Malware Analysis Report

2025-01-22 15:03

Sample ID 240219-zmv5ysda6s
Target ocrus.exe
SHA256 9c7d83f03806a3670794c8093d5be42010765d2789671b132b448c7b04ceade9
Tags
orcus rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

9c7d83f03806a3670794c8093d5be42010765d2789671b132b448c7b04ceade9

Threat Level: Known bad

The file ocrus.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus family

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-19 20:50

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-19 20:50

Reported 2024-02-19 22:14

Platform win10-20240214-en

Max time kernel 1799s

Max time network 1597s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ocrus.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ocrus.exe

"C:\Users\Admin\AppData\Local\Temp\ocrus.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 4836 /protectFile

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 4836 "/protectFile"

Network

Country Destination Domain Proto
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp

Files

memory/308-0-0x0000000000CF0000-0x0000000000F8A000-memory.dmp

memory/308-1-0x0000000074070000-0x000000007475E000-memory.dmp

memory/308-2-0x0000000003380000-0x000000000338E000-memory.dmp

memory/308-4-0x00000000057A0000-0x00000000057B0000-memory.dmp

memory/308-3-0x00000000057B0000-0x000000000580C000-memory.dmp

memory/308-5-0x0000000005D80000-0x000000000627E000-memory.dmp

memory/308-6-0x0000000006320000-0x00000000063B2000-memory.dmp

memory/308-7-0x0000000005D50000-0x0000000005D62000-memory.dmp

memory/308-8-0x0000000005D60000-0x0000000005D68000-memory.dmp

memory/308-12-0x00000000062B0000-0x00000000062D2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 4033130963dce5a5e2fe9d19d0589ce4
SHA1 193daba4a16b7ec13769a8145ec4ef9882ab44be
SHA256 a8bd9d6fcff53b8d0cea4d684429838d71981486086833c97b18e606eee52a14
SHA512 348fba372581b1f3c7987a0d54a10ac19e9b9edface3fcbc081b57757912adbdc08c9f6fbf96a28b3ee368ccb7a01c98d3e5d9aeb6bd6dc9d69b098d58765e73

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 89817519e9e0b4e703f07e8c55247861
SHA1 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256 f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512 b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

memory/2972-20-0x0000000000260000-0x000000000026C000-memory.dmp

memory/2972-22-0x00007FFE54EE0000-0x00007FFE558CC000-memory.dmp

memory/2972-23-0x00000000009F0000-0x0000000000A00000-memory.dmp

memory/2972-21-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/2972-24-0x0000000002460000-0x000000000249E000-memory.dmp

memory/2972-28-0x00007FFE54EE0000-0x00007FFE558CC000-memory.dmp

memory/4656-30-0x00007FFE54EE0000-0x00007FFE558CC000-memory.dmp

memory/4656-31-0x000000001A7C0000-0x000000001A7D0000-memory.dmp

memory/4656-32-0x000000001ACE0000-0x000000001ADEA000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 1b775d3e637ac0bc98bb2e8832a066e8
SHA1 749253c3429a5c4008b8695bf7bb8663f79282f4
SHA256 9c7d83f03806a3670794c8093d5be42010765d2789671b132b448c7b04ceade9
SHA512 cbc74291f281caa76e5a47a259c6930731d675a494e0e573e0b074f58cd1d8968f01d80cb913563134e3099196468b0f222b963ef66ef62a26d1ec2841fe17f5

memory/308-43-0x0000000074070000-0x000000007475E000-memory.dmp

memory/4836-42-0x0000000074070000-0x000000007475E000-memory.dmp

memory/4836-44-0x0000000005570000-0x0000000005580000-memory.dmp

memory/4836-45-0x0000000005FC0000-0x000000000600E000-memory.dmp

memory/4836-46-0x0000000006010000-0x0000000006028000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 39719d2b56f01c2bf5f12d90d8ad79e0
SHA1 ddfbe84e1a1d4f3b36a1478b11c8d0f126fb1062
SHA256 5d10913c93d1f6c2aa97229f30ed336b0734591b58cda395db43203e383cb2fb
SHA512 ad536266906cff005680a9b1847b9282906add40b6b176fb03365348027e7380816150ad8dcbd36b3df3b0da11ecf19974857f256443757d19354c415ba4b036

memory/4316-49-0x0000000074070000-0x000000007475E000-memory.dmp

memory/4836-48-0x0000000006230000-0x0000000006248000-memory.dmp

memory/4316-50-0x0000000005120000-0x0000000005130000-memory.dmp

memory/4836-52-0x0000000006400000-0x0000000006410000-memory.dmp

memory/4836-51-0x00000000065F0000-0x00000000067B2000-memory.dmp

memory/4836-53-0x00000000067E0000-0x00000000067EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 9e8929ba18a468f54f2557bc35a1485e
SHA1 d72208f50b927c90e9dbf793dcee5800e90953dc
SHA256 7df93c106f06bbabef542fce32e73f6a6db6181d99599967764d2ee5bcef70fc
SHA512 5a298399ce80f37b4ae9b353ef0726a9ed62145f22d765297642659d05b0ced1b280d087de43d5bb158c363ba4140da472f4845cbecec4e3df900d325a16a5d7

