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\odbcad32.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\sfc.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MUI\0407\mscorees.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\shacct.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\VaultCredProvider.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\comres.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\raschap.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\WPDSp.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\WMPhoto.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\Ribbons.scr.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\loghours.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\en-US\ieetwcollectorres.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\dpmodemx.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\fltMC.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\shlwapi.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\MFC42u.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\PeerDistSh.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\wscript.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\migwiz\DLMANI~1\BITSExtensions-Server-Console-DL.man | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\twext.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\msv1_0.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\accessibilitycpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\WerFault.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\RmClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\shellstyle.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WINDOW~1\v1.0\it-IT\about_Throw.help.txt | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\TpmInit.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\wsecedit.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\appmgr.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\netbtugc.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\BWContextHandler.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\d2d1.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\diskpart.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msaatext.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\sdiagprv.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\cmdkey.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WF.msc | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\WINDOW~3\en-US\MpAsDesc.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~3\Adobe\Acrobat\9.0\REPLIC~1\Security\DIRECT~1.ACR | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CPU~1.GAD\images\dialdot_lrg.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\Images\shuffle_over.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\ko-KR\tipresx.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\Java\JDK17~1.0_8\jre\bin\server\classes.jsa | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\System\ado\msadrh15.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\images\settings_right_rest.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-first-quarter.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\es-ES\mip.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\modern_h.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\System\OLEDB~1\es-ES\sqlxmlx.rll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\SPECIA~1\whitemask1047.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Travel\btn-back-static.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\ja\System.Data.Entity.Design.Resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~3\MICROS~1\USERAC~1\DEFAUL~1\usertile20.bmp | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\it-IT\wmpnssui.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyBoy\BabyBoyMainBackground.wmv | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\de-DE\flyout.html | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\PLUG_I~1\prc\MYRIAD~1.OTF | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\System.Web.Entity.Resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\es-ES\WMPDMCCore.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CPU~1.GAD\images\back_lrg.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\rtscom.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI54FB~1\fr-FR\wmplayer.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\de-DE\css\picturePuzzle.css | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\TYPESU~1\Unicode\Mappings\Mac\CYRILLIC.TXT | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\it-IT\ShapeCollector.exe.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\System\msadc\de-DE\msdaprsr.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\System.WorkflowServices.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\boxed-join.avi | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\images\rssLogo.gif | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_thunderstorm.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\es\UIAutomationClientsideProviders.resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\images\calendar_double.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\System\OLEDB~1\msdatt.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Stacking\NavigationRight_ButtonGraphic.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\images\16-on-black.gif | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\30.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\TipTsf.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\images\settings_divider_right.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~3\MICROS~1\USERAC~1\DEFAUL~1\usertile17.bmp | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\System\fr-FR\wab32res.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\es-ES\TipRes.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\ja-JP\js\RSSFeeds.js | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\ja-JP\settings.html | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\fr-FR\js\currency.js | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\it\System.Data.Linq.Resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\CURREN~1.GAD\images\add_down.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\TipRes.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\System\msadc\en-US\msaddsr.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Pets\Pets_image-frame-ImageMask.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\it\PresentationFramework.resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\System.Management.Instrumentation.Resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\FSDEFI~1\main\base_rtl.xml | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\System.Data.Services.Design.resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-full.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\System\msadc\msaddsr.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\logo.png | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\WI54FB~1\fr-FR\WMPMediaSharing.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\rtscom.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Help\mui\0409\applocker_help.CHM | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM30D3~1.163\wait_rl.cur | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM8A3F~1.163\MSHDC~1.INF | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMBEF1~2.163\Amd64\EP0LVP1Q.GPD | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\NTUSER~1.BLF | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM49E6~1.163\DO177C~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM3FB7~1.163\USKRS~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM9EAA~1.163\Amd64\IF7000.GPD | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\Backup\AM42E0~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\PLA\Reports\es-ES\Report.System.CPU.xml | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMCAA7~1.163\rasctrs.ini | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM15C8~1.163\CNBP_3~4.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMB677~1.163\TTYUI.HLP | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM7256~1.163\Amd64\KYKM2540.GPD | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AMA9A6~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM93A1~1.163\SECLOG~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM7201~1.175\sqmapi.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\Backup\AM5ED1~1.DLL | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\FileMaps\$$3D40~1.CDF | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AMED3F~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM039D~1.163\DIAGPE~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM5E70~1.163\RelPost.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM5719~1.163\CNFRAC.ICC | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\Backup\AM70B0~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AM5423~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\SERVIC~1\Packages\MIC541~1.CAT | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM5B26~2.163\PROVSV~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM2B7A~1.163\RE5002~1.XML | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM21AD~1.163\POLICY~1.DLL | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\Backup\AMF97F~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM8EF3~1.163\IMJPCAC.DLL | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM30E4~1.175\SPCINS~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\Backup\AM7DE1~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AME7C1~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\diasymreader.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~2\v3.0\WINDOW~1\ja\SMDiagnostics.resources.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM6EB5~1.163\WINSOC~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM22B0~1.163\prnlx00a.inf | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\FileMaps\$$_SYS~3.CDF | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AMBDBE~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM8030~1.175\MIF9BA~1.DLL | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM8E53~1.175\SED6FA~1.XRM | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM3192~1.163\MULTID~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AM9FE9~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\POLICY~1\ja-JP\WindowsRemoteManagement.adml | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMAF2B~1.175\MICROS~1.DLL | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\Backup\AMCB2B~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMCA53~1.163\NFSNPD~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AME4BD~1.175\NL18CC~1.DLL | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMEEFC~1.163\interop.mfl | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMCD99~1.163\Amd64\FXUCCM01.INI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AM13A7~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\POLICY~1\PerformancePerftrack.admx | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AM6F09~1.164\F12.dll | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMF9FC~2.163\NDISUI~1.INF | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AMD416~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\AMFF60~1.163\MSADP3~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\Backup\X861BA~1.MUI | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AM2413~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Windows\winsxs\MANIFE~2\AM2D94~1.MAN | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification C:\Windows\winsxs\MANIFE~2\AMC29E~1.MAN C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\winsxs\AM40E4~2.163\WCSPLU~1.MUI C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\winsxs\AM2EC8~1.164\IEADVP~1.DLL C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\winsxs\MANIFE~2\AMFD6D~1.MAN C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\Sys322.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1416 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1416 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1416 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1416 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1416 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1416 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1416 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2736 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2736 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2736 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2736 wrote to memory of 2604 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 3048 wrote to memory of 2020 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 3048 wrote to memory of 2020 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 3048 wrote to memory of 2020 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 3048 wrote to memory of 2020 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2736 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2736 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2736 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2736 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 3048 wrote to memory of 2560 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2560 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2560 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2560 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2896 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2896 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2896 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 2232 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2232 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2232 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2232 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2896 wrote to memory of 888 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\SysWOW64\WerFault.exe
PID 2896 wrote to memory of 888 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\SysWOW64\WerFault.exe
PID 2896 wrote to memory of 888 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\SysWOW64\WerFault.exe
PID 2896 wrote to memory of 888 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {92230B5E-56A3-4D1C-8A16-4C4F56C88D55} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\Sys322.exe

"C:\Users\Admin\AppData\Roaming\Sys322.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3048 /protectFile

C:\Users\Admin\AppData\Roaming\Sys322.exe

"C:\Users\Admin\AppData\Roaming\Sys322.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3048 "/protectFile"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\{498b2b4f-a2e5-46da-adc0-5ecc1674a6bf}.bat""

C:\Users\Admin\AppData\Roaming\Sys322.exe

"C:\Users\Admin\AppData\Roaming\Sys322.exe" /launchClientAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 2896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 840

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.tcp.eu.ngrok.io udp
DE 18.198.77.177:15428 4.tcp.eu.ngrok.io tcp

Files

memory/1416-0-0x0000000001040000-0x000000000112A000-memory.dmp

memory/1416-1-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/1416-2-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

memory/1416-3-0x00000000001D0000-0x00000000001DE000-memory.dmp

memory/1416-4-0x00000000003F0000-0x000000000044C000-memory.dmp

memory/1416-5-0x0000000000510000-0x0000000000522000-memory.dmp

\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2052-14-0x0000000001200000-0x000000000120C000-memory.dmp

memory/2052-15-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2052-16-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2052-19-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2700-22-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

memory/2700-21-0x0000000001320000-0x000000000132C000-memory.dmp

memory/2700-23-0x0000000000BF0000-0x0000000000C70000-memory.dmp

\Program Files (x86)\Orcus\Orcus.exe

MD5 12ad4c2b63d32b4579f03992e362f8ef
SHA1 c38692667cdfd7f2b8bc67f3d7165f72fba74552
SHA256 d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b
SHA512 c03c47ce05435eeed509021cd844a0530480b9cef30a60d0b7c1c4914b7b425edf86ef78be0e2929d198c5561e69445605d02a10a73a66ba11183f079f500ca0

memory/3048-34-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/1416-36-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/3048-35-0x00000000011D0000-0x00000000012BA000-memory.dmp

memory/3048-37-0x0000000004B10000-0x0000000004B50000-memory.dmp

memory/3048-38-0x0000000000C20000-0x0000000000C6E000-memory.dmp

memory/3048-39-0x0000000000D50000-0x0000000000D68000-memory.dmp

memory/3048-40-0x0000000000E90000-0x0000000000EA0000-memory.dmp

memory/2604-44-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/2604-45-0x0000000001080000-0x00000000010C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sys322.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2020-54-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/2020-53-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2896-56-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/2020-57-0x0000000074C30000-0x000000007531E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab28C7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2604-74-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/2700-75-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

memory/3048-76-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/3048-77-0x0000000004B10000-0x0000000004B50000-memory.dmp

memory/2896-78-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/1648-80-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/1648-81-0x0000000000960000-0x00000000009A0000-memory.dmp

memory/1648-82-0x0000000074C30000-0x000000007531E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{498b2b4f-a2e5-46da-adc0-5ecc1674a6bf}.bat

MD5 12888c690be6b5a4d468481b3c141167
SHA1 8f684102864ba7e9951024447c4894052af708fe
SHA256 10661b06e91d2a6dfb39f59e22a9ee88b6629db80e85b1f4f0f03eb197447236
SHA512 e7e95e6f66fc12714b399a135d6b127535d69a949005db29dc4af4b70c0fb8ff5243f873ad8318559817d055a517233635efcff78102b633e52ea84468caaf05

\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.dll

MD5 ffb4b61cc11bec6d48226027c2c26704
SHA1 fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA512 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

memory/3048-95-0x0000000005260000-0x00000000052A4000-memory.dmp

memory/3048-102-0x0000000005480000-0x00000000054CA000-memory.dmp

\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.Direct3D11.dll

MD5 98eb5ba5871acdeaebf3a3b0f64be449
SHA1 c965284f60ef789b00b10b3df60ee682b4497de3
SHA256 d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512 a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.Direct3D9.dll

MD5 934da0e49208d0881c44fe19d5033840
SHA1 a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA256 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512 de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

memory/3048-109-0x0000000005670000-0x00000000056CA000-memory.dmp

memory/3048-116-0x0000000000F10000-0x0000000000F36000-memory.dmp

\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.DXGI.dll

MD5 2b44c70c49b70d797fbb748158b5d9bb
SHA1 93e00e6527e461c45c7868d14cf05c007e478081
SHA256 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512 faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

C:\Users\Admin\AppData\LocalLow\MICROS~1\CRYPTN~1\MetaData\943080~1

MD5 ed6dacae95f4fe79741659d53f2e719b
SHA1 7d510cf109f62deb9a4b294ee9a105e00d90d62c
SHA256 ca8f8753d31a32ba700635c8cd1c587ce435878a1b654d51069eacd3ee7ec10b
SHA512 fccfa86f677d7cea7bf13fdf400f3081a7d772f38920cbbd2e5914cc91aa1453436ba23ca11356b6b5cfed3fc40f473a33929c1b171db9eedd832ca7b2b75c33

C:\Users\Admin\AppData\Roaming\ASystem\LIB_01~1\TURBOJ~1.DLL

MD5 9a27bfdd0fa06e1b42e64e150a58fd3e
SHA1 bc66f567791528160df80521813a530b00136f7b
SHA256 d6d5fd47f18954e0addd8e2ddb360e4dcc4bf88ee9a2afdffbcd70dfdc68f1d8
SHA512 cff99b270af9e6b76da100be307da763cb72bec54b94d0813adfd94db8a9af2e2a158d132412b3b6034b793ff399eaf575ed502a71fde6520fb3b62f9595ac88

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\TurboJpegWrapper.dll

MD5 ac6acc235ebef6374bed71b37e322874
SHA1 a267baad59cd7352167636836bad4b971fcd6b6b
SHA256 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA512 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

memory/3048-129-0x0000000007160000-0x00000000072B4000-memory.dmp

memory/3048-130-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/2232-133-0x00000000714F0000-0x0000000071A9B000-memory.dmp

memory/2232-134-0x00000000714F0000-0x0000000071A9B000-memory.dmp

memory/2232-135-0x0000000001F80000-0x0000000001FC0000-memory.dmp

memory/2012-141-0x0000000000650000-0x0000000000651000-memory.dmp

C:\Windows\SysWOW64\WINDOW~1.INS

MD5 362ce475f5d1e84641bad999c16727a0
SHA1 6b613c73acb58d259c6379bd820cca6f785cc812
SHA256 1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA512 7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

memory/2232-143-0x00000000714F0000-0x0000000071A9B000-memory.dmp

memory/2232-144-0x0000000001F80000-0x0000000001FC0000-memory.dmp

memory/2012-145-0x0000000000650000-0x0000000000651000-memory.dmp

memory/2232-146-0x00000000714F0000-0x0000000071A9B000-memory.dmp

memory/2896-152-0x0000000074C30000-0x000000007531E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-08 15:18

Reported

2024-02-08 15:32

Platform

win10v2004-20231222-en

Max time kernel

353s

Max time network

376s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Orcus\Orcus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Sys322.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System3222 = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" C:\Program Files (x86)\Orcus\Orcus.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 4.tcp.eu.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings C:\Windows\system32\mspaint.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Sys322.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4944 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4944 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4944 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 4944 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 4944 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 372 wrote to memory of 3272 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 372 wrote to memory of 3272 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 372 wrote to memory of 3272 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 3272 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 3272 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 3272 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 372 wrote to memory of 1388 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 1388 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 1388 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 372 wrote to memory of 404 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 404 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 404 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
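
The WriteProcessMemory rows above record which process spawned which (parent PID, child PID, parent image, child image), and the Processes section that follows gives each child's command line. Together they describe the Orcus install chain: file.exe drops and runs WindowsInput.exe with `--install` and the Orcus.exe copy under Program Files (x86); Orcus.exe starts Sys322.exe as a watchdog (`/launchSelfAndExit` ... `/watchProcess` ... `/protectFile`) and drives reg.exe against HKCR through GUID-named batch files in %TEMP%. The script below is an added example written for this page, not code from the report or from the sandbox vendor: it rebuilds the process tree from rows copied from the table and runs a few command-line heuristics over the command lines copied from the Processes section. The rule names and regular expressions are the editor's own and are not signatures from the report.

```python
"""
Added example (editor's own, not part of the sandbox report): rebuild the
process tree from the "Suspicious use of WriteProcessMemory" rows and flag
the command lines from the Processes section that characterise this Orcus
install chain. Rule names and regexes are editor heuristics, not report data.
"""
import re
from collections import defaultdict

# Rows copied from the report. The sandbox logs one row per write, so each
# launch appears several times; one duplicate is kept to show the collapse.
WRITEPROCESSMEMORY_ROWS = r"""
PID 4944 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4944 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 4944 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 372 wrote to memory of 3272 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 3272 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\Sys322.exe C:\Users\Admin\AppData\Roaming\Sys322.exe
PID 372 wrote to memory of 1388 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 372 wrote to memory of 404 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 404 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
"""

# parent PID, child PID, parent image, child image (both images start with C:\)
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")

# Command lines copied from the Processes section.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\file.exe"',
    r'"C:\Windows\SysWOW64\WindowsInput.exe" --install',
    r'"C:\Windows\SysWOW64\WindowsInput.exe"',
    r'"C:\Program Files (x86)\Orcus\Orcus.exe"',
    r'"C:\Users\Admin\AppData\Roaming\Sys322.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 372 /protectFile',
    r'"C:\Users\Admin\AppData\Roaming\Sys322.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 372 "/protectFile"',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{386365d9-0e24-4dd9-86b1-ec6db5d8375a}.bat""',
    r"reg delete HKCR/.exe",
    r"reg delete HKCR/.dll",
    r"reg delete HKCR/*",
]

# Editor heuristics: (rule name, regex over the full command line).
RULES = [
    ("orcus_watchdog", re.compile(r"/(watchProcess|launchSelfAndExit|protectFile)\b", re.I)),
    ("windowsinput_install", re.compile(r'\\WindowsInput\.exe"?\s+--install', re.I)),
    ("hkcr_association_delete", re.compile(r"^reg\s+delete\s+HKCR[\\/]", re.I)),
    ("temp_guid_batch", re.compile(r"\\Temp\\\{[0-9a-f-]{36}\}\.bat", re.I)),
]


def parse_tree(rows):
    """Map child PID -> (parent PID, child image); duplicate rows collapse."""
    tree = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parent, child, _parent_img, child_img = m.groups()
            tree[int(child)] = (int(parent), child_img)
    return tree


def ancestry(tree, pid):
    """PIDs from `pid` up to the first process not spawned in the log."""
    chain = [pid]
    while chain[-1] in tree:
        chain.append(tree[chain[-1]][0])
    return chain


def render_tree(tree, root_pid, root_image):
    """Indented text rendering of everything below root_pid."""
    children = defaultdict(list)
    for child, (parent, image) in tree.items():
        children[parent].append((child, image))
    lines = []

    def walk(pid, image, depth):
        lines.append(f"{'  ' * depth}{pid} {image}")
        for child_pid, child_image in sorted(children[pid]):
            walk(child_pid, child_image, depth + 1)

    walk(root_pid, root_image, 0)
    return lines


def match_rules(cmdline):
    """Names of the rules that fire on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


if __name__ == "__main__":
    tree = parse_tree(WRITEPROCESSMEMORY_ROWS)
    print("\n".join(render_tree(tree, 4944, r"C:\Users\Admin\AppData\Local\Temp\file.exe")))
    for cmd in COMMAND_LINES:
        if match_rules(cmd):
            print(f"{', '.join(match_rules(cmd))}: {cmd}")
```

The same two functions work on a Sysmon or EDR export once the rows are mapped to the same (parent PID, child PID, child image) triple; the tree is what turns twelve isolated reg.exe and cmd.exe events into one chain rooted at file.exe.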

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\Sys322.exe

"C:\Users\Admin\AppData\Roaming\Sys322.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 372 /protectFile

C:\Users\Admin\AppData\Roaming\Sys322.exe

"C:\Users\Admin\AppData\Roaming\Sys322.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 372 "/protectFile"

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UndoAdd.jpeg" /ForceBootstrapPaint3D

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{386365d9-0e24-4dd9-86b1-ec6db5d8375a}.bat""

C:\Windows\SysWOW64\reg.exe

reg delete HKCR/.exe

C:\Windows\SysWOW64\reg.exe

reg delete HKCR/.dll

C:\Windows\SysWOW64\reg.exe

reg delete HKCR/*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{b64d9d2d-7a9e-41c8-b1f6-90d0ea20240e}.bat""

C:\Windows\SysWOW64\reg.exe

reg delete HKCR/.exe

C:\Windows\SysWOW64\reg.exe

reg delete HKCR/.dll

C:\Windows\SysWOW64\reg.exe

reg delete HKCR/*

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.tcp.eu.ngrok.io udp
DE 3.127.253.86:15428 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.253.127.3.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

memory/4944-0-0x0000000000EB0000-0x0000000000F9A000-memory.dmp

memory/4944-1-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4944-2-0x0000000005990000-0x00000000059A0000-memory.dmp

memory/4944-3-0x0000000001950000-0x000000000195E000-memory.dmp

memory/4944-4-0x0000000005820000-0x000000000587C000-memory.dmp

memory/4944-5-0x0000000005F50000-0x00000000064F4000-memory.dmp

memory/4944-6-0x00000000059A0000-0x0000000005A32000-memory.dmp

memory/4944-7-0x0000000005980000-0x0000000005992000-memory.dmp

memory/4944-8-0x0000000005EB0000-0x0000000005ED2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2836-22-0x0000000000320000-0x000000000032C000-memory.dmp

memory/2836-23-0x00007FF9DAB30000-0x00007FF9DB5F1000-memory.dmp

memory/2836-24-0x0000000000C00000-0x0000000000C12000-memory.dmp

memory/2836-25-0x0000000002550000-0x000000000258C000-memory.dmp

memory/2836-29-0x00007FF9DAB30000-0x00007FF9DB5F1000-memory.dmp

memory/1596-31-0x00007FF9DAB30000-0x00007FF9DB5F1000-memory.dmp

memory/1596-32-0x0000000001270000-0x0000000001280000-memory.dmp

memory/1596-33-0x000000001AB90000-0x000000001AC9A000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 12ad4c2b63d32b4579f03992e362f8ef
SHA1 c38692667cdfd7f2b8bc67f3d7165f72fba74552
SHA256 d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b
SHA512 c03c47ce05435eeed509021cd844a0530480b9cef30a60d0b7c1c4914b7b425edf86ef78be0e2929d198c5561e69445605d02a10a73a66ba11183f079f500ca0

memory/4944-49-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/372-50-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/372-51-0x0000000005790000-0x00000000057A0000-memory.dmp

memory/372-53-0x0000000005D10000-0x0000000005D5E000-memory.dmp

memory/372-52-0x00000000058D0000-0x00000000058E2000-memory.dmp

memory/372-55-0x00000000065D0000-0x00000000065E8000-memory.dmp

memory/100-56-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/372-57-0x0000000006790000-0x00000000067A0000-memory.dmp

memory/372-58-0x0000000006EF0000-0x00000000070B2000-memory.dmp

memory/372-59-0x0000000006910000-0x000000000691A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Sys322.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/3272-73-0x0000000000D00000-0x0000000000D08000-memory.dmp

memory/3272-74-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4800-77-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/3272-78-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/372-81-0x0000000007A90000-0x0000000007AF6000-memory.dmp

memory/100-83-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/372-84-0x0000000008130000-0x0000000008748000-memory.dmp

memory/372-85-0x0000000007B10000-0x0000000007B22000-memory.dmp

memory/372-86-0x0000000007B70000-0x0000000007BAC000-memory.dmp

memory/372-87-0x0000000007BB0000-0x0000000007BFC000-memory.dmp

memory/372-88-0x0000000007D30000-0x0000000007E3A000-memory.dmp

memory/1596-89-0x00007FF9DAB30000-0x00007FF9DB5F1000-memory.dmp

memory/1596-90-0x0000000001270000-0x0000000001280000-memory.dmp

memory/372-91-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/372-92-0x0000000005790000-0x00000000057A0000-memory.dmp

memory/4800-93-0x0000000074AF0000-0x00000000752A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\CSCore.dll

MD5 dde3ec6e17bc518b10c99efbd09ab72e
SHA1 a2306e60b74b8a01a0dbc1199a7fffca288f2033
SHA256 60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8
SHA512 09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

memory/372-98-0x00000000016A0000-0x0000000001726000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\OpusWrapper.dll

MD5 bf0ef47bea0139b87d42a449a0240101
SHA1 37b65cd6830088707be692d4602b10062a46b91a
SHA256 07ec44bca9b44de3b22f9d212db3ecc5191201e27e4310d7bb2b199deffbab5a
SHA512 830c5b380c844a8490cf482ef4ca4821b6185f5fd204c3edf21de0b449727448835b9cbfb103eb74aa91f05abb7390ed1c0ed5e815a7101d9127fc38382daa8a

memory/372-105-0x0000000007E40000-0x0000000007F1A000-memory.dmp

memory/372-108-0x0000000005790000-0x00000000057A0000-memory.dmp

memory/372-110-0x0000000040000000-0x000000004043E000-memory.dmp

memory/372-117-0x0000000040000000-0x000000004049D000-memory.dmp

memory/372-123-0x0000000040000000-0x00000000400C3000-memory.dmp

memory/372-128-0x0000000040000000-0x000000004034B000-memory.dmp

memory/372-134-0x0000000040000000-0x0000000040A99000-memory.dmp

memory/372-140-0x0000000040000000-0x0000000040007000-memory.dmp

memory/372-148-0x0000000006770000-0x000000000677C000-memory.dmp

memory/372-153-0x0000000040000000-0x0000000040032000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.dll

MD5 ffb4b61cc11bec6d48226027c2c26704
SHA1 fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA512 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

memory/372-228-0x0000000007450000-0x0000000007494000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.Direct3D11.dll

MD5 98eb5ba5871acdeaebf3a3b0f64be449
SHA1 c965284f60ef789b00b10b3df60ee682b4497de3
SHA256 d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512 a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

memory/372-235-0x00000000074A0000-0x00000000074EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.Direct3D9.dll

MD5 934da0e49208d0881c44fe19d5033840
SHA1 a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA256 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512 de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

memory/372-242-0x00000000074F0000-0x000000000754A000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\SharpDX.DXGI.dll

MD5 2b44c70c49b70d797fbb748158b5d9bb
SHA1 93e00e6527e461c45c7868d14cf05c007e478081
SHA256 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512 faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

memory/372-249-0x0000000001450000-0x0000000001476000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\TurboJpegWrapper.dll

MD5 ac6acc235ebef6374bed71b37e322874
SHA1 a267baad59cd7352167636836bad4b971fcd6b6b
SHA256 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA512 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

memory/372-256-0x00000000092C0000-0x0000000009414000-memory.dmp

memory/372-282-0x0000000001430000-0x000000000143C000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\AForge.Video.DirectShow.dll

MD5 17ed442e8485ac3f7dc5b3c089654a61
SHA1 d3a17c1fdd6d54951141053f88bf8238dea0b937
SHA256 666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
SHA512 9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

memory/372-289-0x0000000007F20000-0x0000000007F36000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\x86\turbojpeg.dll

MD5 82898ed19da89d7d44e280a3ced95e9b
SHA1 eec0af5733c642eac8c5e08479f462d1ec1ed4db
SHA256 5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29
SHA512 ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\DirectoryInfoEx.dll

MD5 314955d214bb02847e7f8607a16ec550
SHA1 c471e2948d0cd1d4a11902a134735f00cd78c0c1
SHA256 82fd40348eb630313d5032910d021ebd982fdde086fbe73ba8947a6d2cb40357
SHA512 0ea2457db279159c1983455eee50a69305a151c012b9948950d038c101efc08a00da1f456a76a4351770684783c2e01a536ea194bb7f586865865d90d6dbb8de

memory/372-513-0x0000000008890000-0x00000000088CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\ShellLibrary.dll

MD5 20aa983bd64aa1f8a37d9e61961eabec
SHA1 48dfd92883f6b60252ab01e57f8de75d21edf173
SHA256 ace8dc565164e7612ed3f964a5d16bdcdda0aac7185ba3639b3b7c6064ca1124
SHA512 27560fc2983cde678bc3367563c05452004db9dc2523e30ed43ecc413e1ead0eb5d77152f17bd17c58dfe48b2ff7c1c413b6b4da483a664bab3167e74dc3486d

memory/372-520-0x0000000008850000-0x0000000008866000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\ICSharpCode.SharpZipLib.dll

MD5 c8164876b6f66616d68387443621510c
SHA1 7a9df9c25d49690b6a3c451607d311a866b131f4
SHA256 40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d
SHA512 44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

memory/372-527-0x00000000078A0000-0x00000000078D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{386365d9-0e24-4dd9-86b1-ec6db5d8375a}.bat

MD5 0788759f44355b956cae8668aa85bf99
SHA1 b6d6596cacdab8a732df173911e231460788ddc9
SHA256 22c41c5bf7d98874fc676bd6a14718093f180a9d20f4c70b8601a4144f1ab26c
SHA512 06e461beba4a4140a54b8ed14bace096630d30647ec437cf0e58009706a8785b03fff51cf1da857001d482c08ec5d80fc85331ca6bd029a2228040b34fa3e3bf

memory/372-653-0x000000000AF20000-0x000000000AFCA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orcus.exe.log

MD5 0672db2ef13237d5cb85075ff4915942
SHA1 ad8b4d3eb5e40791c47d48b22e273486f25f663f
SHA256 0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
SHA512 84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

memory/3400-770-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/3400-771-0x0000000005430000-0x0000000005440000-memory.dmp

memory/3400-772-0x0000000074AF0000-0x00000000752A0000-memory.dmp
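
Two points in the Files and Network sections matter when these indicators are reused. First, the dropped C:\Program Files (x86)\Orcus\Orcus.exe carries the same SHA256 as the submitted file.exe (d699d584…), so the installer copies itself intact, while Sys322.exe (the watchdog) and WindowsInput.exe are distinct binaries with their own hashes. Second, the DLLs under AppData\Roaming\ASystem\lib_* are open-source libraries (SharpDX, AForge.Video, CSCore, SharpZipLib, turbojpeg) that Orcus unpacks; the same files ship with legitimate software, so a hash hit on one of them alone is weak evidence. The C2 channel ran through an ngrok TCP tunnel (4.tcp.eu.ngrok.io resolving to 3.127.253.86:15428); ngrok assigns that IP and port per tunnel, so the hostname pattern is the durable indicator rather than the address. The script below is an added example written for this page, not code from the report: it packages the report's hashes and paths as a tiered IOC set and scans a directory tree against them. The tier labels, path indicator names and the ngrok hostname regex are the editor's assumptions; the hash values are copied from the Files section.

```python
"""
Added example (editor's own, not part of the report): the report's hashes,
paths and C2 hostname as a tiered IOC set plus a directory scanner.
Hashes are copied from the Files section; tiers, labels and the ngrok
hostname pattern are editor assumptions.
"""
import hashlib
import re
import sys
from pathlib import Path

# "payload": specific to this sample (Orcus.exe hash == submitted file.exe).
# "library": bundled open-source libraries; weak evidence on their own.
SHA256_IOCS = {
    "d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b": ("Orcus.exe", "payload"),
    "8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a": ("Sys322.exe", "payload"),
    "8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337": ("WindowsInput.exe", "payload"),
    "f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839": ("WindowsInput.exe.config", "payload"),
    "22c41c5bf7d98874fc676bd6a14718093f180a9d20f4c70b8601a4144f1ab26c": ("{386365d9-0e24-4dd9-86b1-ec6db5d8375a}.bat", "payload"),
    "60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8": ("CSCore.dll", "library"),
    "07ec44bca9b44de3b22f9d212db3ecc5191201e27e4310d7bb2b199deffbab5a": ("OpusWrapper.dll", "library"),
    "061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303": ("SharpDX.dll", "library"),
    "d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c": ("SharpDX.Direct3D11.dll", "library"),
    "02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7": ("SharpDX.Direct3D9.dll", "library"),
    "3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf": ("SharpDX.DXGI.dll", "library"),
    "047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96": ("TurboJpegWrapper.dll", "library"),
    "bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d": ("AForge.Video.dll", "library"),
    "666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b": ("AForge.Video.DirectShow.dll", "library"),
    "5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29": ("x86/turbojpeg.dll", "library"),
    "82fd40348eb630313d5032910d021ebd982fdde086fbe73ba8947a6d2cb40357": ("DirectoryInfoEx.dll", "library"),
    "ace8dc565164e7612ed3f964a5d16bdcdda0aac7185ba3639b3b7c6064ca1124": ("ShellLibrary.dll", "library"),
    "40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d": ("ICSharpCode.SharpZipLib.dll", "library"),
}

# Case-insensitive path substrings this sample writes to or runs from.
PATH_IOCS = [
    (r"\program files (x86)\orcus\orcus.exe", "orcus_main_binary"),
    (r"\appdata\roaming\sys322.exe", "orcus_watchdog"),
    (r"\syswow64\windowsinput.exe", "orcus_input_helper"),
    (r"\appdata\roaming\asystem\lib_", "orcus_library_dir"),
]

# Observed C2: 4.tcp.eu.ngrok.io -> 3.127.253.86:15428. The address is per
# tunnel; match the hostname shape instead (editor's assumption of the shape).
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.I)


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA256 hex digest of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_hash(digest, iocs=SHA256_IOCS):
    """(name, tier) for a known SHA256, else None."""
    return iocs.get(digest.lower())


def path_indicator(path):
    """Label of the first path IOC contained in `path`, else None."""
    low = path.lower()
    return next((label for needle, label in PATH_IOCS if needle in low), None)


def domain_indicator(domain):
    """True for an ngrok TCP-tunnel hostname of the kind this sample used."""
    return bool(NGROK_TCP_RE.match(domain.strip().rstrip(".")))


def scan_tree(root, iocs=SHA256_IOCS):
    """One dict per file under `root` that matches a hash or a path IOC."""
    hits = []
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        hit = {}
        if label := path_indicator(str(p)):
            hit["path_ioc"] = label
        if known := lookup_hash(sha256_file(p), iocs):
            hit["name"], hit["tier"] = known
        if hit:
            hit["path"] = str(p)
            hits.append(hit)
    return hits


def verdict(hits):
    """'confirmed' on a payload or path hit, 'review' on library-only, else 'clean'."""
    if any(h.get("tier") == "payload" or "path_ioc" in h for h in hits):
        return "confirmed"
    return "review" if any(h.get("tier") == "library" for h in hits) else "clean"


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(*found, sep="\n")
    print("verdict:", verdict(found))
```

A library-only result is worth a look at the directory it sits in rather than an alert on its own: the distinctive part of this sample's footprint is the lib_* folder under AppData\Roaming\ASystem together with Sys322.exe and the Orcus directory under Program Files (x86), which is why the path indicators count as confirmation while a lone SharpDX.dll hash does not.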