Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
292s -
max time network
302s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
28/10/2024, 08:30
Behavioral task
behavioral1
Sample
xd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
xd.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
xd.exe
Resource
win11-20241007-en
General
-
Target
xd.exe
-
Size
3.0MB
-
MD5
b8006a0ea8243be30ddbc2009aa05d93
-
SHA1
81df425e729edd90c7b7e50b995803da783557ef
-
SHA256
6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2
-
SHA512
4535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4
-
SSDEEP
49152:6zTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmNMrZEu:6zTtODUKTslWp2MpbfGGilIJPypSbxE8
Malware Config
Extracted
orcus
89.23.100.155:1337
1ff7891fa0904651aeca5ed123954333
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/2252-24-0x000000001CB20000-0x000000001CB2A000-memory.dmp disable_win_def -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Orcus.exe -
Orcus family
-
Orcus main payload 2 IoCs
resource yara_rule behavioral2/files/0x00290000000450bb-438.dat family_orcus behavioral2/files/0x00290000000450ad-451.dat family_orcus -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Orcus.exe -
Orcurs Rat Executable 3 IoCs
resource yara_rule behavioral2/memory/2252-198-0x00000000216F0000-0x00000000219EE000-memory.dmp orcus behavioral2/files/0x00290000000450bb-438.dat orcus behavioral2/files/0x00290000000450ad-451.dat orcus -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation xd.exe Key value queried \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation Orcus.exe -
Executes dropped EXE 1 IoCs
pid Process 2764 Orcus.exe -
Loads dropped DLL 1 IoCs
pid Process 2764 Orcus.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" Orcus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" xd.exe -
pid Process 2072 powershell.exe 1200 powershell.exe 1140 powershell.exe 2548 powershell.exe 1824 powershell.exe 4372 powershell.exe 3064 powershell.exe 4468 powershell.exe 936 powershell.exe 2280 powershell.exe 936 powershell.exe 3744 powershell.exe 440 powershell.exe 2496 powershell.exe 4596 powershell.exe 760 powershell.exe 1684 powershell.exe 3876 powershell.exe 2644 powershell.exe 2276 powershell.exe 1912 powershell.exe 3340 powershell.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" Orcus.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 37 api.ipify.org 38 api.ipify.org -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Orcus\Orcus.exe xd.exe File created C:\Program Files\Orcus\Orcus.exe.config xd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Orcus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Orcus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Orcus.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1516 vlc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3100 powershell.exe 3100 powershell.exe 2276 powershell.exe 4468 powershell.exe 936 powershell.exe 3744 powershell.exe 2276 powershell.exe 2276 powershell.exe 2280 powershell.exe 2280 powershell.exe 2072 powershell.exe 2072 powershell.exe 2548 powershell.exe 2548 powershell.exe 1912 powershell.exe 1912 powershell.exe 1140 powershell.exe 1140 powershell.exe 440 powershell.exe 440 powershell.exe 1200 powershell.exe 1200 powershell.exe 936 powershell.exe 936 powershell.exe 3744 powershell.exe 3744 powershell.exe 2072 powershell.exe 4468 powershell.exe 4468 powershell.exe 2280 powershell.exe 1912 powershell.exe 2548 powershell.exe 1140 powershell.exe 1200 powershell.exe 440 powershell.