| Source: QeTCfhacvf.exe | Malware Configuration Extractor: OrcusRAT {"AutostartBuilderProperty": {"AutostartMethod": "Registry", "TaskSchedulerTaskName": "svchost", "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "svchost", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "true", "AssemblyTitle": "svchost.exe", "AssemblyDescription": "Host Process for Windows Services", "AssemblyCompanyName": "Microsoft Corporation", "AssemblyProductName": "Microsoft\u00ae Windows\u00ae Operating System", "AssemblyCopyright": "\u00a9 Microsoft Corporation. All rights reserved.", "AssemblyTrademarks": null, "AssemblyProductVersion": "10.0.20348.0", "AssemblyFileVersion": "6.2.20348.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2024-11-05T04:20:55"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": null}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "45.10.151.182", "Port": "10134"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Orc"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "true"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET48"}, "HideFileBuilderProperty": {"HideFile": "true"}, "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Orcus\\svchost.exe"}, "InstallBuilderProperty": {"Install": "true"}, "KeyloggerBuilderProperty": {"IsEnabled": "true"}, "MutexBuilderProperty": {"Mutex": "064acb3fed56475eaee5e20cdd2d83c3"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"}, "ServiceBuilderProperty": {"Install": "true"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "true"}, "WatchdogBuilderProperty": {"IsEnabled": "true", "Name": "csrss.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "true"}} |
| Source: | Binary string: #costura.shelllibrary.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1658118810.000001D058DA3000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: costura.orcus.staticcommands.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: costura.orcus.shared.utilities.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: costura.directoryinfoex.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: C:\Users\fatih\DEV\Orcus\Features\Orcus.Golem\obj\Release\Orcus.Golem.pdb source: csrss.exe, 00000005.00000000.1400711862.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmp, csrss.exe.4.dr |
| Source: | Binary string: +costura.orcus.staticcommands.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1658118810.000001D058DA3000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: costura.orcus.shared.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: C:\Users\fatih\DEV\Orcus\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: svchost.exe, 00000004.00000002.3847007641.0000021BFD340000.00000004.08000000.00040000.00000000.sdmp |
| Source: | Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: svchost.exe, 00000004.00000002.3846529376.0000021BFBDF0000.00000004.08000000.00040000.00000000.sdmp |
| Source: | Binary string: orcus.sharedGcostura.orcus.shared.dll.compressedGcostura.orcus.shared.pdb.compressed-orcus.shared.utilities[costura.orcus.shared.utilities.dll.compressed[costura.orcus.shared.utilities.pdb.compressed)orcus.staticcommandsWcostura.orcus.staticcommands.dll.compressedWcostura.orcus.staticcommands.pdb.compressedUpl.microsoft.win32.taskscheduler.resources source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: directoryinfoexMcostura.directoryinfoex.dll.compressedMcostura.directoryinfoex.pdb.compressedUes.microsoft.win32.taskscheduler.resources source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: opuswrapperEcostura.opuswrapper.dll.compressedEcostura.opuswrapper.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: costura.opuswrapper.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: shelllibraryGcostura.shelllibrary.dll.compressedGcostura.shelllibrary.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: C:\Users\fatih\DEV\Orcus\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, QeTCfhacvf.exe, 00000000.00000002.1400420832.00000207E1ED0000.00000004.08000000.00040000.00000000.sdmp, QeTCfhacvf.exe, 00000000.00000002.1397563470.00000207D9821000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: $costura.orcus.plugins.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: svchost.exe, 00000004.00000002.3845870218.0000021BFBD90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3842772840.0000021BF3D6F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3842772840.0000021BF3B61000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: costura.orcus.plugins.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: costura.fluentcommandlineparser.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: C:\Users\fatih\DEV\Orcus\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, QeTCfhacvf.exe, 00000000.00000002.1394321824.00000207C7DF0000.00000004.08000000.00040000.00000000.sdmp, QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C974F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9F7000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: C:\Users\fatih\DEV\Orcus\Features\Orcus.Service\obj\Release\Orcus.Service.pdb source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9A5D000.00000004.00000800.00020000.00000000.sdmp, WindowsInput.exe, 00000002.00000000.1369008220.000001E8D0F52000.00000002.00000001.01000000.00000007.sdmp, WindowsInput.exe.0.dr |
| Source: | Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: svchost.exe, 00000004.00000002.3846529376.0000021BFBDF0000.00000004.08000000.00040000.00000000.sdmp |
