orcus | 53ef45215a305cdeb6a25dcb51c691af9f4d545534d78e102d125536baa608b7

Analysis

max time kernel
208s
max time network
209s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tar.exe
Size

3.0MB
MD5

bf7895e063d2bc2e2df12a0808369f74
SHA1

c0b6158b47aee66cbe68885e582f20a388b0b146
SHA256

53ef45215a305cdeb6a25dcb51c691af9f4d545534d78e102d125536baa608b7
SHA512

e664d6a6e763c27738ef5472bab2fdf6334083756e2bbb8a92b43f29bac7f557e548f53a16c2f2d28df713744b3d9d88911ae75ca55acd8af24110641bbf1ffa
SSDEEP

49152:gAkDf7+QSLqZeM9/04zgaMWUljQfJgVXkKAypQxb0/o9JnCmYWncFf0I74gu3yM:gPyb2MnjQBEUNypSb6o9JCm

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

108.231.94.28:10134

Mutex

2c09a108509b4d9aa6f48e001c264c91

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 4 IoCs

resource	yara_rule
behavioral1/memory/1036-1-0x0000000000D00000-0x0000000000FFC000-memory.dmp	orcus
behavioral1/files/0x0006000000019346-26.dat	orcus
behavioral1/memory/1964-29-0x0000000000D80000-0x000000000107C000-memory.dmp	orcus
behavioral1/memory/1964-505-0x000000001E5F0000-0x000000001E8EC000-memory.dmp	orcus

Executes dropped EXE 10 IoCs

pid	Process
2012	WindowsInput.exe
2832	WindowsInput.exe
1964	Orcus.exe
2660	Orcus.exe
2248	OrcusWatchdog.exe
2924	OrcusWatchdog.exe
3048	OrcusWatchdog.exe
1028	OrcusWatchdog.exe
352	OrcusWatchdog.exe
2068	OrcusWatchdog.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	Orcus.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	tar.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	tar.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	tar.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	tar.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	tar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7C654971-E204-11EF-9C44-E61828AB23DD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe
1964	Orcus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	Orcus.exe
Token: SeBackupPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe
Token: SeSecurityPrivilege	1964	Orcus.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2500	iexplore.exe
1964	Orcus.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1964	Orcus.exe
2500	iexplore.exe
2500	iexplore.exe
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2012	1036	tar.exe	30
PID 1036 wrote to memory of 2012	1036	tar.exe	30
PID 1036 wrote to memory of 2012	1036	tar.exe	30
PID 1036 wrote to memory of 1964	1036	tar.exe	32
PID 1036 wrote to memory of 1964	1036	tar.exe	32
PID 1036 wrote to memory of 1964	1036	tar.exe	32
PID 2624 wrote to memory of 2660	2624	taskeng.exe	34
PID 2624 wrote to memory of 2660	2624	taskeng.exe	34
PID 2624 wrote to memory of 2660	2624	taskeng.exe	34
PID 1964 wrote to memory of 2248	1964	Orcus.exe	35
PID 1964 wrote to memory of 2248	1964	Orcus.exe	35
PID 1964 wrote to memory of 2248	1964	Orcus.exe	35
PID 1964 wrote to memory of 2248	1964	Orcus.exe	35
PID 2248 wrote to memory of 2500	2248	OrcusWatchdog.exe	37
PID 2248 wrote to memory of 2500	2248	OrcusWatchdog.exe	37
PID 2248 wrote to memory of 2500	2248	OrcusWatchdog.exe	37
PID 2248 wrote to memory of 2500	2248	OrcusWatchdog.exe	37
PID 2500 wrote to memory of 1812	2500	iexplore.exe	38
PID 2500 wrote to memory of 1812	2500	iexplore.exe	38
PID 2500 wrote to memory of 1812	2500	iexplore.exe	38
PID 2500 wrote to memory of 1812	2500	iexplore.exe	38
PID 1964 wrote to memory of 2924	1964	Orcus.exe	39
PID 1964 wrote to memory of 2924	1964	Orcus.exe	39
PID 1964 wrote to memory of 2924	1964	Orcus.exe	39
PID 1964 wrote to memory of 2924	1964	Orcus.exe	39
PID 1964 wrote to memory of 3048	1964	Orcus.exe	42
PID 1964 wrote to memory of 3048	1964	Orcus.exe	42
PID 1964 wrote to memory of 3048	1964	Orcus.exe	42
PID 1964 wrote to memory of 3048	1964	Orcus.exe	42
PID 1964 wrote to memory of 1028	1964	Orcus.exe	43
PID 1964 wrote to memory of 1028	1964	Orcus.exe	43
PID 1964 wrote to memory of 1028	1964	Orcus.exe	43
PID 1964 wrote to memory of 1028	1964	Orcus.exe	43
PID 1964 wrote to memory of 352	1964	Orcus.exe	44
PID 1964 wrote to memory of 352	1964	Orcus.exe	44
PID 1964 wrote to memory of 352	1964	Orcus.exe	44
PID 1964 wrote to memory of 352	1964	Orcus.exe	44
PID 1964 wrote to memory of 2068	1964	Orcus.exe	45
PID 1964 wrote to memory of 2068	1964	Orcus.exe	45
PID 1964 wrote to memory of 2068	1964	Orcus.exe	45
PID 1964 wrote to memory of 2068	1964	Orcus.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tar.exe
"C:\Users\Admin\AppData\Local\Temp\tar.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2012
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1964 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=OrcusWatchdog.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1812
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1964 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1964 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1964 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1964 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:352
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1964 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2068