memory/4236-61-0x0000000000C80000-0x0000000000C88000-memory.dmp

memory/4236-62-0x0000000074070000-0x000000007475E000-memory.dmp

memory/4236-66-0x0000000074070000-0x000000007475E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 605f809fab8c19729d39d075f7ffdb53
SHA1 c546f877c9bd53563174a90312a8337fdfc5fdd9
SHA256 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
SHA512 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

memory/4908-67-0x0000000074070000-0x000000007475E000-memory.dmp

memory/4316-69-0x0000000074070000-0x000000007475E000-memory.dmp

memory/4656-70-0x00007FFE54EE0000-0x00007FFE558CC000-memory.dmp

memory/4656-71-0x000000001A7C0000-0x000000001A7D0000-memory.dmp

memory/4836-72-0x0000000074070000-0x000000007475E000-memory.dmp

memory/4908-73-0x0000000074070000-0x000000007475E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-19 20:50

Reported 2024-02-19 22:14

Platform win10v2004-20231215-en

Max time kernel 1800s

Max time network 1441s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ocrus.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Orcus\Orcus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ocrus.exe

"C:\Users\Admin\AppData\Local\Temp\ocrus.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 1688 /protectFile

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 1688 "/protectFile"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 162.177.78.104.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.179.17.96.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp

Files

memory/1700-0-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1700-1-0x0000000000E00000-0x000000000109A000-memory.dmp

memory/1700-2-0x0000000005A30000-0x0000000005A40000-memory.dmp

memory/1700-3-0x0000000001B90000-0x0000000001B9E000-memory.dmp

memory/1700-4-0x0000000005AB0000-0x0000000005B0C000-memory.dmp

memory/1700-5-0x00000000061B0000-0x0000000006754000-memory.dmp

memory/1700-6-0x00000000060E0000-0x0000000006172000-memory.dmp

memory/1700-7-0x0000000005A10000-0x0000000005A22000-memory.dmp

memory/1700-8-0x0000000005BD0000-0x0000000005BD8000-memory.dmp

memory/1700-12-0x0000000006070000-0x0000000006092000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 4033130963dce5a5e2fe9d19d0589ce4
SHA1 193daba4a16b7ec13769a8145ec4ef9882ab44be
SHA256 a8bd9d6fcff53b8d0cea4d684429838d71981486086833c97b18e606eee52a14
SHA512 348fba372581b1f3c7987a0d54a10ac19e9b9edface3fcbc081b57757912adbdc08c9f6fbf96a28b3ee368ccb7a01c98d3e5d9aeb6bd6dc9d69b098d58765e73

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 89817519e9e0b4e703f07e8c55247861
SHA1 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256 f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512 b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

memory/3444-26-0x00000000009A0000-0x00000000009AC000-memory.dmp

memory/3444-27-0x0000000002B40000-0x0000000002B52000-memory.dmp

memory/3444-28-0x00007FFCF4AE0000-0x00007FFCF55A1000-memory.dmp

memory/3444-29-0x0000000002BA0000-0x0000000002BDC000-memory.dmp

memory/3444-30-0x000000001B590000-0x000000001B5A0000-memory.dmp

memory/3444-34-0x00007FFCF4AE0000-0x00007FFCF55A1000-memory.dmp

memory/836-36-0x00007FFCF4AE0000-0x00007FFCF55A1000-memory.dmp

memory/836-37-0x000000001A510000-0x000000001A520000-memory.dmp

memory/836-38-0x000000001B1E0000-0x000000001B2EA000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 1b775d3e637ac0bc98bb2e8832a066e8
SHA1 749253c3429a5c4008b8695bf7bb8663f79282f4
SHA256 9c7d83f03806a3670794c8093d5be42010765d2789671b132b448c7b04ceade9
SHA512 cbc74291f281caa76e5a47a259c6930731d675a494e0e573e0b074f58cd1d8968f01d80cb913563134e3099196468b0f222b963ef66ef62a26d1ec2841fe17f5

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 a13877eda100d58a34055452648244d5
SHA1 9517a4b7530c1278e8e1398bf36fb872a4d3d408
SHA256 667197d2a5da5dcd4514eb5e2c8e9754926adfbfdd2a91d1aca95d51fd95a4a8
SHA512 62757b00cff1228647b1e8556e88571f4ad97d1cf866b76e4dc093e7adc5b07ac46ac5b211747ec4ffaec831151d5ce561a67fc1d9288b670caea181608ad6c2

