orcus | 3786d314f4e3906400b24657ed15fca047576eba9cf17630246db69503fdbea3

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OrcusRAT-main.zip
Size

25.0MB
MD5

4ebe8621171038676189cbc5e7053d9f
SHA1

2e3a3b97163d1e8af1e41c36f9495062fb4b1934
SHA256

3786d314f4e3906400b24657ed15fca047576eba9cf17630246db69503fdbea3
SHA512

e0091ae9f3acddc7e8d11b89a60debc3dab57b8af57bde4a3f538b2283eae398a1adec8224bf5fd2d0be61be015fc2a79c49b06cf786945073e1cc87d66be356
SSDEEP

786432:DFrAoo07VJxiSdlBx4IVwXuOHKW3kijZk:hrA+xJBgIEuMUiNk

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x00090000000164de-7.dat	orcus
behavioral1/memory/2580-15-0x00000000003F0000-0x000000000142E000-memory.dmp	orcus
behavioral1/memory/2308-817-0x0000000000950000-0x000000000198E000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2580	Orcus.Administration.exe
2308	Orcus.Administration.exe

Loads dropped DLL 46 IoCs

pid	Process
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe
2308	Orcus.Administration.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	2580	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdiagnhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdiagnhost.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01ea0445859db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f48590e9dcc6b541b88f2ec87975341300000000020000000000106600000001000020000000e7b1f9f2901f7f6a13badcea4ae74cf2cbaad508cf77e68b080f410405b14258000000000e80000000020000200000006069385d7b922ec70aa1f67d37d09a79a4b16a3c118a451dca7cb8dc5578deb290000000e97d6f283395dc2fb11d4093fa0337e44346875bf1d29c086aa5af85cf2b4319f8cf73395860d17dacf45ad291b6535fb14ef005e2147aa14b4adc9bbd4f7ce29add3203551940151e946c6d6a1b6e230feec5b2088168a1aa014c4b455e4c0028606fa9d75ecc721f3395f003ffa1779a8a79a21bbef6cdf0e85ca275feec3bacdf7b7ffde08974e83dcb6403d4ae0e40000000c440d6d6d2d58281e577c104446423303b2702d2c6376264e11cd5c0c04043babb23983d2575e915d097104d8c1a4f7a82eb64af4913d861d62932d7a9f24145	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441573215"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AAF3301-C54B-11EF-91D0-C60424AAF5E1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f48590e9dcc6b541b88f2ec879753413000000000200000000001066000000010000200000000e2ec7847f68ee8fd8846a001764d8a4a1e6b4292ec97f9b3930d02d2d83d901000000000e800000000200002000000010b1bb146ecc63e7d87950550a8ae011ecf01bbcd9957958fb587fa0fd8b4cf5200000007833a14f90f8cfed2b3ff6fa438ad75689918828dc9e3cbdbf710a81e1d95692400000002c1c5ba6ef3504eafdd14082db3ab360d1454b19a02da673c4ad9aa542349671ac9e34f6989ec3d434237db78b6f96339d8b3c96887f1f4bccf4460b670b96d2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A527F8B1-C54B-11EF-91D0-C60424AAF5E1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	7zFM.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Orcus.Administration.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Orcus.Administration.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2136	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2136	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2136	7zFM.exe
Token: 35	2136	7zFM.exe
Token: SeSecurityPrivilege	2136	7zFM.exe
Token: SeSecurityPrivilege	2136	7zFM.exe
Token: SeSecurityPrivilege	2136	7zFM.exe
Token: SeSecurityPrivilege	2136	7zFM.exe
Token: SeDebugPrivilege	2308	Orcus.Administration.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2136	7zFM.exe
2136	7zFM.exe
2136	7zFM.exe
2136	7zFM.exe
2136	7zFM.exe
2136	7zFM.exe
2136	7zFM.exe
2384	iexplore.exe
2472	iexplore.exe
2516	msdt.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2384	iexplore.exe
2384	iexplore.exe
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2472	iexplore.exe
2472	iexplore.exe
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2580	2136	7zFM.exe	28
PID 2136 wrote to memory of 2580	2136	7zFM.exe	28
PID 2136 wrote to memory of 2580	2136	7zFM.exe	28
PID 2136 wrote to memory of 2580	2136	7zFM.exe	28
PID 2580 wrote to memory of 2956	2580	Orcus.Administration.exe	29
PID 2580 wrote to memory of 2956	2580	Orcus.Administration.exe	29
PID 2580 wrote to memory of 2956	2580	Orcus.Administration.exe	29
PID 2580 wrote to memory of 2956	2580	Orcus.Administration.exe	29
PID 2384 wrote to memory of 2256	2384	iexplore.exe	34
PID 2384 wrote to memory of 2256	2384	iexplore.exe	34
PID 2384 wrote to memory of 2256	2384	iexplore.exe	34
PID 2384 wrote to memory of 2256	2384	iexplore.exe	34
PID 2308 wrote to memory of 2472	2308	Orcus.Administration.exe	37
PID 2308 wrote to memory of 2472	2308	Orcus.Administration.exe	37
PID 2308 wrote to memory of 2472	2308	Orcus.Administration.exe	37
PID 2308 wrote to memory of 2472	2308	Orcus.Administration.exe	37
PID 2472 wrote to memory of 1460	2472	iexplore.exe	38
PID 2472 wrote to memory of 1460	2472	iexplore.exe	38
PID 2472 wrote to memory of 1460	2472	iexplore.exe	38
PID 2472 wrote to memory of 1460	2472	iexplore.exe	38
PID 1460 wrote to memory of 2516	1460	IEXPLORE.EXE	40
PID 1460 wrote to memory of 2516	1460	IEXPLORE.EXE	40
PID 1460 wrote to memory of 2516	1460	IEXPLORE.EXE	40
PID 1460 wrote to memory of 2516	1460	IEXPLORE.EXE	40