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2748 powershell.exe 2748 powershell.exe 1824 powershell.exe 2496 powershell.exe 4372 powershell.exe 936 powershell.exe 936 powershell.exe 4596 powershell.exe 4596 powershell.exe 760 powershell.exe 760 powershell.exe 3340 powershell.exe 3340 powershell.exe 4372 powershell.exe 4372 powershell.exe 3064 powershell.exe 3064 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1516 vlc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3100 powershell.exe Token: SeIncreaseQuotaPrivilege 3100 powershell.exe Token: SeSecurityPrivilege 3100 powershell.exe Token: SeTakeOwnershipPrivilege 3100 powershell.exe Token: SeLoadDriverPrivilege 3100 powershell.exe Token: SeSystemProfilePrivilege 3100 powershell.exe Token: SeSystemtimePrivilege 3100 powershell.exe Token: SeProfSingleProcessPrivilege 3100 powershell.exe Token: SeIncBasePriorityPrivilege 3100 powershell.exe Token: SeCreatePagefilePrivilege 3100 powershell.exe Token: SeBackupPrivilege 3100 powershell.exe Token: SeRestorePrivilege 3100 powershell.exe Token: SeShutdownPrivilege 3100 powershell.exe Token: SeDebugPrivilege 3100 powershell.exe Token: SeSystemEnvironmentPrivilege 3100 powershell.exe Token: SeRemoteShutdownPrivilege 3100 powershell.exe Token: SeUndockPrivilege 3100 powershell.exe Token: SeManageVolumePrivilege 3100 powershell.exe Token: 33 3100 powershell.exe Token: 34 3100 powershell.exe Token: 35 3100 powershell.exe Token: 36 3100 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeDebugPrivilege 4468 powershell.exe Token: SeDebugPrivilege 936 powershell.exe Token: SeDebugPrivilege 3744 powershell.exe Token: SeDebugPrivilege 2280 powershell.exe Token: SeDebugPrivilege 2072 powershell.exe Token: SeDebugPrivilege 1912 powershell.exe Token: SeDebugPrivilege 2548 powershell.exe Token: SeDebugPrivilege 1140 powershell.exe Token: SeDebugPrivilege 440 powershell.exe Token: SeDebugPrivilege 1200 powershell.exe Token: SeIncreaseQuotaPrivilege 2276 powershell.exe Token: SeSecurityPrivilege 2276 powershell.exe Token: SeTakeOwnershipPrivilege 2276 powershell.exe Token: SeLoadDriverPrivilege 2276 powershell.exe Token: SeSystemProfilePrivilege 2276 powershell.exe Token: SeSystemtimePrivilege 2276 powershell.exe Token: SeProfSingleProcessPrivilege 2276 powershell.exe Token: SeIncBasePriorityPrivilege 2276 powershell.exe Token: SeCreatePagefilePrivilege 2276 powershell.exe Token: SeBackupPrivilege 2276 powershell.exe Token: SeRestorePrivilege 2276 powershell.exe Token: SeShutdownPrivilege 2276 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeSystemEnvironmentPrivilege 2276 powershell.exe Token: SeRemoteShutdownPrivilege 2276 powershell.exe Token: SeUndockPrivilege 2276 powershell.exe Token: SeManageVolumePrivilege 2276 powershell.exe Token: 33 2276 powershell.exe Token: 34 2276 powershell.exe Token: 35 2276 powershell.exe Token: 36 2276 powershell.exe Token: SeIncreaseQuotaPrivilege 3744 powershell.exe Token: SeSecurityPrivilege 3744 powershell.exe Token: SeTakeOwnershipPrivilege 3744 powershell.exe Token: SeLoadDriverPrivilege 3744 powershell.exe Token: SeSystemProfilePrivilege 3744 powershell.exe Token: SeSystemtimePrivilege 3744 powershell.exe Token: SeProfSingleProcessPrivilege 3744 powershell.exe Token: SeIncBasePriorityPrivilege 3744 powershell.exe Token: SeCreatePagefilePrivilege 3744 powershell.exe Token: SeBackupPrivilege 3744 powershell.exe -
Suspicious use of FindShellTrayWindow 42 IoCs
pid Process 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2764 Orcus.exe 1516 vlc.exe 1516 vlc.exe 1516 vlc.exe 1516 vlc.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid Process 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2764 Orcus.exe 1516 vlc.exe 1516 vlc.exe 1516 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1516 vlc.