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {9392799F-99DA-4D2B-9722-F42799B00CD9} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:2660

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
bf7895e063d2bc2e2df12a0808369f74

SHA1
c0b6158b47aee66cbe68885e582f20a388b0b146

SHA256
53ef45215a305cdeb6a25dcb51c691af9f4d545534d78e102d125536baa608b7

SHA512
e664d6a6e763c27738ef5472bab2fdf6334083756e2bbb8a92b43f29bac7f557e548f53a16c2f2d28df713744b3d9d88911ae75ca55acd8af24110641bbf1ffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e734b1e8ba577f12aab07ccd0b412a45

SHA1
e3d6e17e7232583db231371f1d1bd62569d166a2

SHA256
4ea548b99a65d38a13e752658649a6e5ed0e72b9dd4c0a0125b774d1bb84fbef

SHA512
4c2f69d3418de03b2cb3102d7e5cc3a6d8bf2f05076ff99eac296e1b1c75a756d027f9d76fa02a4fb2d585178223f05db7695065f32682b8dadfe006dff4a8fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb746e6b2f50d67f5d86ac0582ed931f

SHA1
79e320ad5791fc14887881065dadaa40ba49af5b

SHA256
144fc8232c06424e34377b82c7bab95945ebad2445e91f743ac975894a75113c

SHA512
defbb32b945c5f552d941a9c2f48f42b40d31fc998c24f16440ec3b6017055b6202f50952f1b9b9725ece324b7e66e20b7a54dc12439fe28416c28cf8859c120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29d74abce2ffd948cc102b84b2dd1d5d

SHA1
ccbcaa970a40bf01340cad66649c003a12a66be8

SHA256
d6ffbf077a0d18c0cf80e64d93321e4397310291af43c08da4b65504b87e50f6

SHA512
3c5d3e8db787000db3f77dcde2fd60d4c437690c0f13439c148f20cea1035b2afb21a8cd92048673c8159145d9fc7c26f2528c777d9a6c39d6b48bd0ae44d8e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7523b8d8b3f10d96201192cf28dafb7c