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\OrcusRAT-main.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\7zO858BEFE6\Orcus.Administration.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO858BEFE6\Orcus.Administration.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 544
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2256

C:\Users\Admin\Desktop\Orcus.Administration.exe
"C:\Users\Admin\Desktop\Orcus.Administration.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://lite.ip2location.com/sign-up
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2472 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\msdt.exe
      -modal 1442272 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFD99D.tmp -ep NetworkDiagnosticsWeb
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2516

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1948

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
fbaabf27698b0731c4dc661a08d5e401

SHA1
bcfc76e1c58eb8238d4546f12f998abbb14c07b9

SHA256
5ad0ca6ad1c76c555f8cdf14e5e85bb59e2b1b77a7242636b46a50755dc1fa2f

SHA512
f4da904e2f754f6daf29d8c89f9df5e341337aa8e8593dc5ebd7160d6b43daf6137607175a6a0d257694b4d5fd06fb5764d502cf4b7dc725644fe960074e1294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cd15aa1f296c5165b048a4ad8a1f436

SHA1
9abde1da5ddeb967b7d19f4a11c787cdfc84c14e

SHA256
50a69ba2e005623a99564904233edccf4d15b4452651f129e70ec771bd49c2d8

SHA512
e362cc3ccc46c4c3c40c17b318af24b4fc26802d35aecefc522d478b036f46ed677532473f0cf69625bab95d6bcb54fe602b0fca1c41036325edb90e94af92f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27ac5c2878f5d503b84529cb7d49413b

SHA1
8bec321d0009a8d21b04b7e8cec963919748e973

SHA256
03cea1b21c23123695885067a16bbcb01f842e0f00220d00be2aefeaf18c4588

SHA512
65153715ccf377b632f0d665020708f5586d5ef132f10acb711e933184acf3cb40c6e713cca1f10a99c38910cb5c31bbe3d5919a0bae5e21b678a5ac1a917752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4386248584268f583073cf1660102ced

SHA1
5f1281b7f8bf9b5921538b1b82acd76deb6fa5a4

SHA256
fb23c27af08c7aef9d6db4731ff64f55b81df56e1cdce2659fd7424d1ed2a031

SHA512
84c7bcdba678c0dad918010b3299abfaf31f2cafed7ec5258227168591079c87770d72bb6645aa2168bc21520d8ddfbeee8cbd54d356c819260612faf1753ace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f5a53bb7d1eff7c7836c9f1bac23526

SHA1
3482fb7737f8ac73d2a624162300e26dcd01c849

SHA256
3d909c1698ddd1db74227efdf2856d924f9af450975aeb968e658bed6f9d9990

SHA512
927246c5274f5e3036d2f9b4a328f4aa6013a5113097650492372864c7cf41374b660bf1c850881ca9005a84c6244a1b605c4c4a36cdfd5ca4b540d88fe5dff8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
276132709c1930614fabdd5a5604dc55

SHA1
9b102ef638388e7560ac29277833e7272308643d

SHA256
d7d1a7c7f0c4e0c99d4328699ec1a566d14377057cb7d76d7d7c0febd2b14f2b

SHA512
d84aede9ad3c03c291e6f099e2330825abd4fa06456e72698ed3c3634274986d7a6ef9175b7fdfd76a5899a157dcca165a8d98a9cd920e6a2aa5e87769c987f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4458f754ee74b7aea2aedcdafee15af

SHA1
7159cd831b3a337bea352bd2b579dbdc114099dd

SHA256
8f69d4b17a7a564a90df97b58d86aac1026e66aebfe3e8d04ec199a6c57b8ad1

SHA512
3a6906ab9d21578e9455142ed1b70dcd15da2c3e6e11a7dab136475a25e2b88ff76be31469369c0f63f31d95913283d38bb0fd3f1db66e10ce31040e51a14662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2739b6770507037afc195c62f42833c