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 36300a272bea2f04ab36939aa62afad2
SHA1 311dfa71ac4f80049b2ae94cbc83621f04963381
SHA256 91aabb88392fb92f6abdcf1c1f41543a4f582b20c589dacb5aa07715b9233de3
SHA512 3fbf056f659df378ff20203d94200fd147b703e8328ee4eede93f622d94a3872d28aacc5fb6466814f73d6c2d5ac5efc1bca193948ba12ef4fa3e41022e1be47

memory/1688-54-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1700-55-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1688-56-0x0000000005900000-0x0000000005910000-memory.dmp

memory/1688-57-0x0000000005E30000-0x0000000005E7E000-memory.dmp

memory/1688-58-0x0000000005EA0000-0x0000000005EB8000-memory.dmp

memory/1688-60-0x00000000066B0000-0x00000000066C8000-memory.dmp

memory/2768-61-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/2768-62-0x00000000059B0000-0x00000000059C0000-memory.dmp

memory/1688-63-0x0000000006A60000-0x0000000006C22000-memory.dmp

memory/1688-64-0x0000000006870000-0x0000000006880000-memory.dmp

memory/1688-65-0x00000000068D0000-0x00000000068DA000-memory.dmp

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 9e8929ba18a468f54f2557bc35a1485e
SHA1 d72208f50b927c90e9dbf793dcee5800e90953dc
SHA256 7df93c106f06bbabef542fce32e73f6a6db6181d99599967764d2ee5bcef70fc
SHA512 5a298399ce80f37b4ae9b353ef0726a9ed62145f22d765297642659d05b0ced1b280d087de43d5bb158c363ba4140da472f4845cbecec4e3df900d325a16a5d7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orcus.exe.log

MD5 ba71d411be25c92286958e8ae96f2fef
SHA1 190b17f8d279fafc2e623b946b10bc93c8b62318
SHA256 8feca0b44c553447057c876cf7e27302487ab0bc78a700cf70cc27511d1d1e52
SHA512 d32100028efe1284e298fe6816f832f1a65bf3aacf435608c9e9770d1509f049dea5a9917963284f4095011b664bb8d39b447f1f249d2025d59957e3799e9649

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 3b51d66b0ed9fa823623534dcd22a54a
SHA1 5a0bfa06dcfcc4d1f5c465b8492d9e3e784afde4
SHA256 c81fc8732a2627422cf531a1fc83f3bca0722699a29473c053a56b45629b1d48
SHA512 f608b31a12c998af4980831f50c7e40ec6d5a7c0c380cb0355e292fbd7743568659867c2650df023c5f48303c87831b18bc496bf18e955d305252fd91b57082f

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-19 20:50

Reported

2024-02-19 22:14

Platform

win11-20240214-en

Max time kernel

1800s

Max time network

1502s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ocrus.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\ocrus.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ocrus.exe

"C:\Users\Admin\AppData\Local\Temp\ocrus.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 2400 /protectFile

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 2400 "/protectFile"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp

Files

C:\Windows\SysWOW64\WindowsInput.exe

MD5 4033130963dce5a5e2fe9d19d0589ce4
SHA1 193daba4a16b7ec13769a8145ec4ef9882ab44be
SHA256 a8bd9d6fcff53b8d0cea4d684429838d71981486086833c97b18e606eee52a14
SHA512 348fba372581b1f3c7987a0d54a10ac19e9b9edface3fcbc081b57757912adbdc08c9f6fbf96a28b3ee368ccb7a01c98d3e5d9aeb6bd6dc9d69b098d58765e73

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 89817519e9e0b4e703f07e8c55247861
SHA1 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256 f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512 b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 1b775d3e637ac0bc98bb2e8832a066e8
SHA1 749253c3429a5c4008b8695bf7bb8663f79282f4
SHA256 9c7d83f03806a3670794c8093d5be42010765d2789671b132b448c7b04ceade9
SHA512 cbc74291f281caa76e5a47a259c6930731d675a494e0e573e0b074f58cd1d8968f01d80cb913563134e3099196468b0f222b963ef66ef62a26d1ec2841fe17f5

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 5b6bea913fc19ce411fe64b8cdfe276e
SHA1 9c95427bbf517848631cff42c820c2260f7bc835
SHA256 92af7a2b5f3fb73bb6f3fb2fb7934c8d8a5e785ff429824deb3a965681714e02
SHA512 d56a212b70bf907aab23dcb464d1cc6b246ce382495b6e7f83eb9ea0155b7af3fe629525ae74057f2db03551413d405a51ac7c120c5e0cd7af6ccafda860d2ac

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 9e8929ba18a468f54f2557bc35a1485e
SHA1 d72208f50b927c90e9dbf793dcee5800e90953dc
SHA256 7df93c106f06bbabef542fce32e73f6a6db6181d99599967764d2ee5bcef70fc
SHA512 5a298399ce80f37b4ae9b353ef0726a9ed62145f22d765297642659d05b0ced1b280d087de43d5bb158c363ba4140da472f4845cbecec4e3df900d325a16a5d7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 bb27934be8860266d478c13f2d65f45e
SHA1 a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA256 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA512 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orcus.exe.log

MD5 c633b120a153417c1fadc6c3e4a1fd3d
SHA1 a436da6a5e16cebd9046ba3589d810396942ae79
SHA256 e35e20683114fe6ad0c8ff5ff3ff12bae50a80e199961939282fbe891b94ae6e
SHA512 36d4085d7420374f03e92a2632ac813270ecbf61b8cd4e0463fd014d8a64fa18511c9ff0c7b9d649a138c17bf8c07b496a845bc7e5b12d7b44d6cf1234d68f07
