Malware Analysis Report

2025-01-22 15:09

Sample ID 240211-bp56yada47
Target 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5
SHA256 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5
Tags
orcus persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5

Threat Level: Known bad

The file 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5 was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus

Orcus main payload

Orcurs Rat Executable

Orcus family

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-11 01:20

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-11 01:20

Reported

2024-02-11 01:22

Platform

win7-20231215-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 6.tcp.ngrok.io N/A N/A
N/A 6.tcp.ngrok.io N/A N/A
N/A 6.tcp.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A 32
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A 32

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 2432 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 3
PID 2920 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe 3
PID 2432 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe C:\Windows\SysWOW64\WindowsInput.exe 3
PID 2432 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe C:\Program Files\Orcus\Orcus.exe 3
PID 2820 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe 3
PID 2492 wrote to memory of 1208 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe 4
PID 1208 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe 4

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe

"C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxrlhixu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5255.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5254.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {384583E8-C4A1-43D9-84EB-DC1F580CD1D1} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2492

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2492
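
The process list above is flat and the WriteProcessMemory signature prints one row per call, so the lineage has to be reassembled by hand. The Python below is an added example, not sandbox output and not code from the Orcus project: it deduplicates the behavioral1 WriteProcessMemory rows, rebuilds the parent/child tree, and flags the two patterns a detection rule should key on in this run: an image that relaunches itself (OrcusWatchdog.exe /launchSelfAndExit followed by /watchProcess) and a payload started by the Task Scheduler engine. The row text is constructed from the table above with the SHA256-named sample path shortened to sample.exe and a few duplicate rows kept as the sandbox emits them; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed from the behavioral1 "Suspicious use of WriteProcessMemory" rows;
# the sample's SHA256-named path is shortened to sample.exe, duplicates kept.
WPM_ROWS = r"""
PID 2432 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2432 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2920 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2432 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2432 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Program Files\Orcus\Orcus.exe
PID 2820 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe
PID 2492 wrote to memory of 1208 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2492 wrote to memory of 1208 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1208 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Split "<parent path> <child path>" only at the space that precedes a drive
# letter, so paths containing spaces (C:\Program Files\...) stay intact.
PATH_SPLIT_RE = re.compile(r" (?=[A-Za-z]:\\)")


def parse_wpm(text):
    """Deduplicate rows into {(parent_pid, child_pid): (parent_image, child_image)}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent_img, child_img = PATH_SPLIT_RE.split(m.group(3))
        edges[(int(m.group(1)), int(m.group(2)))] = (parent_img, child_img)
    return edges


def build_tree(edges):
    """Return (roots, children, images); roots are PIDs never seen as a child."""
    children = defaultdict(list)
    images = {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
    all_children = {c for kids in children.values() for c in kids}
    roots = sorted(p for p in images if p not in all_children)
    return roots, children, images


def render_tree(edges):
    """Indented one-line-per-process view, two spaces per depth level."""
    roots, children, images = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def self_respawns(edges):
    """Parent and child share an image name: the watchdog relaunching itself."""
    return [(p, c, pimg) for (p, c), (pimg, cimg) in edges.items()
            if basename(pimg) == basename(cimg)]


def scheduled_task_launches(edges):
    """Children of the Task Scheduler engine (taskeng.exe on Windows 7)."""
    return [(c, cimg) for (p, c), (pimg, cimg) in edges.items()
            if basename(pimg) == "taskeng.exe"]


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(edges)))
    print("self-respawn:", self_respawns(edges))
    print("launched by task scheduler:", scheduled_task_launches(edges))
```

Running it prints the sample spawning csc.exe (runtime compilation of the dropped .cs file), WindowsInput.exe, and Orcus.exe, with Orcus.exe spawning the watchdog and the watchdog spawning itself, plus a second root, taskeng.exe, starting Orcus.exe. On Windows 10 scheduled tasks are started by the svchost.exe instance hosting the Schedule service rather than taskeng.exe, which is my reading of why the behavioral2 run lists a second Orcus.exe with no matching WriteProcessMemory row even though the same Task Scheduler COM API signature fired there.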

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.132.159.158:13146 6.tcp.ngrok.io tcp
US 3.132.159.158:13146 6.tcp.ngrok.io tcp
US 3.132.159.158:13146 6.tcp.ngrok.io tcp
US 3.132.159.158:13146 6.tcp.ngrok.io tcp
US 3.132.159.158:13146 6.tcp.ngrok.io tcp
US 3.132.159.158:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp

Files

memory/2432-0-0x000000001AE30000-0x000000001AE8C000-memory.dmp

memory/2432-1-0x0000000000520000-0x000000000052E000-memory.dmp

memory/2432-2-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

memory/2432-3-0x0000000002040000-0x00000000020C0000-memory.dmp

memory/2432-7-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pxrlhixu.cmdline

MD5 1753f09b4f694bc4dbaa35700bd52794
SHA1 e3bc37123a610f0c578f1e75301d057b0bc579aa
SHA256 a5303887241d4cc32cd389d145d50355628ca7aabd058033cd675cae36360dd6
SHA512 bbd28ccd3264b8e40e04babe15abb37299da0ad68c320fc70c43bd0ba2fc5a6f21c2b63182cffcf8542551da9ab3a7326a3b07eeb7096b2ce994dba794b5585a

\??\c:\Users\Admin\AppData\Local\Temp\pxrlhixu.0.cs

MD5 6011503497b1b9250a05debf9690e52c
SHA1 897aea61e9bffc82d7031f1b3da12fb83efc6d82
SHA256 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434
SHA512 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

memory/2920-10-0x00000000022C0000-0x0000000002340000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC5254.tmp

MD5 f655af48d949048eb34194bba1325f60
SHA1 d14adb13c120bf0163a62e2197d6ebaf3028c120
SHA256 be6f0fa52b69052b7401595ccfa01622fd0c26931e43295d6a27be21c4922af0
SHA512 32626ce29a18885bbe7619580356c6184f1d1fef03432f1e713db452166254ea096ab330dfb3f088aa012919fc5b1841c7d1f7b176a480a10eb29f34817e30bc

C:\Users\Admin\AppData\Local\Temp\RES5255.tmp

MD5 40badad527f3d6ee8e6b3a9de65c4fe5
SHA1 7f5cfb47b766c9b50f430d3b9239dcced199a2be
SHA256 56311fd53cac044a9a3de4fc8012b959dd9a1390cdf6007507362513f3c7f524
SHA512 7ffa96eb08283c293b34fc9744730b90d6e3ac329066f4d9a6f7056bc4e95e0928bd8dc974dcea0b5d60a0e3b64cf3399e025d0a6e55586212b944495266cec7

C:\Users\Admin\AppData\Local\Temp\pxrlhixu.dll

MD5 0be400fac7cee3ce4978d97181c71890
SHA1 ad4f8846291168c036a09e4b8debb4c62fb4407f
SHA256 df210332c5dde1fbaa9c44e11915c5bdfd196ba8fda4ea3313c8ddcc306b30c9
SHA512 79bd147bcb078c1cb26c889163b5bb71309651f7f9954712601ea921eaad74d27a3b3129f7658a2b8b6ee548bacbdd39b89f6292a741eb32bc1987ff1bcc953f

memory/2432-18-0x000000001AEA0000-0x000000001AEB6000-memory.dmp

memory/2432-20-0x00000000008E0000-0x00000000008F2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2608-28-0x0000000001100000-0x000000000110C000-memory.dmp

memory/2608-29-0x000007FEEE7F0000-0x000007FEEF1DC000-memory.dmp

memory/2608-30-0x000000001B2C0000-0x000000001B340000-memory.dmp

memory/2608-33-0x000007FEEE7F0000-0x000007FEEF1DC000-memory.dmp

memory/2768-35-0x000007FEEDE00000-0x000007FEEE7EC000-memory.dmp

memory/2768-36-0x0000000001020000-0x00000000010A0000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 e51b12e9e7c6ae07bc88254dff2e4aec
SHA1 f59c3eb0b5b071e5e369d56decceba6b64dd8004
SHA256 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5
SHA512 3667d834a70289df92e6d566543ab10cafa4a5701578cd8472231bcfd4b7fb1efe98487af236389e24a38ad3ecc6459790c60d188256448071ee387e384a7797

C:\Program Files\Orcus\Orcus.exe

MD5 dc97b2a3cd4142d3cebbe81b4cb702f6
SHA1 eeae097a58c9c21f7547068f370647195a8275af
SHA256 beb5ec1df6e831132da876e313388b04f8c6f63e0775ae539e909d12c62ede48
SHA512 59099fd5fc99b994849c1eabd0a1741257ced13ab199172f0aae0b3226e25bea4b19120b2dd642e2df59ca2ebb8a9a5d4a966d948ff747aea559f73ac7edbdef

memory/2492-47-0x0000000000840000-0x000000000092A000-memory.dmp

memory/2492-46-0x000007FEEDE00000-0x000007FEEE7EC000-memory.dmp

memory/2432-45-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

memory/2492-48-0x000000001AF60000-0x000000001AFE0000-memory.dmp

memory/2492-49-0x00000000007E0000-0x000000000082E000-memory.dmp

memory/2492-50-0x0000000002290000-0x00000000022A8000-memory.dmp

memory/2492-51-0x00000000022B0000-0x00000000022C0000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 0a31ca75bb6bcd3f1f21f2b78eff97c5
SHA1 271d700002a54866ad7cea6f0f753b4f1a3724a5
SHA256 1b0e8b87bc1dce78dd901897bebfe992c7d11103238bd3d643cde8ec3754fa7d
SHA512 2d94b68c6ce4c6d9c49d3640027f5795bc93220e6194420cfe5c0756dab12a6d5823d95bae7c523f982a7a5140f9f5f56356e5f97ba1a2570f7368d4efe00eb6

memory/2952-53-0x000007FEEDE00000-0x000007FEEE7EC000-memory.dmp

memory/2952-54-0x000000001ACA0000-0x000000001AD20000-memory.dmp

memory/2492-55-0x000000001AF60000-0x000000001AFE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/1208-64-0x0000000000320000-0x0000000000328000-memory.dmp

memory/1208-65-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2504-67-0x0000000074180000-0x000000007486E000-memory.dmp

memory/1208-68-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2768-69-0x000007FEEDE00000-0x000007FEEE7EC000-memory.dmp

memory/2952-70-0x000007FEEDE00000-0x000007FEEE7EC000-memory.dmp

memory/2768-71-0x0000000001020000-0x00000000010A0000-memory.dmp

memory/2492-72-0x000007FEEDE00000-0x000007FEEE7EC000-memory.dmp

memory/2492-73-0x000000001AF60000-0x000000001AFE0000-memory.dmp

memory/2492-74-0x000000001AF60000-0x000000001AFE0000-memory.dmp

memory/2504-75-0x0000000074180000-0x000000007486E000-memory.dmp
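
The Files list records C:\Program Files\Orcus\Orcus.exe three times with three different hash sets, and the first SHA256 is the submitted sample's own: the dropper copies itself into Program Files and the file is then rewritten (the "File opened for modification" row under Drops file in Program Files directory), so only the first of the three hashes will match the original. The Python below is an added example, not sandbox output: it parses a constructed subset of the entries above in the same layout (memory dump lines skipped, the \??\ object-manager prefix stripped), lists paths written with more than one digest, flags dropped files byte-identical to the sample, and reduces the list to one row per distinct artefact. Function names are mine.

```python
import re
from collections import defaultdict

SAMPLE_SHA256 = "6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5"

# Constructed subset of the behavioral1 Files section above, same layout:
# a path line, then "ALGO digest" lines; memory dumps carry no hashes.
FILES_SECTION = r"""
memory/2432-0-0x000000001AE30000-0x000000001AE8C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pxrlhixu.cmdline

MD5 1753f09b4f694bc4dbaa35700bd52794
SHA256 a5303887241d4cc32cd389d145d50355628ca7aabd058033cd675cae36360dd6

C:\Users\Admin\AppData\Local\Temp\pxrlhixu.dll

MD5 0be400fac7cee3ce4978d97181c71890
SHA256 df210332c5dde1fbaa9c44e11915c5bdfd196ba8fda4ea3313c8ddcc306b30c9

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

C:\Program Files\Orcus\Orcus.exe

MD5 e51b12e9e7c6ae07bc88254dff2e4aec
SHA256 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5

C:\Program Files\Orcus\Orcus.exe

MD5 dc97b2a3cd4142d3cebbe81b4cb702f6
SHA256 beb5ec1df6e831132da876e313388b04f8c6f63e0775ae539e909d12c62ede48

C:\Program Files\Orcus\Orcus.exe

MD5 0a31ca75bb6bcd3f1f21f2b78eff97c5
SHA256 1b0e8b87bc1dce78dd901897bebfe992c7d11103238bd3d643cde8ec3754fa7d

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
NT_PREFIX = "\\??\\"   # the \??\ object-manager prefix on some reported paths


def parse_files(text):
    """Ordered [(path, {algo: digest})] for on-disk artefacts; memory dumps skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            entries[-1][1][m.group(1)] = m.group(2).lower()
        elif not m:
            if line.startswith(NT_PREFIX):
                line = line[len(NT_PREFIX):]
            entries.append((line, {}))
    return entries


def rewritten_paths(entries):
    """Paths recorded with more than one distinct SHA256, digests in the order seen."""
    seen = defaultdict(list)
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha and sha not in seen[path]:
            seen[path].append(sha)
    return {p: s for p, s in seen.items() if len(s) > 1}


def self_copies(entries, sample_sha256=SAMPLE_SHA256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [p for p, h in entries if h.get("SHA256") == sample_sha256.lower()]


def ioc_rows(entries):
    """One (path, SHA256) per distinct artefact: the list to ship as IoCs."""
    rows = []
    for p, h in entries:
        key = (p, h.get("SHA256"))
        if key not in rows:
            rows.append(key)
    return rows


if __name__ == "__main__":
    entries = parse_files(FILES_SECTION)
    for path, shas in rewritten_paths(entries).items():
        print(f"{path} rewritten, {len(shas)} distinct contents:")
        for s in shas:
            print("   ", s, "(= submitted sample)" if s == SAMPLE_SHA256 else "")
    print("self-copies:", self_copies(entries))
    print("distinct artefacts:", len(ioc_rows(entries)))
```

The practical consequence is that a hash-based rule for this sample catches the first copy in Program Files but not the two later versions of the same file; the stable indicators are the path, the Run key value and the OrcusWatchdog.exe drop in AppData\Roaming.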

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-11 01:20

Reported

2024-02-11 01:22

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Program Files\Orcus\Orcus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 6.tcp.ngrok.io N/A N/A
N/A 6.tcp.ngrok.io N/A N/A
N/A 6.tcp.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A 32
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A 32

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 4980 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 2
PID 4276 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe 2
PID 4980 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe C:\Windows\SysWOW64\WindowsInput.exe 2
PID 4980 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe C:\Program Files\Orcus\Orcus.exe 2
PID 4004 wrote to memory of 4556 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe 3
PID 4556 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe

"C:\Users\Admin\AppData\Local\Temp\6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hggmtln7.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7020.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC701F.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4004

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4004

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 1.177.141.3.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 3.141.177.1:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.142.211:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 211.142.141.3.in-addr.arpa udp
US 3.141.142.211:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 3.141.142.211:13146 6.tcp.ngrok.io tcp
US 3.141.142.211:13146 6.tcp.ngrok.io tcp
US 3.141.142.211:13146 6.tcp.ngrok.io tcp
US 3.141.142.211:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.210.37:13146 6.tcp.ngrok.io tcp
US 8.8.8.8:53 37.210.141.3.in-addr.arpa udp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp
US 3.141.210.37:13146 6.tcp.ngrok.io tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\hggmtln7.cmdline

MD5 8f9cfa00ffc4a899bd2ad7a77bf5aea8
SHA1 d3c0d6d1bb72f8b968ed87c0017b10960183e87d
SHA256 38a34e4244dd729e7076304fee351aef094915297ab7b04d0f88ed88f53d147c
SHA512 3d692d11249641cb7d25508a9076afad9d7459aab42505aae4bf3a7dbf9e6d2c40103b1c5cb049ca07343a5856fd5d48ac1a860555492eed506dd3ad7edc1663

\??\c:\Users\Admin\AppData\Local\Temp\hggmtln7.0.cs

MD5 cfbaf1d4b042caaa137e37e8d53ec567
SHA1 73f790fa2ac5077c9a1930145a20eec415e43a63
SHA256 e5f6c52c956253350e8289e5b1ec15b59442de100df0410c180dcfbcb1b7a4e7
SHA512 c442924a8039b7cfb13a712086ddd4b6bb9752930348de0e4194803b58b4941bb88162fceb97cab2295b877b462e845e53ec1338fa5c51951d4645d68d5faecb

\??\c:\Users\Admin\AppData\Local\Temp\CSC701F.tmp

MD5 e4c02a9e9374479ee37165abbdc02680
SHA1 caf9be2f59151adac445866ad8d0b06ea89dbbc1
SHA256 9ff0f0797580b91782524ac9a1d692c971c8a80f10ad6121a5308e947f2f5824
SHA512 66c6e4bcbb0fbcdf666cdc090e735e54288024e55eaea9c20858eb2c4e98bde6bd6ade0f61477e9f2b135c19412303595cccccf17e3b15ed7097aa3d83e4b213

C:\Users\Admin\AppData\Local\Temp\RES7020.tmp

MD5 7276e64b645a913eb294f55d9e4ee48e
SHA1 0fb21922dc09e5455c029fbd3108c153af740774
SHA256 2382990c8b899f538f60065eecb8811ae30b7c2bbb330ae05a96a16e0ce5b29d
SHA512 f4e1763b5d94292c1a91a4c00e405624aab7158ff15f9d335ef6ae60db6a7b29d007d6d7fea4f279fba29f87583af18249e35ff199b9580f631530a868a77cba

C:\Users\Admin\AppData\Local\Temp\hggmtln7.dll

MD5 82a46931380affb6c2131f9e33d8d69d
SHA1 c54486b792eeaa6652fd01c0114f9567eea8fc9f
SHA256 3b8f9706b8b95d0558bb95d519201419a927ab29edcfef73be0cc804daf94b81
SHA512 0302c3d56b0a53aee3c0a861951688aaa810bbb52cb3d43be538de53b0c4f795922a746d5c711de960266b11be07d5115bab5d2cc9eebba65c5273ecbded08ff

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Orcus\Orcus.exe

MD5 e51b12e9e7c6ae07bc88254dff2e4aec
SHA1 f59c3eb0b5b071e5e369d56decceba6b64dd8004
SHA256 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5
SHA512 3667d834a70289df92e6d566543ab10cafa4a5701578cd8472231bcfd4b7fb1efe98487af236389e24a38ad3ecc6459790c60d188256448071ee387e384a7797

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