SHA1
3ba6d76b7f2a9f47854366fb7dcf69048b6669bc

SHA256
aa8257b0896bb3073b80b2b009928c97eef40e9d0215dafda9286c540613ec60

SHA512
6a858f1aba85b5df62316aae81c4bd0a2ee95e98ade48a19e3301f4d59ed51b95e7ab647ac8e95e0cd8c55c2dfe78f334af6ca3a173aba4f4476f4a01bd390aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63e6f3b598d70287a6483113a7b335a8

SHA1
2cdca09b3b58ae7d7779495ba44f851bb7815d30

SHA256
681c6a79b999b7443abd64b93aa0426ec97b34fb37dab0925604d3cb7bb32a6d

SHA512
2567e5f295ac7deb2c7ad79e9a078aeb50b142d93c4b53f26fec9d1e1685715176278c4c90ee897c9fd33d33d1b3e85408dfbb012fc3d277470378d8e6cd1660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8543520238870551f09d25f05dd68b5

SHA1
f60e03b23a30d1403d416cf137a9252913209301

SHA256
96b19b3faeccb7b5c60ce6e701b291d923e812b3e33d8ea3d63729b5520755d1

SHA512
465bd3420f6874ce3eff872be3cd882c4587ffd598352fd4170b42396b267e6dde4f96bca28d50f6a2afc3f48e7e20cad004750d6d413d998c9ac0c5bb6f99bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dec5eb4ca54bead4339b285fbc454b25

SHA1
9b976847698b9716b7405ca4fe0df7c4814284f9

SHA256
0cec74aa17d51718864f3bb0d8f0ff2c4936c82849230c91353f33db7c1e6994

SHA512
a051f23fa3dee05e4f574fe6cf5f504e72910962b348142216e52032d5e6f194e01dad4360bb52b8e8a6ef36946fde3e13daadbf72cac595c13fc01bf61ca7dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97393f230f3188b8ac7385cb22a89ec4

SHA1
c9a224e52d4801480b1d5494e93ab5798959574f

SHA256
6a4707737d9f92ccf0f98c34e666f0d97bcb1010320f1b6d51234b098a21ced4

SHA512
47bb472309f9a8da3882e20284113a5b37e67dfe5c5ca471ca9176aa449a494f37519db19570dc78aa2aea6f4357cbd7732182a13e52f484e42ac6fa9e84ebbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6739dabecdfc185ee68f3c8874a3635b

SHA1
ac471848c3fe2a859bc54d9f79529aca44d45c3f

SHA256
f5cf924611793c4a0718b4d3f881eeeb15fe885367875b33efbe63f25a119287

SHA512
754f1e78a51eb8e2853f0e707e0cfa882495b9ad9b090ea7921b4e60abb2370a57eb0cff011402d8d446d425085317111fed364e40ec2b35bb5d4f7235e54b10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41a1491090adb4e6af0949e7005c0b1e

SHA1
9fbd2e2225f5725ba1999517dd16a0a76f4d6618

SHA256
7f1e9782585612279791d1657228f59dab4d30e5fd4d7f15719121aa0193cba5

SHA512
93bf08f0175ebfcd30b391a98fc0e0948d77766c814641729e1cb00f3e737cfabee20476edf1156bfc671267e7ba522b1140b0a7887d13265d197bcafa08c45d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb24ca290429e95400c7fb05151d4570

SHA1
990d139ae54335189527146a9fae1795207d3bdf

SHA256
91d96a96648000f835ea69aaf1897ec2b5d73016552c84c2af8411cb8b9a02d7

SHA512
4c46283c05c98973eb35fe6bc3ac156aaef7a4aad7a320ca4d4e1b0b0c75d3ee9b058cd310cfdf8a1cdbaf4665d947b910d7f6fcc8bb991044a76f1497c22563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
913483f2243892d2394fc47249dd89e3

SHA1
5936e264a3db524f544195ee58602958390e501e

SHA256
955773acf2f30254a4ee75fb6ea402ccba6bde624c967a5eae1b9e0092d54e67

SHA512
0e447ada1f109cde27a4ebfd22e9d4d6f8864ee7d88a8fa42046ee908d0edbe82000c2ede8ebfda5379b4dc1c3a4c875df28dc935ef68c324c56811d5ba5e3ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae6a08b73981e831aa4309c1aecc6fc0

SHA1
c37d575c067d157a0d7a499839e5aa76f46b6510

SHA256
f6da35b305b0be496cfd33618224a52dca68048b15fba8a09b82f24e99ae86e9

SHA512
8e7a1ca50163e56cd5ee071ac5407f645065f17024ba851c22d554eb664d99af9a7072dbf404d3fb49e49cc9fef05cdc82798be90d129f60406b90c4b38f16fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f3a7cc0c8029310e96a8710f3eb3cde