SHA1
6d23b77f1d45c08468b0dab2c27f688d5fecc9b2

SHA256
111f0c31ee9f7a4aaed71510d52f45a5390f0be8bd2612a776a77d19cdfe33cf

SHA512
aa796de9b4a30be323ed30690f8b18059a30d59bcf849148c3ec3fdfd0f530f0129249455ba1b0ea1927155582a30a3c90da50f77ecb1c951b641faf8f1e669a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d875a9d74fd010d0d18d646c41539a6f

SHA1
ecf470810d8df1a97803506db83b6ce77bbfdd2b

SHA256
1cec6fcb93fa5ef2916ad2c4d1fdb982c435b986d30e70572d0a995b8be4b406

SHA512
c2ac7c97e6cbff9ae6290af1629cd264bd2f644008ddf7a62a4b3f30326762fe3b409fc2c5bc7abfb9458a29cc978b9b266e0d2f97195a48ba336312d06fd7c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b844b699555054b019b492c8ce594e5

SHA1
2d213b7a7c1588eb274a4e4abe426bc0e345af09

SHA256
77fe817bdb447cf095a5eb15c2a7382e0a8b513574d2411582428d6f97e0369b

SHA512
8cb1250024159c3ecb084d3cc989fab26b26d9c9f44d8a083eda5236d0d0e375de6c616b6e2a6eeb173fac97ca58c3ed020779268b2cf640e5157a674754e695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
330c512a3d9a3fb6924d49f6272622fc

SHA1
36fc8295236f38b79dd14eedf8d0f7e42d935880

SHA256
4ca1afc4079ccc9afd724eafc2b7e1751d90d158486d8f235b70034e0c5921d9

SHA512
2583c1b6416e520286fdd523767133fc5e08939f88ba8ece65fe111d360c2b77f65386bea5d6567976257a3455d1c49547f8b7702ae8541600de63ddb611093f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a879f21eeb750c7aeaaef74f8a358a30

SHA1
c25660cde29fa20e352a9c37cb7e66c37ba62daa

SHA256
dd865485a494b2e9f75f1c5742cabc497c4d517bf695678b9e2a7c6a59f92cb4

SHA512
03d3dd7613c39dfaf62d19286684b0423a7726bd5b1f8cb60780aef820799aa3cb52a7446c6f5217bffb72d23f730ad2699ce6142d877b7cab34db2422b5c445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f0a87c336502bee15884c6b2639d789

SHA1
ecde89b5d6dc859e7eed8c7b07f25c2732de23f3

SHA256
9edac7c491e00bec3d8b7f877d93fc93345079645239a106a006f518cdf558c6

SHA512
6e67cea147e6d6ea1421cf11fd8c021e3a22bf05de4c52494a32ec788f79b289820349cf678fb7a25629298c53ead7f6a17865455978a8077d9b4bbb86ba24f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
155545689b4afe350a9b8e7ef42e31bd

SHA1
d0205c80fac8692971a007335ed8e4d2eade8431

SHA256
db7315b5deb86ffeebf2ce75cae1d336a2035e04e5ef8b61809d5c1dd257638d

SHA512
2a154a50cbb4060b67242c077d47bbc1a382349333d93f0cc21d3f1f595119b4fbcb994f354d2b81dda9ffa74559779e716e71e7a85d5b35cb3c05dce578014b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed522c9ec3c1f4bf8e9b02601105f6e9

SHA1
1edc7ef510f52795287f0e19032aa06d070fec1d

SHA256
e7664a60822e3762e540cf9eea1af9b2608202146eb700150a5ea92b74dbdccf

SHA512
0a876a1144e37f84d43573965dfc0e7ebf0e9955c35c34f37635d7b6d37504c24f89b8ad3ba11b680fc4c908d8dd28569fa77408480f4ece95a991219da5af42

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA891.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBDE4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
dee9d0fe14b2c0426ab9dec8a38ce4b9