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 2252 wrote to memory of 4296 2252 xd.exe 83 PID 2252 wrote to memory of 4296 2252 xd.exe 83 PID 4296 wrote to memory of 4756 4296 csc.exe 85 PID 4296 wrote to memory of 4756 4296 csc.exe 85 PID 2252 wrote to memory of 3100 2252 xd.exe 86 PID 2252 wrote to memory of 3100 2252 xd.exe 86 PID 2252 wrote to memory of 2276 2252 xd.exe 89 PID 2252 wrote to memory of 2276 2252 xd.exe 89 PID 2252 wrote to memory of 4468 2252 xd.exe 91 PID 2252 wrote to memory of 4468 2252 xd.exe 91 PID 2252 wrote to memory of 3744 2252 xd.exe 92 PID 2252 wrote to memory of 3744 2252 xd.exe 92 PID 2252 wrote to memory of 936 2252 xd.exe 95 PID 2252 wrote to memory of 936 2252 xd.exe 95 PID 2252 wrote to memory of 2280 2252 xd.exe 97 PID 2252 wrote to memory of 2280 2252 xd.exe 97 PID 2252 wrote to memory of 2072 2252 xd.exe 99 PID 2252 wrote to memory of 2072 2252 xd.exe 99 PID 2252 wrote to memory of 1912 2252 xd.exe 101 PID 2252 wrote to memory of 1912 2252 xd.exe 101 PID 2252 wrote to memory of 2548 2252 xd.exe 103 PID 2252 wrote to memory of 2548 2252 xd.exe 103 PID 2252 wrote to memory of 1200 2252 xd.exe 105 PID 2252 wrote to memory of 1200 2252 xd.exe 105 PID 2252 wrote to memory of 1140 2252 xd.exe 107 PID 2252 wrote to memory of 1140 2252 xd.exe 107 PID 2252 wrote to memory of 440 2252 xd.exe 109 PID 2252 wrote to memory of 440 2252 xd.exe 109 PID 2252 wrote to memory of 2764 2252 xd.exe 115 PID 2252 wrote to memory of 2764 2252 xd.exe 115 PID 2764 wrote to memory of 2748 2764 Orcus.exe 116 PID 2764 wrote to memory of 2748 2764 Orcus.exe 116 PID 2764 wrote to memory of 2496 2764 Orcus.exe 119 PID 2764 wrote to memory of 2496 2764 Orcus.exe 119 PID 2764 wrote to memory of 1824 2764 Orcus.exe 121 PID 2764 wrote to memory of 1824 2764 Orcus.exe 121 PID 2764 wrote to memory of 4372 2764 Orcus.exe 123 PID 2764 wrote to memory of 4372 2764 Orcus.exe 123 PID 2764 wrote to memory of 936 2764 Orcus.exe 125 PID 2764 wrote to memory of 936 2764 Orcus.exe 125 PID 2764 wrote to memory of 3064 2764 Orcus.exe 127 PID 2764 wrote to memory of 3064 2764 Orcus.exe 127 PID 2764 wrote to memory of 3340 2764 Orcus.exe 129 PID 2764 wrote to memory of 3340 2764 Orcus.exe 129 PID 2764 wrote to memory of 4596 2764 Orcus.exe 131 PID 2764 wrote to memory of 4596 2764 Orcus.exe 131 PID 2764 wrote to memory of 760 2764 Orcus.exe 133 PID 2764 wrote to memory of 760 2764 Orcus.exe 133 PID 2764 wrote to memory of 1684 2764 Orcus.exe 135 PID 2764 wrote to memory of 1684 2764 Orcus.exe 135 PID 2764 wrote to memory of 3876 2764 Orcus.exe 137 PID 2764 wrote to memory of 3876 2764 Orcus.exe 137 PID 2764 wrote to memory of 2644 2764 Orcus.exe 139 PID 2764 wrote to memory of 2644 2764 Orcus.exe 139 -
System policy modification 1 TTPs 14 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" Orcus.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\xd.exe"C:\Users\Admin\AppData\Local\Temp\xd.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2252 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5lkc5msd.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FC0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FAF.tmp"3⤵PID:4756
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2764 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 03⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 63⤵
- Command and Scripting Interpreter: PowerShell
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true3⤵
- Command and Scripting Interpreter: PowerShell
PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 23⤵
- Command and Scripting Interpreter: PowerShell
PID:2644
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TraceFormat.au"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1516
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5b8006a0ea8243be30ddbc2009aa05d93
SHA181df425e729edd90c7b7e50b995803da783557ef
SHA2566895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2
SHA5124535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD50f1bf4207c100442afb6f174495b7e10
SHA177ab64a201e4c57bbda4f0c3306bee76e9513b44
SHA256c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d
SHA51229bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94
-
Filesize
1KB
MD55e22dd1cda88782a1f52f76e748ef957