SHA1
8fc3f0c826c4c1537c315104730e7d4fe89f4cee

SHA256
5ff4550cf51b8bb9b9239f2cdc4dd9e121029583ce4aaf40063a4c07b2adcee4

SHA512
c8a1dca8cf20401d22722016035a91c43795653650ffa134cdec1abcaf87f7ee0ec033fab41a437dd13d626b479124f2cd167be63f92ee6925dc904599a9adf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
399a7e270a9fcb2133c4549d1a6a07b4

SHA1
dc46f4f7e71926f1e2a8cb6a00f13af41f765a93

SHA256
b26f3c7b4212539181de60e4005f1c7494b23b4718733df20fa8c54dee649a3f

SHA512
7378c4a224ab34fcc712d9394562635a7e92a3061d38ea2e04600299a35920213800041d86040ebe7f45695319bc8f68f8ad4a38a8cc17552177354105b80ef9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd4b4599c5687f8ec6f34956a1e1e0c3

SHA1
a3ebf2e71cc70df8579e124f0bb5da119b48e950

SHA256
4cfd814b6ec8ff241c308b57ad717781530485dc4bd1c5cdc7ac41f175c2e18e

SHA512
2efda582834cb6023b261b2fffb7e6fc8dd27f967d2391a3db4dbb89136f385c7af04f2904a92654ccc262dc9c8d1c18bdabdc36989e0733600d25ff595c5d66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5311d17abf68bbbe3a9166ef1c78ca72

SHA1
eee0d67e7217ba7b1a026759fa4168f29082b55d

SHA256
f5c1184a69b828616fc3f6ae65df720aa43b1c14d3a3c582387a94ed2304a521

SHA512
13f662d25be24a679b8da226ff714743bab048d9efe777566c64f294484f64fed841aa264af46034006db2f31b69af5c285cd51f6dc7f1255879fcaf86195eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a6154acae7ec05697a969e804c0301e3

SHA1
190dd0e0c964a37f792762c28a2d1bbc94aee3ff

SHA256
79e09909bb1fd110c1c8904bddc900cf0e77d4e73bee0fc4d355cb190e8e3636

SHA512
d39b16681c512577977f6a8537e5840f47e924c3bb0ae80785e06d26b1ecd7edf6b95323c587cf73cc0ed1999223e32fec99e4c18e03c1702c8c71e192e62667

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024122818.000\NetworkDiagnostics.0.debugreport.xml

Filesize
65KB

MD5
a312519c59ce57a3b92195c736e58590

SHA1
18df506dda045361fd6d2d1fa237c90ecb64e0bc

SHA256
ac7bd76b43e3b52d721df4db40567d209a9afa578f43cc66edc0baa0e83539ff

SHA512
6b09c88668601e99e08705fed10785a3e21a21d8f2562f9ab2c79c6ce04532c2179956d3485437c7785cd915349cfd1229bee2294d3cd4f5d861800c40a7ec6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
5KB

MD5
3b5b3bf55b4de009efa35c3c380e0f3b

SHA1
96508ec759fc2a527f1f184c174b79a9a8be1889

SHA256
28f5827ed9d7b5ee1220872867d02f503ab74f9ee451077d56dc066ca76df8a2

SHA512
55c2fcb7c0b9da8a4214a76f2d00e69f5a6137f3a878714f6abbfe8d5996e9af7304d61091ef6c53f0c7ce08351399816e9940a56e84d5eca39acd0b65c98c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
8KB

MD5
5dd72576ad7b695eca67e3eb9e996d28

SHA1
cf7c6e8e2f70d6b67a9f29176345e93604e44d44

SHA256
d9f44c385e1bf1c3b8bfb984928c7c699988e90c25ab33596dbcff2e73d5884f

SHA512
3dfc98ea7e04155402ab6735101317fc0ec269d4ae403a0a0e3ab879aa7fcc0e20b3c7fbad9c62e74b3c313510ea59c856791d25e6118d19519c91cc67980f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\favicon_32x32[1].png

Filesize
3KB

MD5
8664c8de3f90ca1e989902ac189d1605

SHA1
bea97b47f6d06663d9586f15ce8f96ab2e8ef1cd

SHA256
502b2fa1f09e4b9e4cab7b1e3d1bf8c921b2508c64e131481c221499158f9097

SHA512
3633059a2dc6ba6d63a2602288312cf9c9d3c49f6fa657d994bffa1ef138a41ae7d0340f73485826d2d390ab3b97a0e8a327b6a93b70778c30bace5d2b3c76fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO858BEFE6\Orcus.Administration.exe

