Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/06/2024, 01:05 UTC

General

  • Target

    d6733905474e09a72f9d54a5f36046e3b98417b2332d4b4f2451981c32cbe3be.exe

  • Size

    920KB

  • MD5

    fab0a2c77bda98e6c958a21680f32a7a

  • SHA1

    6aa4cd576faa20fad993aafe960cfba3f50d177a

  • SHA256

    d6733905474e09a72f9d54a5f36046e3b98417b2332d4b4f2451981c32cbe3be

  • SHA512

    77625408955c571b83172623eec9bba6a715da00192646b71a80a6ce7bff9b237df892672013aef5df45b356c55d8b50d93951aef9562020e2eeecf00c89b64e

  • SSDEEP

    24576:++A4MROxnFt3kcfrrcI0AilFEvxHPUCooN:+YMijFrrcI0AilFEvxHPU

Malware Config

Extracted

Family

orcus

C2

192.168.56.1:6969

Mutex

7a0301b502164f309e37ed4746914dc2

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\csgo.exe
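
The extracted configuration above is only useful on a host once its relative and environment-dependent values are resolved. The following Python is an added example (not part of the Triage report and not Orcus code) that turns the config into concrete host artefacts. It assumes the dropper is a 32-bit process, which the SysWOW64 and "Program Files (x86)" paths in the process tree below support, and it assumes the config's "AppData" prefix means the roaming profile, which the report confirms for this run. The Run-key hive list is a set of candidates, since the report only says a Run key was added.

```python
# Orcus RAT configuration as listed in this report's Malware Config section.
ORCUS_CONFIG = {
    "c2": "192.168.56.1:6969",
    "mutex": "7a0301b502164f309e37ed4746914dc2",
    "autostart_method": "Registry",
    "enable_keylogger": True,
    "install_path": "%programfiles%\\Orcus\\Orcus.exe",
    "reconnect_delay": 10000,  # milliseconds
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
    "watchdog_path": "AppData\\csgo.exe",
}

# Candidate Run keys (assumption: the report says "Adds Run key", not which
# hive). On an x64 host a 32-bit writer's HKLM Run value lands under WOW6432Node.
RUN_KEY_CANDIDATES = (
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
)


def resolve_install_path(install_path, process_is_32bit=True):
    """Expand %programfiles% the way the installing process sees it.

    The dropper is 32-bit (its helper lands in SysWOW64 in the process tree), so
    under WOW64 on an x64 host %programfiles% expands to C:\\Program Files (x86),
    which is where the report shows Orcus.exe running from.
    """
    program_files = "C:\\Program Files (x86)" if process_is_32bit else "C:\\Program Files"
    return install_path.replace("%programfiles%", program_files)


def resolve_watchdog_path(watchdog_path, user="Admin"):
    """Resolve the config's relative 'AppData\\...' watchdog path.

    Assumption: the 'AppData' prefix means the roaming profile (%APPDATA%); the
    report confirms this for this run (C:\\Users\\Admin\\AppData\\Roaming\\csgo.exe).
    """
    if watchdog_path.startswith("AppData\\"):
        relative = watchdog_path.split("\\", 1)[1]
    else:
        relative = watchdog_path
    return "C:\\Users\\" + user + "\\AppData\\Roaming\\" + relative


def host_iocs(cfg, user="Admin", process_is_32bit=True):
    """Turn the extracted config into concrete artefacts to hunt for on a host."""
    return {
        "install_path": resolve_install_path(cfg["install_path"], process_is_32bit),
        "watchdog_path": resolve_watchdog_path(cfg["watchdog_path"], user),
        "run_value_name": cfg["registry_keyname"],
        "run_key_candidates": RUN_KEY_CANDIDATES,
        "scheduled_task": cfg["taskscheduler_taskname"],
        "mutex": cfg["mutex"],
        "reconnect_delay_s": cfg["reconnect_delay"] / 1000,
    }


def max_reconnect_attempts(cfg, window_seconds):
    """Upper bound on C2 connection attempts in an analysis window, assuming each
    attempt fails at once and the bot sleeps reconnect_delay between attempts."""
    return int(window_seconds * 1000 // cfg["reconnect_delay"])


if __name__ == "__main__":
    for name, value in host_iocs(ORCUS_CONFIG).items():
        print(f"{name:20} {value}")
    print("max C2 attempts in 151 s:", max_reconnect_attempts(ORCUS_CONFIG, 151))
```

With the report's 151 s network window the bound is 15 attempts; the Network section below lists 12 connections from Orcus.exe to 192.168.56.1:6969, in line with a bot that cannot reach its server and retries every 10 s.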

Signatures

  • Orcus

    Orcus is a commercial Remote Access Trojan (RAT) sold on underground forums.

  • Orcus main payload 1 IoCs
  • Orcus RAT Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely to geofence execution.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6733905474e09a72f9d54a5f36046e3b98417b2332d4b4f2451981c32cbe3be.exe
    "C:\Users\Admin\AppData\Local\Temp\d6733905474e09a72f9d54a5f36046e3b98417b2332d4b4f2451981c32cbe3be.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:3624
    • C:\Program Files (x86)\Orcus\Orcus.exe
      "C:\Program Files (x86)\Orcus\Orcus.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Users\Admin\AppData\Roaming\csgo.exe
        "C:\Users\Admin\AppData\Roaming\csgo.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 4072
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Users\Admin\AppData\Roaming\csgo.exe
          "C:\Users\Admin\AppData\Roaming\csgo.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 4072
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:540
  • C:\Program Files (x86)\Orcus\Orcus.exe
    "C:\Program Files (x86)\Orcus\Orcus.exe"
    1⤵
    • Executes dropped EXE
    PID:2816
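
The process tree above exposes the behaviour that matters for detection: a dropped helper registering itself with `WindowsInput.exe --install` from SysWOW64, the implant running from the configured install path, and the csgo.exe watchdog launched with `/launchSelfAndExit` and then `/watchProcess`, each passed the implant's path and PID. The following Python is an added example (not part of the Triage report and not Orcus code) that applies those patterns to process-creation events. The events are constructed to mirror this tree; the dropper's parent and the final notepad event are assumptions added as a control.

```python
import re

DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d6733905474e09a72f9d54a5f36046e3b98417b2332d4b4f2451981c32cbe3be.exe"
ORCUS = "C:\\Program Files (x86)\\Orcus\\Orcus.exe"
WATCHDOG = "C:\\Users\\Admin\\AppData\\Roaming\\csgo.exe"
WININPUT = "C:\\Windows\\SysWOW64\\WindowsInput.exe"

# Constructed process-creation events modelled on this report's process tree
# (Sysmon Event ID 1 / EDR telemetry carries the same fields). The dropper's
# parent and the final benign event are assumptions added as controls.
EVENTS = [
    {"pid": 2144, "image": DROPPER, "cmdline": f'"{DROPPER}"', "parent": "C:\\Windows\\explorer.exe"},
    {"pid": 3624, "image": WININPUT, "cmdline": f'"{WININPUT}" --install', "parent": DROPPER},
    {"pid": 4072, "image": ORCUS, "cmdline": f'"{ORCUS}"', "parent": DROPPER},
    {"pid": 3652, "image": WATCHDOG, "cmdline": f'"{WATCHDOG}" /launchSelfAndExit "{ORCUS}" 4072', "parent": ORCUS},
    {"pid": 2984, "image": WATCHDOG, "cmdline": f'"{WATCHDOG}" /watchProcess "{ORCUS}" 4072', "parent": WATCHDOG},
    {"pid": 5000, "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": '"C:\\Windows\\System32\\notepad.exe" C:\\Users\\Admin\\notes.txt',
     "parent": "C:\\Windows\\explorer.exe"},
]

# Orcus watchdog switches: the helper is told which binary and PID to guard.
WATCHDOG_RE = re.compile(r'/(launchSelfAndExit|watchProcess)\s+"([^"]+)"\s+(\d+)', re.IGNORECASE)
# The dropped WindowsInput.exe registering itself. The report lists it as a
# dropped file, so it is not a Windows component despite living in SysWOW64.
WININPUT_INSTALL_RE = re.compile(r'\\WindowsInput\.exe"?\s+--install\b', re.IGNORECASE)
# The config's default install path, as resolved on this host.
ORCUS_IMAGE_RE = re.compile(r'\\Orcus\\Orcus\.exe$', re.IGNORECASE)


def detect(events):
    """Return (pid, rule, details) for every event matching an Orcus pattern."""
    hits = []
    for ev in events:
        m = WATCHDOG_RE.search(ev["cmdline"])
        if m:
            hits.append((ev["pid"], "orcus_watchdog",
                         {"switch": m.group(1), "guarded_image": m.group(2), "guarded_pid": int(m.group(3))}))
        if WININPUT_INSTALL_RE.search(ev["cmdline"]):
            hits.append((ev["pid"], "windowsinput_install", {"image": ev["image"]}))
        if ORCUS_IMAGE_RE.search(ev["image"]):
            hits.append((ev["pid"], "orcus_install_path", {"image": ev["image"]}))
    return hits


def watchdog_targets(hits):
    """Map each guarded PID to the watchdog PIDs attached to it. The config names
    csgo.exe the watchdog, so responders should stop the watchdogs before the
    implant or expect it to be relaunched."""
    targets = {}
    for pid, rule, details in hits:
        if rule == "orcus_watchdog":
            targets.setdefault(details["guarded_pid"], []).append(pid)
    return targets


if __name__ == "__main__":
    hits = detect(EVENTS)
    for pid, rule, details in hits:
        print(pid, rule, details)
    print("watchdogs per guarded pid:", watchdog_targets(hits))
```

The command-line switches are the most portable signal here: the install directory and watchdog file name come from the builder config and change between samples, while the `/watchProcess "<path>" <pid>` shape is what the watchdog mechanism needs to work.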

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8WTtPCI8LWz6aeFyptcjj1zVUCUxCuII5swrZF6VDtv4BbUCLBIgWzBizECutd0Je0PTnurED4E6UOLg6B80i59I-bFlUXV9nEliRYBCctOZ2AXSsWqw68tgMLMOpDMNf-ybthVHKo1NAeyx52wkaG8L042nUL1f4tFMe2gCm2MSA5s7W%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D19d50ef27e62109db377689adb0d095f&TIME=20240611T192917Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321&muid=C1FAC51E94ABDC02D5235673D6AE25E6
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8WTtPCI8LWz6aeFyptcjj1zVUCUxCuII5swrZF6VDtv4BbUCLBIgWzBizECutd0Je0PTnurED4E6UOLg6B80i59I-bFlUXV9nEliRYBCctOZ2AXSsWqw68tgMLMOpDMNf-ybthVHKo1NAeyx52wkaG8L042nUL1f4tFMe2gCm2MSA5s7W%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D19d50ef27e62109db377689adb0d095f&TIME=20240611T192917Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321&muid=C1FAC51E94ABDC02D5235673D6AE25E6 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=33B43335D88B63F61E03279DD930629E; domain=.bing.com; expires=Sat, 19-Jul-2025 01:05:33 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2EBE1A06CCA54EAFA207976E1ADF8555 Ref B: LON04EDGE0915 Ref C: 2024-06-24T01:05:33Z
    date: Mon, 24 Jun 2024 01:05:33 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8WTtPCI8LWz6aeFyptcjj1zVUCUxCuII5swrZF6VDtv4BbUCLBIgWzBizECutd0Je0PTnurED4E6UOLg6B80i59I-bFlUXV9nEliRYBCctOZ2AXSsWqw68tgMLMOpDMNf-ybthVHKo1NAeyx52wkaG8L042nUL1f4tFMe2gCm2MSA5s7W%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D19d50ef27e62109db377689adb0d095f&TIME=20240611T192917Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321&muid=C1FAC51E94ABDC02D5235673D6AE25E6
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8WTtPCI8LWz6aeFyptcjj1zVUCUxCuII5swrZF6VDtv4BbUCLBIgWzBizECutd0Je0PTnurED4E6UOLg6B80i59I-bFlUXV9nEliRYBCctOZ2AXSsWqw68tgMLMOpDMNf-ybthVHKo1NAeyx52wkaG8L042nUL1f4tFMe2gCm2MSA5s7W%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D19d50ef27e62109db377689adb0d095f&TIME=20240611T192917Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321&muid=C1FAC51E94ABDC02D5235673D6AE25E6 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=33B43335D88B63F61E03279DD930629E; _EDGE_S=SID=3942ED2094A3670D16C4F98895006644
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=MvIrD9N0JehD8uBZTwrOpdKiNvqBlpx_Ej75AC5GlN4; domain=.bing.com; expires=Sat, 19-Jul-2025 01:05:33 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E428FAC55F5A45CAB7219D6E7527DDA0 Ref B: LON04EDGE0915 Ref C: 2024-06-24T01:05:33Z
    date: Mon, 24 Jun 2024 01:05:33 GMT
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://www.bing.com/aes/c.gif?RG=0417aa179a134ee58552e2fef1d77b0b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192917Z&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321
    Remote address:
    23.62.61.194:443
    Request
    GET /aes/c.gif?RG=0417aa179a134ee58552e2fef1d77b0b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192917Z&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=33B43335D88B63F61E03279DD930629E
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2B1547925C8D49CCB5E059F6CA417AAE Ref B: AMS04EDGE1720 Ref C: 2024-06-24T01:05:33Z
    content-length: 0
    date: Mon, 24 Jun 2024 01:05:33 GMT
    set-cookie: _EDGE_S=SID=3942ED2094A3670D16C4F98895006644; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=33B43335D88B63F61E03279DD930629E; path=/; httponly; expires=Sat, 19-Jul-2025 01:05:33 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.be3d3e17.1719191133.bb0a220
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    194.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.61.62.23.in-addr.arpa
    IN PTR
    Response
    194.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-194.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239382024609_1CYOH0B0B4OJCVK1C&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239382024609_1CYOH0B0B4OJCVK1C&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 682798
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FC2E2C72DC8343F092493842742D4D76 Ref B: LON04EDGE1112 Ref C: 2024-06-24T01:07:16Z
    date: Mon, 24 Jun 2024 01:07:15 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 351304
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6AA0DEC4036C4E30A2A4B8DB05BB26AD Ref B: LON04EDGE1112 Ref C: 2024-06-24T01:07:16Z
    date: Mon, 24 Jun 2024 01:07:15 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 218874
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7C2644387778486DA76F9054BDC33CF7 Ref B: LON04EDGE1112 Ref C: 2024-06-24T01:07:16Z
    date: Mon, 24 Jun 2024 01:07:15 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239382024608_138693VD99KTS9T95&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239382024608_138693VD99KTS9T95&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 664406
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 90B1F1887E294D948A004ADD707640CE Ref B: LON04EDGE1112 Ref C: 2024-06-24T01:07:16Z
    date: Mon, 24 Jun 2024 01:07:15 GMT
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    211.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.143.182.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8WTtPCI8LWz6aeFyptcjj1zVUCUxCuII5swrZF6VDtv4BbUCLBIgWzBizECutd0Je0PTnurED4E6UOLg6B80i59I-bFlUXV9nEliRYBCctOZ2AXSsWqw68tgMLMOpDMNf-ybthVHKo1NAeyx52wkaG8L042nUL1f4tFMe2gCm2MSA5s7W%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D19d50ef27e62109db377689adb0d095f&TIME=20240611T192917Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321&muid=C1FAC51E94ABDC02D5235673D6AE25E6
    tls, http2
    3.3kB
    9.1kB
    21
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8WTtPCI8LWz6aeFyptcjj1zVUCUxCuII5swrZF6VDtv4BbUCLBIgWzBizECutd0Je0PTnurED4E6UOLg6B80i59I-bFlUXV9nEliRYBCctOZ2AXSsWqw68tgMLMOpDMNf-ybthVHKo1NAeyx52wkaG8L042nUL1f4tFMe2gCm2MSA5s7W%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D19d50ef27e62109db377689adb0d095f&TIME=20240611T192917Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321&muid=C1FAC51E94ABDC02D5235673D6AE25E6

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8WTtPCI8LWz6aeFyptcjj1zVUCUxCuII5swrZF6VDtv4BbUCLBIgWzBizECutd0Je0PTnurED4E6UOLg6B80i59I-bFlUXV9nEliRYBCctOZ2AXSsWqw68tgMLMOpDMNf-ybthVHKo1NAeyx52wkaG8L042nUL1f4tFMe2gCm2MSA5s7W%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D19d50ef27e62109db377689adb0d095f&TIME=20240611T192917Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321&muid=C1FAC51E94ABDC02D5235673D6AE25E6

    HTTP Response

    204
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 23.62.61.194:443
    https://www.bing.com/aes/c.gif?RG=0417aa179a134ee58552e2fef1d77b0b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192917Z&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321
    tls, http2
    1.5kB
    5.5kB
    17
    15

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=0417aa179a134ee58552e2fef1d77b0b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T192917Z&adUnitId=11730597&localId=w:C1FAC51E-94AB-DC02-D523-5673D6AE25E6&deviceId=6896198597095321

    HTTP Response

    200
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.4kB
    6.9kB
    17
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239382024608_138693VD99KTS9T95&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    67.9kB
    2.0MB
    1447
    1440

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239382024609_1CYOH0B0B4OJCVK1C&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239382024608_138693VD99KTS9T95&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    6.9kB
    18
    14
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.4kB
    6.9kB
    17
    13
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    260 B
    5
  • 192.168.56.1:6969
    Orcus.exe
    104 B
    2
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    4.159.190.20.in-addr.arpa

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    194.61.62.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    194.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    211.143.182.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    211.143.182.52.in-addr.arpa
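
Most of the traffic above is not the sample's: the bing.com, bing.net and msedge.net requests carry the WindowsShellClient and Edge user agents of a clean Windows 10 image, and the in-addr.arpa queries are reverse lookups of addresses seen in the trace, attributed to no process. What is left is Orcus.exe connecting repeatedly to 192.168.56.1:6969 with only outbound bytes and packets recorded. The following Python is an added example (not part of the Triage report) that separates the two and aggregates the process-initiated connections. The records are constructed from the connection list above; the column order (sent bytes, received bytes, sent packets, received packets) is my reading of the page's unlabelled numbers, the bing URLs are truncated, and None marks a value the report does not show.

```python
import ipaddress
from urllib.parse import urlparse

# Connection records constructed from this report's Network section:
# (remote, process-or-name, tx_bytes, rx_bytes, tx_packets, rx_packets).
# Column meaning is an assumption about the page's unlabelled numbers; None
# where a row lists no value (the Orcus.exe rows show outbound figures only).
RECORDS = [
    ("204.79.197.237:443", "https://g.bing.com/neg/0?action=impression", 3300, 9100, 21, 17),
    ("23.62.61.194:443", "https://www.bing.com/aes/c.gif?RG=0417aa179a134ee58552e2fef1d77b0b", 1500, 5500, 17, 15),
    ("150.171.27.10:443", "tse1.mm.bing.net", 1400, 6900, 17, 13),
    ("8.8.8.8:53", "8.8.8.8.in-addr.arpa", 66, 90, 1, 1),
    ("8.8.8.8:53", "237.197.79.204.in-addr.arpa", 73, 143, 1, 1),
    ("8.8.8.8:53", "g.bing.com", 56, 151, 1, 1),
]
RECORDS += [("192.168.56.1:6969", "Orcus.exe", 260, None, 5, None)] * 11
RECORDS += [("192.168.56.1:6969", "Orcus.exe", 104, None, 2, None)]

# Windows Spotlight / shell telemetry seen in this trace under the
# WindowsShellClient and Edge user agents; treated as OS background noise.
OS_NOISE_SUFFIXES = ("bing.com", "bing.net", "msedge.net")


def _host_of(name):
    return (urlparse(name).hostname or "") if "://" in name else name


def classify(record):
    """Label a record so that only sample-attributed traffic reaches the analyst."""
    remote, name, _tx, _rx, _txp, _rxp = record
    port = remote.rsplit(":", 1)[1]
    if port == "53":
        # PTR queries for addresses seen in the trace; not attributed to any process.
        return "reverse-lookup" if name.endswith(".in-addr.arpa") else "dns"
    if name.lower().endswith(".exe"):
        return "process-initiated"
    host = _host_of(name).lower()
    if any(host == s or host.endswith("." + s) for s in OS_NOISE_SUFFIXES):
        return "os-noise"
    return "other"


def summarize_c2(records):
    """Aggregate process-initiated connections per (process, remote)."""
    summary = {}
    for rec in records:
        if classify(rec) != "process-initiated":
            continue
        remote, proc, tx, rx, _txp, _rxp = rec
        entry = summary.setdefault((proc, remote), {
            "attempts": 0,
            "tx_bytes": 0,
            "answered": False,  # True once any row records received bytes
            "private_dst": ipaddress.ip_address(remote.rsplit(":", 1)[0]).is_private,
        })
        entry["attempts"] += 1
        entry["tx_bytes"] += tx or 0
        entry["answered"] = entry["answered"] or bool(rx)
    return summary


if __name__ == "__main__":
    for rec in RECORDS[:6]:
        print(f"{classify(rec):16} {rec[0]:20} {rec[1][:48]}")
    for (proc, remote), entry in summarize_c2(RECORDS).items():
        print(proc, "->", remote, entry)
```

For this report the summary is a single entry: 12 attempts, 2964 bytes sent, nothing received, destination private. 192.168.56.1 is an RFC 1918 address (the default VirtualBox host-only adapter address), so this build was pointed at the operator's own machine and its C2 is not a usable network indicator; the host artefacts from the config (install path, csgo.exe watchdog, the "Orcus" Run value and scheduled task, the mutex) are what to hunt for.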

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Orcus\Orcus.exe

    Filesize

    920KB

    MD5

    fab0a2c77bda98e6c958a21680f32a7a

    SHA1

    6aa4cd576faa20fad993aafe960cfba3f50d177a

    SHA256

    d6733905474e09a72f9d54a5f36046e3b98417b2332d4b4f2451981c32cbe3be

    SHA512

    77625408955c571b83172623eec9bba6a715da00192646b71a80a6ce7bff9b237df892672013aef5df45b356c55d8b50d93951aef9562020e2eeecf00c89b64e

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csgo.exe.log

    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

  • C:\Users\Admin\AppData\Roaming\csgo.exe

    Filesize

    9KB

    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

  • C:\Windows\SysWOW64\WindowsInput.exe

    Filesize

    21KB

    MD5

    e6fcf516d8ed8d0d4427f86e08d0d435

    SHA1

    c7691731583ab7890086635cb7f3e4c22ca5e409

    SHA256

    8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

    SHA512

    c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

  • C:\Windows\SysWOW64\WindowsInput.exe.config

    Filesize

    357B

    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

  • memory/540-34-0x000000001AB80000-0x000000001AC8A000-memory.dmp

    Filesize

    1.0MB

  • memory/540-33-0x00007FFFF8803000-0x00007FFFF8805000-memory.dmp

    Filesize

    8KB

  • memory/2144-50-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB

  • memory/2144-5-0x0000000006000000-0x00000000065A4000-memory.dmp

    Filesize

    5.6MB

  • memory/2144-8-0x0000000005E50000-0x0000000005E58000-memory.dmp

    Filesize

    32KB

  • memory/2144-7-0x0000000005A30000-0x0000000005A42000-memory.dmp

    Filesize

    72KB

  • memory/2144-6-0x0000000005940000-0x00000000059D2000-memory.dmp

    Filesize

    584KB

  • memory/2144-1-0x0000000000D40000-0x0000000000E2C000-memory.dmp

    Filesize

    944KB

  • memory/2144-9-0x0000000005EA0000-0x0000000005EC2000-memory.dmp

    Filesize

    136KB

  • memory/2144-2-0x00000000032C0000-0x00000000032CE000-memory.dmp

    Filesize

    56KB

  • memory/2144-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

    Filesize

    4KB

  • memory/2144-3-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB

  • memory/2144-4-0x00000000057A0000-0x00000000057FC000-memory.dmp

    Filesize

    368KB

  • memory/3624-23-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

    Filesize

    48KB

  • memory/3624-31-0x00007FFFF83E0000-0x00007FFFF8EA1000-memory.dmp

    Filesize

    10.8MB

  • memory/3624-30-0x00007FFFF83E0000-0x00007FFFF8EA1000-memory.dmp

    Filesize

    10.8MB

  • memory/3624-26-0x000000001BAE0000-0x000000001BB1C000-memory.dmp

    Filesize

    240KB

  • memory/3624-25-0x000000001B960000-0x000000001B972000-memory.dmp

    Filesize

    72KB

  • memory/3624-24-0x00007FFFF83E3000-0x00007FFFF83E5000-memory.dmp

    Filesize

    8KB

  • memory/3652-71-0x0000000000720000-0x0000000000728000-memory.dmp

    Filesize

    32KB

  • memory/4072-51-0x0000000005650000-0x0000000005662000-memory.dmp

    Filesize

    72KB

  • memory/4072-52-0x00000000061E0000-0x000000000622E000-memory.dmp

    Filesize

    312KB

  • memory/4072-53-0x00000000063A0000-0x00000000063B8000-memory.dmp

    Filesize

    96KB

  • memory/4072-55-0x0000000006750000-0x0000000006912000-memory.dmp

    Filesize

    1.8MB

  • memory/4072-56-0x0000000006580000-0x0000000006590000-memory.dmp

    Filesize

    64KB

  • memory/4072-57-0x0000000006A80000-0x0000000006A8A000-memory.dmp

    Filesize

    40KB