SHA13231826619a06fa541e2bfb21da445bd7013b5ac
SHA25673302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec
SHA51275039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498
-
Filesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
3.0MB
MD50aa6a14b26944d7f9ff50bfcc3e9e0c9
SHA1de21f62e9ea5618fa793ce3593c6c57e26bdedad
SHA256b92a6bfcff5ad36cb34871413e4b046bd5d4d2c573ab86b6aaade7f4e23e380a
SHA512f7c202588f071cbef074b36d7cc3a0aeda7c27af02e20268ba5750803a0ba5c990ce7f50b9f9d32b047110c1ab9e5d9fb65e2f1992c3d8f92b0ea84ddd96103b
-
Filesize
76KB
MD541acbbd858c29fa59d1da4bfb774b571
SHA1336672c7334e1fbe2480ad8d4638be284fec63c6
SHA25656d0810ff10aeea43882ae50f5a6d95d1a7ac6fa42728d9ff33c9c14d6cc9ec1
SHA512079e974886d7cfd819108e47b0936672e3fb359d58e3a987b28dad58fbbff177b5cd8f59dd73265443459620d44565e5a7b5686db56026d748c211b42f0ca34f
-
Filesize
1KB
MD53cd7fbc44added6ced8aacd4e4ac5226
SHA168c239a6911cfecd74ae6367ec7473a511fd78d6
SHA2564dc3edc82ccf2af480f43c74ad8c8293efcad948823895b6158789d6659ce762
SHA512748938616f1dcc50de6afb073f83e21e5f25a1ccd3d7fbf1b6e0719a11ba6c664742f9f02668dde43037f9e86eba7c0ca2a40165a2b25579c3f1bb937ed486fa
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\AForge.Video.DirectShow.dll
Filesize60KB
MD517ed442e8485ac3f7dc5b3c089654a61
SHA1d3a17c1fdd6d54951141053f88bf8238dea0b937
SHA256666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
SHA5129118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2
-
Filesize
20KB
MD50bd34aa29c7ea4181900797395a6da78
SHA1ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0
-
Filesize
519KB
MD594a312a6fcec0e78808bcea3d8ff67f5
SHA1fe760487d13f9a6f5f359036561105d4aca88a1f
SHA256e835139171eb0d63b6b4e02b0997cac040c02d295648a275d4c8d28b234c8e94
SHA512ecdedeee1ee4e35e4fbd2dea3a4dd8b0805166a9610a63affbfb673f2644588eacecba6b3a5a0052c202ab14c321800997512abc318d36a50b00cc86dc83ec1c
-
Filesize
125KB
MD52b44c70c49b70d797fbb748158b5d9bb
SHA193e00e6527e461c45c7868d14cf05c007e478081
SHA2563762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0
-
Filesize
271KB
MD598eb5ba5871acdeaebf3a3b0f64be449
SHA1c965284f60ef789b00b10b3df60ee682b4497de3
SHA256d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2
-
Filesize
338KB
MD5934da0e49208d0881c44fe19d5033840
SHA1a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA25602da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59
-
Filesize
247KB
MD5ffb4b61cc11bec6d48226027c2c26704
SHA1fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA51248aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9
-
Filesize
1.3MB
MD5ac6acc235ebef6374bed71b37e322874
SHA1a267baad59cd7352167636836bad4b971fcd6b6b
SHA256047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA51272ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081
-
Filesize
662KB
MD5b36cc7f7c7148a783fbed3493bc27954
SHA144b39651949a00cf2a5cbba74c3210b980ae81b4
SHA256c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
SHA512c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2
-
Filesize
208KB
MD52b016afb119e25cb3fe81d09b1a1bb0c
SHA10d3374f0b9ffbe63f84209072274b675357b58fe
SHA25625e9cc663d0269ce91d304c06c13a574d7b65a2328cb6a9221dd20d57fc7e543
SHA51211cfc789fbac7b96f0c8239ce1b05cb61be62c2d3f25b10d7f1938d3bd90ddcee7d81567842790f2600f7c81f49f85d5391be8408ceecb7cf45156ab1b355b59
-
Filesize
349B
MD5677000c9e7636e08bd6883f22893b9e9
SHA1395e53f0227b096d9d83840ef81e8c58d7a4f2e0
SHA2565a9d1fb9890f74e5eac08c58ba9896e4c3f29115894ca1476b4a9f95a6eb7121
SHA5121ae832f135802183e363c7458007273d509f03c18f8b8ad0154bbbee12ad09bf5df7e5b6617c4809a0af1b561d24fb20cf0b941630b2e504cfeeb5e8f76b4ee1
-
Filesize
676B
MD56d8dacc69ca5107a33d76083cdda6435
SHA1e9631dd07bff5b37a637d69e2e9e9068d669dd5d
SHA256bfb18b109bdd2cfc8ad87c1d6fc55b7c128a5a083bcd157c725d5fc805d3212d
SHA51280eb1fb3e76a195ef5d6af15562df867f66f430b497226432654d0af3e81d6002f9d204591d0040b0fd58bf63df1a9a31b02cbba2bc79923f131f7a4dc41da6c