Filesize
16.2MB

MD5
a6347e4e194adb6d2a3fae52598d8cdd

SHA1
aa06c496c20d6e04142d4a5205a032680a452a0d

SHA256
911e3e95efddbae9d1c2f4b04027567c76823116755097b5868b7241c7e30cbc

SHA512
2ee24604c0edbc09096e2344ca6c1f74b1067b9aff7f077d0b4e42cd8f51dd1116e98016e34f0a1d951fcdbc8bfed33b1709a9692ba95b3ea3cd84d9ce080922

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD17.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDD49.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\How To Setup a Rat.url

Filesize
96B

MD5
8d61646db59cc7460b40bc79001a40a1

SHA1
e43cdfb3d27a0cb4b4532053c27810abf06d415e

SHA256
c5d1bc7427609e082195ad8db57c9b35b274e3df63a92d78917334425730d1e7

SHA512
9eef7dcaa96a52d52caff6b9709f8377437ff201e976761eec8c35669f946ef111d7da9528c8f253f469969513e4ec5e6a5d0b861665254a6564f8c2d85d9f99

Download Submit
C:\Users\Admin\Desktop\Orcus.Administration.exe.config

Filesize
1KB

MD5
2846ec087e67923c130a5b875193c893

SHA1
ab1049f2531941cb98e99e5f83e8fb6b5be3a7f4

SHA256
148dc241bfa25e5fda9ebef2d315aa95121f9468da29dc167573f32f14733d08

SHA512
a332471ee3d01a13d6f7fd3516ce58e43ce7f6d7dbc0f6b8cc90b26d1be13b2b5b39ce76c29be753edbf5146eca92c02de2746f251918ac12a1cf103df1899de

Download Submit
C:\Users\Admin\Desktop\libraries\NLog.dll

Filesize
517KB

MD5
27c2b96dfbebba578638588d2c95705f

SHA1
6223920526982da59a93ccb2d733e9bdbb1afbaf

SHA256
a74414ee5a23d73d879c216d9cfd96a9a8ad048773fe689d8a8b3022c9869cdf

SHA512
aa90ef4fef936a43c3413c90427668b7956742bb88eb2693d8dc23654952997771e702f5c0b8ffa04e8f0ef8e16809d8bb3ac1f007bc9989b039e78a1d2a6358

Download Submit
C:\Users\Admin\Desktop\libraries\Orcus.Administration.Plugins.dll

Filesize
34KB

MD5
358e21f82feabac03af75599b09532bd

SHA1
b6523b40151fa7090d1a2c44f2b7335170b2d7aa

SHA256
ba011053d673579f781de553994366683d7ea57410ae8d10d9823387ee94b918

SHA512
7334c3b0dcddd321f9fa0536b5000151a4b65f7da5b41e1f70009af7cfdaee70c44d07ce4d5f7eded97d30a89b9c1bb71a18e39fc6243b0fc07a5e3ee05dd1d9

Download Submit
C:\Users\Admin\Desktop\plugins\ApplicationAudioPack.orcplg

Filesize
628KB

MD5
b8cd6b3141a11fa161b2039ded9dc0f1

SHA1
bdf56b2b8b84940699034a2afd9be6fca554d905

SHA256
c82a13255716c73b3ed9d89c48eb000d556e9690f4f830d444ffb64041f7e813

SHA512
deba05e0c5e077aba1b17985863abdbe115d7f9476a2902d6ddbed081b7632b79510601561276354516350553913d162333842a1e896af8af5b1dd5bc2c00b4f

Download Submit
C:\Users\Admin\Desktop\plugins\BSoDProtection.orcplg

Filesize
14KB

MD5
727dbdbe573b1ef41a2c2457d9d1b9a4

SHA1
b65d0ead80c87f7e4b6543c362c257185d5e33c3

SHA256
fe204d16f31a6b210343be7e52279f8abedf8587206503daa6f2c8f6224679f2

SHA512
0b1530ca35d6772da20ef7018bd1f81554d9e2f1b9f30ea12db5c40f7f800712c88caa77b3df29e503ebd40b33d06cc16125eadab7804f974d659b2f6c577681

Download Submit
C:\Users\Admin\Desktop\plugins\BuildPumper.orcplg

Filesize
54KB

MD5
595efdf47d3a392ec489defac02ad7cb

SHA1
40741f2a47c5f1f210f860c10fac7bedc4eb058d

SHA256
9fac7662c10a44f9870f42e1a5d407b31b0d7e4428b7ca95c28bc705625d0613

SHA512
a7c5bde085b6d9465cf01798631381e3eb73b9b93db8d06bb7ab7c759bef1a92fe8174b6faf2bfcc7b300d0c242bab2adc90c488ab36d257bbc34d56e8d41bcf

