Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/05/2024, 01:12 UTC

General

  • Target

    4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0.exe

  • Size

    917KB

  • MD5

    ee128fdc0c14610f0e94610332c8f189

  • SHA1

    d29af3db2e278549e22fa7b8bd939b581b34150c

  • SHA256

    4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0

  • SHA512

    884fd9316c51a91c2fba4222bfed7a4667fffc056715cda7591d49ab26e2c161365451123b667ab6fe4a1269b139aeba6f02ee460173fda7b8cee8e10918e9fd

  • SSDEEP

    24576:2CC4MROxnFi33snrrcI0AilFEvxHPDooW:2KMiocnrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

live-promotions.gl.at.ply.gg:51701

Mutex

3c04931e3f454403ae52495677e37b6f

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan sold on underground forums.

  • Orcus main payload 1 IoCs
  • Orcus RAT Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0.exe
    "C:\Users\Admin\AppData\Local\Temp\4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Program Files (x86)\Orcus\Orcus.exe
      "C:\Program Files (x86)\Orcus\Orcus.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3704 /protectFile
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3704 "/protectFile"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2500
  • C:\Program Files (x86)\Orcus\Orcus.exe
    "C:\Program Files (x86)\Orcus\Orcus.exe"
    1⤵
    • Executes dropped EXE
    PID:1820
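
The tree above shows the Orcus self-protection chain: Orcus.exe (PID 3704) writes OrcusWatchdog.exe to the roaming profile and starts it with `/launchSelfAndExit "<Orcus path>" 3704 /protectFile`; that bootstrap copy (PID 3204) re-launches itself as the long-lived `/watchProcess` instance (PID 2500) and exits, presumably so that the guard is not tied to the lifetime of the process that started it. The second root-level Orcus.exe (PID 1820) has no parent in the tree; the report does not say what launched it (the configured Run key and scheduled task are the candidates). The Python below is an added example, not code from tria.ge or from Orcus: it replays the five process-creation events of this tree as Sysmon-style records and flags the watchdog pattern, cross-checking the PID on the command line against the actual tree. The parent PID 1000 given to the two root processes is a constructed placeholder; every other value is taken from the report.

```python
"""Spot the Orcus watchdog chain in process-creation telemetry.

Added example (not tria.ge or Orcus code). Records mimic Sysmon Event ID 1 fields.
The five events are this report's process tree; PPID 1000 for the two root
processes is a constructed placeholder (the report does not give their parents).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0.exe"
ORCUS = r"C:\Program Files (x86)\Orcus\Orcus.exe"
WATCHDOG = r"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"

SAMPLE_EVENTS = [
    ProcEvent(4424, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3704, 4424, ORCUS, f'"{ORCUS}"'),
    ProcEvent(3204, 3704, WATCHDOG, f'"{WATCHDOG}" /launchSelfAndExit "{ORCUS}" 3704 /protectFile'),
    ProcEvent(2500, 3204, WATCHDOG, f'"{WATCHDOG}" /watchProcess "{ORCUS}" 3704 "/protectFile"'),
    ProcEvent(1820, 1000, ORCUS, f'"{ORCUS}"'),
]

# /launchSelfAndExit <path> <pid> ... : bootstrap copy that re-spawns itself and exits
# /watchProcess <path> <pid> ...      : long-lived copy guarding <pid> / <path>
WATCHDOG_RE = re.compile(r'/(launchSelfAndExit|watchProcess)\s+"([^"]+)"\s+(\d+)', re.I)


def find_watchdog_chains(events):
    """One finding per watchdog-style command line, cross-checked against the tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        m = WATCHDOG_RE.search(e.cmdline)
        if not m:
            continue
        mode, guarded_path, guarded_pid = m.group(1), m.group(2), int(m.group(3))
        guarded = by_pid.get(guarded_pid)
        parent = by_pid.get(e.ppid)
        findings.append({
            "pid": e.pid,
            "mode": mode,
            "guarded_pid": guarded_pid,
            # the PID on the command line really is a running copy of the guarded binary
            "guarded_pid_matches": guarded is not None and guarded.image.lower() == guarded_path.lower(),
            # the guarded process started this watchdog itself (Orcus.exe -> OrcusWatchdog.exe)
            "spawned_by_guarded": e.ppid == guarded_pid,
            # the watchdog re-spawned itself (OrcusWatchdog.exe -> OrcusWatchdog.exe)
            "self_respawn": parent is not None and parent.image.lower() == e.image.lower(),
        })
    return findings


def orphaned_copies(events, image):
    """PIDs running `image` whose parent is absent from the telemetry (PID 1820 here)."""
    known = {e.pid for e in events}
    return sorted(e.pid for e in events
                  if e.image.lower() == image.lower() and e.ppid not in known)


if __name__ == "__main__":
    for f in find_watchdog_chains(SAMPLE_EVENTS):
        print(f)
    print("Orcus.exe copies with an untracked parent:", orphaned_copies(SAMPLE_EVENTS, ORCUS))
```

In real telemetry the same two checks apply unchanged: a `/watchProcess` instance whose parent is another copy of the same binary, guarding a PID that really is the configured install path, is the signature of this chain regardless of where the operator pointed install_path.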

Network

  • DNS [geo: US]
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82.deploy.static.akamaitechnologies.com
  • DNS [geo: US]
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    live-promotions.gl.at.ply.gg
    Orcus.exe
    Remote address:
    8.8.8.8:53
    Request
    live-promotions.gl.at.ply.gg
    IN A
    Response
    live-promotions.gl.at.ply.gg
    IN A
    147.185.221.19
  • DNS [geo: US]
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • GET [geo: US]
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8L_FPr0SW5GJrtDtjBdSakzVUCUz6EGM19I2MzuobIOWv1JQ4yhw9OXGhiSrnzipVBbnwiSkW5h7_558bLuOc8zsuPVuvI64uIUzwTeywL4ow235gDVbaCRoIGCWuIG9KHXasxcP3bpb6iZQm4_JmrFOrTihx7soiihcnpkjS7d690z5-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D374a0f3f1df71576bd2f69047f62e593&TIME=20240508T113234Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8L_FPr0SW5GJrtDtjBdSakzVUCUz6EGM19I2MzuobIOWv1JQ4yhw9OXGhiSrnzipVBbnwiSkW5h7_558bLuOc8zsuPVuvI64uIUzwTeywL4ow235gDVbaCRoIGCWuIG9KHXasxcP3bpb6iZQm4_JmrFOrTihx7soiihcnpkjS7d690z5-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D374a0f3f1df71576bd2f69047f62e593&TIME=20240508T113234Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=089529691A9B63B02DDA3DE41BBC6285; domain=.bing.com; expires=Sun, 22-Jun-2025 01:13:09 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: DD02D61DD35346C6934376A5848D8396 Ref B: LON04EDGE0722 Ref C: 2024-05-28T01:13:09Z
    date: Tue, 28 May 2024 01:13:08 GMT
  • GET [geo: US]
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8L_FPr0SW5GJrtDtjBdSakzVUCUz6EGM19I2MzuobIOWv1JQ4yhw9OXGhiSrnzipVBbnwiSkW5h7_558bLuOc8zsuPVuvI64uIUzwTeywL4ow235gDVbaCRoIGCWuIG9KHXasxcP3bpb6iZQm4_JmrFOrTihx7soiihcnpkjS7d690z5-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D374a0f3f1df71576bd2f69047f62e593&TIME=20240508T113234Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8L_FPr0SW5GJrtDtjBdSakzVUCUz6EGM19I2MzuobIOWv1JQ4yhw9OXGhiSrnzipVBbnwiSkW5h7_558bLuOc8zsuPVuvI64uIUzwTeywL4ow235gDVbaCRoIGCWuIG9KHXasxcP3bpb6iZQm4_JmrFOrTihx7soiihcnpkjS7d690z5-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D374a0f3f1df71576bd2f69047f62e593&TIME=20240508T113234Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=089529691A9B63B02DDA3DE41BBC6285; _EDGE_S=SID=196BCFCFE6B76EDE100FDB42E71D6F1B
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=u2339xjr7esRrAmF3IAXxhNYt8beQ-86DbUHUre9P14; domain=.bing.com; expires=Sun, 22-Jun-2025 01:13:09 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C18A39B4D82B4B2398BBB3E733168E8F Ref B: LON04EDGE0722 Ref C: 2024-05-28T01:13:09Z
    date: Tue, 28 May 2024 01:13:09 GMT
  • GET [geo: NL]
    https://www.bing.com/aes/c.gif?RG=cc55513055fc4b5fa5b31d29c578b761&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113234Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    Remote address:
    23.62.61.97:443
    Request
    GET /aes/c.gif?RG=cc55513055fc4b5fa5b31d29c578b761&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113234Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=089529691A9B63B02DDA3DE41BBC6285
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 381C2A5996194DD4948CB329AC850FB0 Ref B: DUS30EDGE0813 Ref C: 2024-05-28T01:13:09Z
    content-length: 0
    date: Tue, 28 May 2024 01:13:09 GMT
    set-cookie: _EDGE_S=SID=196BCFCFE6B76EDE100FDB42E71D6F1B; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=089529691A9B63B02DDA3DE41BBC6285; path=/; httponly; expires=Sun, 22-Jun-2025 01:13:09 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.5d3d3e17.1716858789.4934a3d
  • DNS [geo: US]
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • GET [geo: NL]
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.97:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=089529691A9B63B02DDA3DE41BBC6285; _EDGE_S=SID=196BCFCFE6B76EDE100FDB42E71D6F1B; MSPTC=u2339xjr7esRrAmF3IAXxhNYt8beQ-86DbUHUre9P14; MUIDB=089529691A9B63B02DDA3DE41BBC6285
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Tue, 28 May 2024 01:13:10 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.5d3d3e17.1716858790.4934ac0
  • DNS [geo: US]
    97.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.61.62.23.in-addr.arpa
    IN PTR
    Response
    97.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-97.deploy.static.akamaitechnologies.com
  • DNS [geo: US]
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS [geo: US]
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • GET [geo: US]
    https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 627437
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 12D0A1A796E2493CAB55D2AE104CB958 Ref B: LON04EDGE1220 Ref C: 2024-05-28T01:14:48Z
    date: Tue, 28 May 2024 01:14:47 GMT
  • GET [geo: US]
    https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 792794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FE376CED152D4917B66F9E5A13675A16 Ref B: LON04EDGE1220 Ref C: 2024-05-28T01:14:48Z
    date: Tue, 28 May 2024 01:14:47 GMT
  • DNS [geo: US]
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8L_FPr0SW5GJrtDtjBdSakzVUCUz6EGM19I2MzuobIOWv1JQ4yhw9OXGhiSrnzipVBbnwiSkW5h7_558bLuOc8zsuPVuvI64uIUzwTeywL4ow235gDVbaCRoIGCWuIG9KHXasxcP3bpb6iZQm4_JmrFOrTihx7soiihcnpkjS7d690z5-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D374a0f3f1df71576bd2f69047f62e593&TIME=20240508T113234Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    tls, http2
    2.5kB
    8.9kB
    19
    15

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8L_FPr0SW5GJrtDtjBdSakzVUCUz6EGM19I2MzuobIOWv1JQ4yhw9OXGhiSrnzipVBbnwiSkW5h7_558bLuOc8zsuPVuvI64uIUzwTeywL4ow235gDVbaCRoIGCWuIG9KHXasxcP3bpb6iZQm4_JmrFOrTihx7soiihcnpkjS7d690z5-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D374a0f3f1df71576bd2f69047f62e593&TIME=20240508T113234Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8L_FPr0SW5GJrtDtjBdSakzVUCUz6EGM19I2MzuobIOWv1JQ4yhw9OXGhiSrnzipVBbnwiSkW5h7_558bLuOc8zsuPVuvI64uIUzwTeywL4ow235gDVbaCRoIGCWuIG9KHXasxcP3bpb6iZQm4_JmrFOrTihx7soiihcnpkjS7d690z5-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D374a0f3f1df71576bd2f69047f62e593&TIME=20240508T113234Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204
  • 23.62.61.97:443
    https://www.bing.com/aes/c.gif?RG=cc55513055fc4b5fa5b31d29c578b761&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113234Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    tls, http2
    1.4kB
    5.3kB
    16
    10

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=cc55513055fc4b5fa5b31d29c578b761&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113234Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

    HTTP Response

    200
  • 23.62.61.97:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.3kB
    17
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    52.8kB
    1.5MB
    1084
    1080

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    260 B
    5
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    208 B
    4
  • 147.185.221.19:51701
    live-promotions.gl.at.ply.gg
    Orcus.exe
    52 B
    1
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    live-promotions.gl.at.ply.gg
    dns
    Orcus.exe
    74 B
    90 B
    1
    1

    DNS Request

    live-promotions.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    97.61.62.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    97.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa
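
Two things in the connection list deserve a closer look. First, the twelve connections from Orcus.exe to 147.185.221.19:51701 (the ply.gg hostname is a playit.gg tunnel endpoint, so the address is the tunnel provider's edge rather than the operator's own host) consist only of 52-byte packets with nothing recorded in return: 260 B / 5 packets each, then 208 B / 4 and 52 B / 1 as the run ends. 52 bytes is the on-the-wire size of an IPv4 TCP SYN carrying Windows' default options, so the reading adopted here, which the report itself does not state, is that the C2 never answered and what was captured is the implant's reconnect loop (reconnect_delay 10000 ms in the config) retrying the handshake. Second, the bing.com requests carry the WindowsShellClient and Edge user agents and are attributed to no sample process, so they are sandbox background traffic from Windows itself, not sample activity. The script below is an added example, not tria.ge or Orcus code, that separates the two: it groups flows by destination, classifies each as an unanswered SYN burst or a real exchange, and tests the spacing between attempts against the configured delay. Timestamps are constructed, because the report gives none, on the assumption that attempts were roughly reconnect_delay apart; byte and packet counts are the report's.

```python
"""Characterise the sample's repeated C2 connections and separate them from
sandbox background traffic.

Added example (not tria.ge or Orcus code). Byte/packet counts come from the
report's connection list; rx bytes are 0 where the report shows none.
Timestamps are constructed (the report has none) assuming attempts spaced by
the configured reconnect_delay of 10 s.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds from start of capture (constructed)
    dst: str
    dport: int
    process: str     # '' where the report attributes the flow to no sample process
    tx_bytes: int
    tx_pkts: int
    rx_bytes: int


C2 = ("147.185.221.19", 51701)
C2_FLOWS = (
    [Flow(10.0 * i, *C2, "Orcus.exe", 260, 5, 0) for i in range(10)]
    + [Flow(100.0, *C2, "Orcus.exe", 208, 4, 0),   # last two bursts cut short by the end of the run
       Flow(110.0, *C2, "Orcus.exe", 52, 1, 0)]
)
# Three of the bing.com flows from the report (TLS/HTTP2, no sample process listed).
BACKGROUND = [
    Flow(1.0, "204.79.197.237", 443, "", 2500, 19, 8900),
    Flow(1.5, "23.62.61.97", 443, "", 1400, 16, 5300),
    Flow(99.0, "204.79.197.200", 443, "", 52800, 1084, 1_500_000),
]

IPV4_TCP_SYN_LEN = 52  # 20-byte IPv4 header + 20-byte TCP header + 12 bytes of SYN options


def classify(flow):
    """'unanswered_syn' when every packet sent is SYN-sized and nothing came back."""
    if (flow.rx_bytes == 0 and flow.tx_pkts > 0
            and flow.tx_bytes == flow.tx_pkts * IPV4_TCP_SYN_LEN):
        return "unanswered_syn"
    return "exchange"


def beacon_candidates(flows, expected_delay_s, tolerance=0.25, min_attempts=5):
    """Group flows per destination and compare inter-attempt spacing to the configured delay."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[(f.dst, f.dport)].append(f)
    result = {}
    for key, group in by_dst.items():
        if len(group) < min_attempts:
            continue
        group.sort(key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(group, group[1:])]
        med = median(gaps)
        result[key] = {
            "attempts": len(group),
            "median_gap_s": med,
            "matches_reconnect_delay": abs(med - expected_delay_s) <= tolerance * expected_delay_s,
            "states": sorted({classify(f) for f in group}),
            "processes": sorted({f.process for f in group if f.process}),
            "tx_packets": sum(f.tx_pkts for f in group),
        }
    return result


if __name__ == "__main__":
    for dst, info in beacon_candidates(C2_FLOWS + BACKGROUND, expected_delay_s=10.0).items():
        print(dst, info)
```

On live data the useful signal is the combination: a process-attributed destination that is hit at a steady interval close to the extracted reconnect_delay, with either an unanswered SYN burst (C2 down, as here) or small symmetric exchanges (C2 up) on every attempt; the single-shot, high-volume CDN fetches never survive the min_attempts filter.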

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Orcus\Orcus.exe

    Filesize

    917KB

    MD5

    ee128fdc0c14610f0e94610332c8f189

    SHA1

    d29af3db2e278549e22fa7b8bd939b581b34150c

    SHA256

    4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0

    SHA512

    884fd9316c51a91c2fba4222bfed7a4667fffc056715cda7591d49ab26e2c161365451123b667ab6fe4a1269b139aeba6f02ee460173fda7b8cee8e10918e9fd

  • C:\Program Files (x86)\Orcus\Orcus.exe.config

    Filesize

    357B

    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

  • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

    Filesize

    9KB

    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

  • C:\Users\Admin\AppData\Roaming\Orcus\err_3c04931e3f454403ae52495677e37b6f.dat

    Filesize

    1KB

    MD5

    7dcb3cd9e246bd465dd87833d0ce2950

    SHA1

    e96b8ff8d547192b0e53131ae3176e04ec6bf988

    SHA256

    71bd5fd4c97f6be5361dd23d0a455af33e5666b96b6a25f4bd985a80a1817824

    SHA512

    d1ea6f4398055a4512a4d18b0683ee67a72efdb4ad8ceaf84dbcd8fde4e86a12a352c9c684d4db632ee89bf0b1a02958080ef683fc5d2fb3c2a2559e5743d3ef

  • memory/1820-40-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/1820-42-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/1820-62-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/3204-57-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

    Filesize

    32KB

  • memory/3704-43-0x0000000007920000-0x000000000792A000-memory.dmp

    Filesize

    40KB

  • memory/3704-33-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/3704-64-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/3704-63-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/3704-41-0x0000000007370000-0x0000000007380000-memory.dmp

    Filesize

    64KB

  • memory/3704-38-0x00000000071C0000-0x00000000071D8000-memory.dmp

    Filesize

    96KB

  • memory/3704-37-0x00000000069C0000-0x0000000006A0E000-memory.dmp

    Filesize

    312KB

  • memory/3704-34-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/4424-5-0x0000000005A30000-0x0000000005FD4000-memory.dmp

    Filesize

    5.6MB

  • memory/4424-9-0x00000000057C0000-0x00000000057C8000-memory.dmp

    Filesize

    32KB

  • memory/4424-4-0x0000000005140000-0x000000000519C000-memory.dmp

    Filesize

    368KB

  • memory/4424-10-0x0000000005850000-0x00000000058B6000-memory.dmp

    Filesize

    408KB

  • memory/4424-3-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/4424-15-0x00000000060F0000-0x00000000061FA000-memory.dmp

    Filesize

    1.0MB

  • memory/4424-14-0x00000000059C0000-0x0000000005A0C000-memory.dmp

    Filesize

    304KB

  • memory/4424-0-0x000000007539E000-0x000000007539F000-memory.dmp

    Filesize

    4KB

  • memory/4424-13-0x0000000005980000-0x00000000059BC000-memory.dmp

    Filesize

    240KB

  • memory/4424-32-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

  • memory/4424-6-0x00000000052A0000-0x0000000005332000-memory.dmp

    Filesize

    584KB

  • memory/4424-2-0x0000000002A30000-0x0000000002A3E000-memory.dmp

    Filesize

    56KB

  • memory/4424-8-0x0000000005460000-0x0000000005468000-memory.dmp

    Filesize

    32KB

  • memory/4424-1-0x00000000007E0000-0x00000000008CA000-memory.dmp

    Filesize

    936KB

  • memory/4424-7-0x0000000005450000-0x0000000005462000-memory.dmp

    Filesize

    72KB

  • memory/4424-12-0x0000000005920000-0x0000000005932000-memory.dmp

    Filesize

    72KB

  • memory/4424-11-0x0000000006600000-0x0000000006C18000-memory.dmp

    Filesize

    6.1MB
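
Read together, the extracted config and the dropped-file list line up almost one to one, and the places where they differ are informative: the configured install_path `%programfiles%\Orcus\Orcus.exe` materialised under `C:\Program Files (x86)` because a 32-bit process resolves %ProgramFiles% to the (x86) tree under WOW64; the dropped Orcus.exe has the same SHA256 as the submitted file, so the installer copies itself rather than unpacking a separate payload; the error log name `err_3c04931e3f454403ae52495677e37b6f.dat` embeds the configured mutex; and the `CLR_v4.0_32\UsageLogs` entry is written by the .NET runtime for a 32-bit .NET 4 process, not by anything in the config. The Python below is an added example, not tria.ge or Orcus code: it derives the host artifacts a config of this shape predicts and reconciles them with what was observed. The drive letter, the Admin profile root, the mapping of `AppData\` to the roaming profile, the `Orcus` folder name of the error log and the `.config` file beside the binary are assumptions taken from this one run.

```python
"""Derive the host artifacts an extracted Orcus config predicts and reconcile
them with the files the sandbox actually saw written.

Added example (not tria.ge or Orcus code). CONFIG, DROPPED and SUBMITTED_SHA256
are copied from the report; the derivation rules and their assumptions are the
editor's.
"""
import ntpath

CONFIG = {
    "mutex": "3c04931e3f454403ae52495677e37b6f",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
}

SUBMITTED_SHA256 = "4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0"

# Files listed under Downloads in the report, with their SHA256.
DROPPED = {
    r"C:\Program Files (x86)\Orcus\Orcus.exe":
        "4ee61198bf5742ab2497f9034e73299052e4cf8d6f04ef72393f07ff8ca27dc0",
    r"C:\Program Files (x86)\Orcus\Orcus.exe.config":
        "f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839",
    r"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe":
        "8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a",
    r"C:\Users\Admin\AppData\Roaming\Orcus\err_3c04931e3f454403ae52495677e37b6f.dat":
        "71bd5fd4c97f6be5361dd23d0a455af33e5666b96b6a25f4bd985a80a1817824",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log":
        "34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb",
}

# A 32-bit process sees %programfiles% as the (x86) tree under WOW64, which is why the
# configured path landed in "Program Files (x86)"; hunt both trees, not the literal.
PROGRAM_FILES_TREES = (r"C:\Program Files", r"C:\Program Files (x86)")


def expected_artifacts(cfg, user="Admin"):
    """Map lower-cased expected path -> role. Drive letter and profile root are assumptions."""
    expected = {}
    tail = cfg["install_path"].lower().replace("%programfiles%", "", 1)   # '\orcus\orcus.exe'
    for tree in PROGRAM_FILES_TREES:
        expected[(tree + tail).lower()] = "install_path"
        expected[(tree + tail + ".config").lower()] = "install_path .config"  # seen beside the binary here
    roaming = ntpath.join(r"C:\Users", user, "AppData", "Roaming")
    watchdog = cfg["watchdog_path"]
    if watchdog.lower().startswith("appdata\\"):
        # 'AppData\' in the config resolved to the roaming profile in this run
        watchdog = ntpath.join(roaming, watchdog[len("AppData\\"):])
    expected[watchdog.lower()] = "watchdog_path"
    # Error log is named after the mutex; the 'Orcus' folder name is as observed in this run.
    err_log = ntpath.join(roaming, "Orcus", f"err_{cfg['mutex']}.dat")
    expected[err_log.lower()] = "error log (named after mutex)"
    return expected


def reconcile(cfg, dropped, submitted_sha256, user="Admin"):
    """Which predicted roles were seen, which files were not predicted, and whether the
    installed binary is a byte-identical copy of the submitted sample."""
    expected = expected_artifacts(cfg, user)
    dropped_lower = {p.lower(): h for p, h in dropped.items()}
    roles_found = {role for path, role in expected.items() if path in dropped_lower}
    install_hashes = {dropped_lower[p] for p, role in expected.items()
                      if role == "install_path" and p in dropped_lower}
    return {
        "roles_found": roles_found,
        "roles_missing": set(expected.values()) - roles_found,
        "unexpected": sorted(p for p in dropped if p.lower() not in expected),
        "self_copy": submitted_sha256 in install_hashes,
    }


if __name__ == "__main__":
    for k, v in reconcile(CONFIG, DROPPED, SUBMITTED_SHA256).items():
        print(f"{k}: {v}")
```

The one "unexpected" path the reconciliation returns is the CLR usage log, which is worth keeping as an artifact in its own right: it is a runtime side effect of a 32-bit .NET 4 assembly named OrcusWatchdog.exe having executed, and it is written under the user's local profile even if the watchdog binary itself is later deleted.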