SHA1
692bb4d3af30b03d368892e76291896565d5bc4b

SHA256
a5a2e90c471b394ea725c868580e2461a40be7a567ed917fc15cde1766239c5f

SHA512
84ce407731f13ab272e1a98c5c56c968f17b342c89cf525b1506af35c2096e249cf7929e3fc143a670f7d3c5b87e52d9349025f95ce993349e6ebc572d25a29c

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe.config

Filesize
157B

MD5
7efa291047eb1202fde7765adac4b00d

SHA1
22d4846caff5e45c18e50738360579fbbed2aa8d

SHA256
807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

SHA512
159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_2c09a108509b4d9aa6f48e001c264c91\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
c849d33051fa1082063ea849eb073017

SHA1
9ad0af3cf679778aca3fd0b33b112aef80190eae

SHA256
a270d21a6abcf2c1178e73838d9ca9acf2cc36b174821a679fae759bc51ad500

SHA512
74742cca96531afe004ddfbeb1c6850e9698848b6beec24fd90b52c2c5084b289172eaf593b4491bcdfd9b2da5ea82f5adfb90ef2dcdad2443dbb23492c84a9a

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_2c09a108509b4d9aa6f48e001c264c91\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
memory/1036-30-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-5-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/1036-1-0x0000000000D00000-0x0000000000FFC000-memory.dmp

Filesize
3.0MB

Download
memory/1036-2-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1036-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/1036-4-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/1964-792-0x000000001C630000-0x000000001C674000-memory.dmp

Filesize
272KB

Download
memory/1964-31-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/1964-503-0x000000001B060000-0x000000001B06C000-memory.dmp

Filesize
48KB

Download
memory/1964-505-0x000000001E5F0000-0x000000001E8EC000-memory.dmp

Filesize
3.0MB

Download
memory/1964-511-0x000000001B060000-0x000000001B068000-memory.dmp

Filesize
32KB

Download
memory/1964-33-0x00000000024F0000-0x0000000002508000-memory.dmp

Filesize
96KB

Download
memory/1964-879-0x000000001C5D0000-0x000000001C604000-memory.dmp

Filesize
208KB

Download
memory/1964-874-0x000000001BAF0000-0x000000001BB06000-memory.dmp

Filesize
88KB

Download
memory/1964-29-0x0000000000D80000-0x000000000107C000-memory.dmp

Filesize
3.0MB

Download
memory/1964-32-0x0000000002480000-0x00000000024D8000-memory.dmp

Filesize
352KB

Download
memory/1964-34-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/1964-797-0x000000001C680000-0x000000001C6CA000-memory.dmp

Filesize
296KB

Download
memory/1964-802-0x000000001C6D0000-0x000000001C72A000-memory.dmp

Filesize
360KB

Download
memory/1964-807-0x000000001BB20000-0x000000001BB46000-memory.dmp

Filesize
152KB

Download
memory/1964-812-0x000000001C730000-0x000000001C884000-memory.dmp

Filesize
1.3MB

Download
memory/1964-816-0x000000001AED0000-0x000000001AEDA000-memory.dmp

Filesize
40KB

Download
memory/1964-815-0x000000001AED0000-0x000000001AEDA000-memory.dmp

Filesize
40KB

Download
memory/1964-818-0x000000001AED0000-0x000000001AEDA000-memory.dmp

Filesize
40KB

Download
memory/1964-817-0x000000001AED0000-0x000000001AEDA000-memory.dmp

Filesize
40KB

Download
memory/1964-869-0x000000001C590000-0x000000001C5CE000-memory.dmp

Filesize
248KB

Download
memory/1964-822-0x00000000660C0000-0x000000006615C000-memory.dmp

Filesize
624KB

Download
memory/1964-852-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/1964-857-0x000000001BA20000-0x000000001BA36000-memory.dmp

Filesize
88KB

Download
memory/1964-863-0x000000001BA40000-0x000000001BAC6000-memory.dmp

Filesize
536KB

Download
memory/2012-17-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-20-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-15-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/2012-16-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download