Download Submit
C:\Users\Admin\Desktop\plugins\DisableWebcamLights.orcplg

Filesize
21KB

MD5
5f32cd5a2c08ec5504de906c6f598281

SHA1
7adafa9de45c29b0e58c7df98f1c756ebf05dcb2

SHA256
f54ef6da320b5f66f3562e44a36bf0cea3848d452ebe2b53f7f5dbb28cd2b61b

SHA512
f3f9affc5157a1ac09eea0f2075184d5649dcd8e49c888ead27e633faf543e30d4085997c0af0942398f64b3ef2a62a8a37028efcfa30b77f491e2d34fe34b72

Download Submit
C:\Users\Admin\Desktop\plugins\EILoTIRiXAudioPack.orcplg

Filesize
2.8MB

MD5
31aafa3933fdab7683e889ec1038ad35

SHA1
d11f7fa55e2cf75ebbc6487468ed4b0674f1111d

SHA256
24aa9269afbac24251495bd0c86538b814089cdaa0aa77a2ef653d31dbc33bcd

SHA512
e63ef239f6f58692f8b5c1fe4dd60e91f2892da696b8797437e4cbc6b7bddfeb0dbaaccee0be0185e50e05162b5cc141ee14da9aa153f26252bc7461d8da2da1

Download Submit
C:\Users\Admin\Desktop\plugins\ExceptionTest.orcplg

Filesize
19KB

MD5
a5b3e031c0d6b20817422beb12bfc78f

SHA1
e9a909e13889a2e6688782d3a290ac375ba4b528

SHA256
c66c8d3ae5f3af64ee34da2f7df88055e314fa1e9254aa9e2425e1f527db9e81

SHA512
f96ad64a771767bb626de49786f5adc4e94a56fa10f68588b9af06ae33dc2f73fade1fc9758ecbefd56a94a6a6221392addb6b9a2b1295f8f39940d7e760a509

Download Submit
C:\Users\Admin\Desktop\plugins\ExtensionSpoofer.orcplg

Filesize
20KB

MD5
2e27ddbcd452e61fe204dc593e1846ff

SHA1
005a864ba1c68802218cfba31756a62193a3407e

SHA256
ef736367bc542ca05bc3ca14455934b412a3f88564d022bb14c59f82d0433ba2

SHA512
4bc127d9e21667b113df85f4beda96c00d1a5933c9f25d65ec6084b7efdec58500404eb394f648a5cfbbf50c4e32af0306686f978a09ad0f6a3212427b0ffcff

Download Submit
C:\Users\Admin\Desktop\plugins\GamerView.orcplg

Filesize
405KB

MD5
8b6269e7ca2180ffd4777552f2335760

SHA1
c809c7c37db0d73662f1034d6dfea63a7db0b229

SHA256
8c0d48a0383af350f80c2dadd34e67bb8c0e2b4186871e59178715f0c4aa4d54

SHA512
37c4323b10d663cad2c0869000dcfd47cc61a74c8e4fe2aeb5029e3d64a3301b3a32b32177aae382ecc3c2e68dc677ee362563eb305ac5003a688017db1d327f

Download Submit
C:\Users\Admin\Desktop\settings.json

Filesize
897B

MD5
9ef365494bc362da1a6ddf86acc48b7a

SHA1
e466a6fcd0e8bcfe9a4657e113d81be7a70092e8

SHA256
6f9dd8f4ce48574ce886f3ebd30cead17aafcab6defeccba45ff1348ffa6c8a7

SHA512
9628a120f96d29820a8ee9a39f11579bb2edf0504a76169bbaddba2692fd54a007d8b57f73633c3bca39e32c132cb1ded0374851f5ff5b6107f8d2642ccb2bab

Download Submit
C:\Windows\Temp\SDIAG_1baa5fec-07a4-4ef3-9673-9cdede82b959\DiagPackage.diagpkg

Filesize
152KB

MD5
c9fb87fa3460fae6d5d599236cfd77e2

SHA1
a5bf8241156e8a9d6f34d70d467a9b5055e087e7

SHA256
cde728c08a4e50a02fcff35c90ee2b3b33ab24c8b858f180b6a67bfa94def35f

SHA512
f4f0cb1b1c823dcd91f6cfe8d473c41343ebf7ed0e43690eecc290e37cee10c20a03612440f1169eef08cc8059aaa23580aa76dd86c1704c4569e8139f9781b3

Download Submit
C:\Windows\Temp\SDIAG_1baa5fec-07a4-4ef3-9673-9cdede82b959\result\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Windows\Temp\SDIAG_b4f91e65-eb23-485c-a2ea-b6301d8906e0\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_b4f91e65-eb23-485c-a2ea-b6301d8906e0\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
\Users\Admin\Desktop\libraries\Exceptionless.Extras.dll

Filesize
71KB

MD5
d3fcd5038079ef42e23ed39a86af5a31

SHA1
3977309df5b3ddc0218a800ee463ddcbcae7503e

SHA256
9d4ab0418d94d3c3d7025ecc1c70ce1762ee12aaa4d35666c2dc7887df53a537

SHA512
8535e4b5b7b61cf31fe69bd43eb2ba4c2a248a2f2a6efcf9b1ffc9cf4d39b67dcb687d45964054b3900f5aa21662b4acc91302f02e99e819ac6f5827a0d493d0

Download Submit
\Users\Admin\Desktop\libraries\Exceptionless.Portable.dll

Filesize
678KB

MD5
6aba9f00d64371b940eedc21804ea9eb

SHA1
5fb0e520a23c780474b0866218c61ff55d083b3f

SHA256
22c949720dacd2dc19b7744185b18faf53dc18199c36af44158257a08ce7f3fd

SHA512
9166ff3cfd7adc334f3a98f4a40736c178a1c793f6ca264722bd1b962a3d059d88035eee1f45aab2b45a8692a13ef50c8e762c4c8600937b263fd7c2703185c0

Download Submit
\Users\Admin\Desktop\libraries\FluentCommandLineParser.dll

Filesize
43KB

MD5
9b5e37f89268ccce0e098222004093ad

SHA1
30b12174abda6a420b2cc152b5c682ff8f106c37

SHA256
fe068b6f15a5423f86558927dd22ec35070c041db9cde1ecade0590d93ca5285

SHA512
23e8cbaa6103f5a76729ee8470b5b208d67be22c9b9fa78340055ac8ded04dc6147c8c50cde96f7c10b111f81cab3e5504227ac5b8f1a616c1a1384c6350257f

Download Submit
\Users\Admin\Desktop\libraries\MahApps.Metro.dll

Filesize
918KB

MD5
fb1e8eee84791cc015e043ab0ce32bba

SHA1
42fb789011213635a7d022ba4fd5461a0d9a134d

SHA256
0de72da4bc2d16d39c30368af880d754fa0bd9745897652ba50213e589d265c5

SHA512
748af415c875cd5d44f305cf58060e7e66ef2ef041b6e86e3a76287a51af63116096eaed0877dc48c17da6594ad0c8dbf0ecadecb763dd469be8b6cc1d02d4a0

Download Submit
\Users\Admin\Desktop\libraries\Newtonsoft.Json.dll

Filesize
510KB

MD5
c3c04754418382f505cafc18d64427f5

SHA1
cac5e36dc498d6bb16170020be021ff5bd18a9e2

SHA256
df8ec2e0245829ddec5b79f1918c3ae3a3fa540a5a0e3c410e2b6ef0bebc7927

SHA512
bda5efd0f69a9c7198841e5d31744fa2bebb05cedb1e2846a0d2dbce6c3193da69c181be1116f38cd5f3d61b441567b1da2c844522184323e3d429294aa91ab5

Download Submit
\Users\Admin\Desktop\libraries\Orcus.Administration.Licensing.dll

Filesize
80KB

MD5
70e207da89961cd32217eabbe3ac0791

SHA1
305ba309e762a128ae098e5bf0241ba71f3a331e

SHA256
83f968c6682b0e52b217daa6aa3da21be6967aa194a14631f43cc76c11a142e9

SHA512
8d9de9a9b3ad265a1df7bd7ab790db639d6ef4b871275a5b2fbb72f9b324cc3158d2073de2de78692fa7ffe64e78e31e7d7f75cb3b50c0d6513da21094bad075

Download Submit
\Users\Admin\Desktop\libraries\Orcus.Plugins.dll

Filesize
21KB

MD5
88e74301f491db06cf075502629b6e56

SHA1
21e970cd1a672fc00eba203ec52a7e4bcb972420

SHA256
e33b1f7ef345a2fde88b2f70e24f1df739c4db0d33f4c2a6fdbacbc4e4190e91

SHA512
0efd79562d68912d6526d570be6a9334cbc79df0c68c105b7287ff6f36b5b6c85a7eb99ba8d6b057e86333c0e8909fe50fe49fe42f2c717f10801a88609c4ecd

Download Submit
\Users\Admin\Desktop\libraries\Sorzus.Wpf.Toolkit.dll

Filesize
43KB

MD5
efc2bbca9bfe174475d17e62ea0f5b4d

SHA1
3d74ba1d65245fe86cbca4cff525856e9b1755a1

SHA256
9f025d34cb7dc817df9f7f722c14eff6f2d95946ef24c486c7063d8ce9e0236f

SHA512
575a9700ea8d4fa1d470632c3654425c816b82c7a5f60c8c9787cc699961d95b2eee82ebedceaa77ec17a96329958235b3a94b6ee868e3a900bcae770506ef23

Download Submit
\Users\Admin\Desktop\libraries\Xceed.Wpf.Toolkit.dll

Filesize
1007KB

MD5
96a320c552ce1152cd674895ffad9f10

SHA1
7a345edab598a794d71d03cd36b78e1ce683e5c5

SHA256
fcadc89d8b2154008f96073da5562575c054e5520f8cd1ff5e292ffe7e67efd7

SHA512
465032415e03c4eb27eb07c157139962d1a3f04619b4bc989bbc1455a62fb5491e7915ac5df9be83c3b17f7287086ab0de0d4caf0cb161f857f3eff05ff776dc

Download Submit
\Users\Admin\Desktop\libraries\nUpdate.dll

Filesize
2.6MB

MD5
253ba7f0427e3f8e032b97496a019a24

SHA1
62793783943b04d8836746bb452145722cf63001

SHA256
814eb85113211fa90efe952f35d06e537f01bf38febca48e2c0cef02ebdb1877

SHA512
29f848f4293454a0103197cd3bb59e364df099b7a26f926673b30132ffe3d15b505fbfc3e0391482d9cd9ed53efd0f3193d0cdf83e0fb59ce3e27de878b83585

Download Submit
memory/2308-871-0x000000000E270000-0x000000000E322000-memory.dmp

Filesize
712KB

Download
memory/2308-889-0x0000000007C50000-0x0000000007C62000-memory.dmp

Filesize
72KB

Download
memory/2308-885-0x0000000007C40000-0x0000000007C54000-memory.dmp

Filesize
80KB

Download
memory/2308-890-0x0000000007D10000-0x0000000007D74000-memory.dmp

Filesize
400KB

Download
memory/2308-891-0x0000000007CC0000-0x0000000007CCC000-memory.dmp

Filesize
48KB

Download
memory/2308-895-0x0000000007D80000-0x0000000007D92000-memory.dmp

Filesize
72KB

Download
memory/2308-896-0x0000000007F00000-0x0000000007F08000-memory.dmp

Filesize
32KB

Download
memory/2308-897-0x0000000007F80000-0x0000000007FCA000-memory.dmp

Filesize
296KB

Download
memory/2308-898-0x0000000008020000-0x0000000008042000-memory.dmp

Filesize
136KB

Download
memory/2308-899-0x0000000008040000-0x0000000008052000-memory.dmp

Filesize
72KB

Download
memory/2308-900-0x0000000008080000-0x000000000808A000-memory.dmp

Filesize
40KB

Download
memory/2308-902-0x00000000083A0000-0x00000000083B0000-memory.dmp

Filesize
64KB

Download
memory/2308-901-0x0000000009510000-0x000000000955C000-memory.dmp

Filesize
304KB

Download
memory/2308-903-0x0000000006760000-0x0000000006770000-memory.dmp

Filesize
64KB

Download
memory/2308-883-0x0000000006650000-0x000000000665A000-memory.dmp

Filesize
40KB

Download
memory/2308-881-0x0000000005DA0000-0x0000000005DA8000-memory.dmp

Filesize
32KB

Download
memory/2308-879-0x00000000078A0000-0x0000000007BE2000-memory.dmp

Filesize
3.3MB

Download
memory/2308-877-0x0000000005D90000-0x0000000005D98000-memory.dmp

Filesize
32KB

Download
memory/2308-875-0x0000000002E20000-0x0000000002E2A000-memory.dmp

Filesize
40KB

Download
memory/2308-873-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

Filesize
32KB

Download
memory/2308-863-0x000000000E1E0000-0x000000000E268000-memory.dmp

Filesize
544KB

Download
memory/2308-869-0x0000000005D60000-0x0000000005D6A000-memory.dmp

Filesize
40KB

Download
memory/2308-859-0x0000000005AC0000-0x0000000005ACE000-memory.dmp

Filesize
56KB

Download
memory/2308-852-0x00000000059F0000-0x0000000005A76000-memory.dmp

Filesize
536KB

Download
memory/2308-848-0x0000000003040000-0x0000000003052000-memory.dmp

Filesize
72KB

Download
memory/2308-844-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2308-840-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/2308-833-0x0000000006530000-0x0000000006632000-memory.dmp

Filesize
1.0MB

Download
memory/2308-839-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download
memory/2308-829-0x0000000005BD0000-0x0000000005CBC000-memory.dmp

Filesize
944KB

Download
memory/2308-825-0x0000000005EB0000-0x0000000006146000-memory.dmp

Filesize
2.6MB

Download
memory/2308-821-0x0000000002E30000-0x0000000002EE0000-memory.dmp

Filesize
704KB

Download
memory/2308-817-0x0000000000950000-0x000000000198E000-memory.dmp

Filesize
16.2MB

Download
memory/2580-15-0x00000000003F0000-0x000000000142E000-memory.dmp

Filesize
16.2MB

Download