| Source: | Binary string: .costura.fluentcommandlineparser.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: orcus.pluginsIcostura.orcus.plugins.dll.compressedIcostura.orcus.plugins.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: costura.shelllibrary.pdb.compressed source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: C:\Users\fatih\DEV\Orcus\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: QeTCfhacvf.exe, 00000000.00000002.1394383237.00000207C7EC0000.00000004.08000000.00040000.00000000.sdmp, QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9A5D000.00000004.00000800.00020000.00000000.sdmp, QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C97D8000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: #costura.orcus.shared.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: svchost.exe, 00000004.00000002.3845870218.0000021BFBD90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3842772840.0000021BF3D6F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3842772840.0000021BF3B61000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: &costura.directoryinfoex.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: costura.es.microsoft.win32.taskscheduler.resources.dll.compressed/fluentcommandlineparser]costura.fluentcommandlineparser.dll.compressed]costura.fluentcommandlineparser.pdb.compressedUfr.microsoft.win32.taskscheduler.resources source: QeTCfhacvf.exe, svchost.exe.0.dr |
| Source: | Binary string: -costura.orcus.shared.utilities.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1658118810.000001D058DA3000.00000004.00000800.00020000.00000000.sdmp |
| Source: | Binary string: "costura.opuswrapper.pdb.compressed source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8B9A1000.00000004.00000800.00020000.00000000.sdmp |
| Source: WindowsInput.exe, 00000002.00000002.1383351802.000001E8D2C91000.00000004.00000800.00020000.00000000.sdmp, WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD65E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org |
| Source: WindowsInput.exe, 00000002.00000002.1383351802.000001E8D2C91000.00000004.00000800.00020000.00000000.sdmp, WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD65E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/ |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD65E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD65E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry |
| Source: WindowsInput.exe, 00000002.00000002.1383351802.000001E8D2C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C97D8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8BA78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1658118810.000001D058E7E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9A5D000.00000004.00000800.00020000.00000000.sdmp, WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD6D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD6D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD6D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C97D8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3827673150.0000021BE39A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.1579751200.0000026B8BA78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1658118810.000001D0590D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/ |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD65E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/:NetNamedPipeBinding |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/ |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKey |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKeyResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/CreateValue |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/CreateValueResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/DeleteFile |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/DeleteFileResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKey |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKeyResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/DeleteValue |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/DeleteValueResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetPath |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetPathResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeys |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValues |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValuesResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLog |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLogResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/IsAlive |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/IsAliveResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/StartProcess |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/StartProcessResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/WriteFile |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/WriteFileResponse |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/X |
| Source: WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD65E000.00000004.00000800.00020000.00000000.sdmp, WindowsInput.exe, 00000003.00000002.3828043984.000002ACBD59A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/x |
| Source: WindowsInput.exe, 00000002.00000002.1383351802.000001E8D2C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.o |
| Source: WindowsInput.exe, 00000002.00000002.1383351802.000001E8D2C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.oh |
| Source: QeTCfhacvf.exe, svchost.exe.0.dr | String found in binary or memory: https://api.ipify.org/I(. |
| Source: svchost.exe, 00000004.00000002.3845870218.0000021BFBD90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3842772840.0000021BF3D6F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3842772840.0000021BF3B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dahall/taskscheduler |
| Source: QeTCfhacvf.exe, type: SAMPLE | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam |
| Source: QeTCfhacvf.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen |
| Source: 0.0.QeTCfhacvf.exe.207c77b0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam |
| Source: 0.0.QeTCfhacvf.exe.207c77b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen |
| Source: 00000000.00000002.1401384345.00000207E212D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam |
| Source: 00000000.00000000.1357917050.00000207C77B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam |
| Source: Process Memory Space: QeTCfhacvf.exe PID: 7652, type: MEMORYSTR | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam |
| Source: C:\Program Files\Orcus\svchost.exe, type: DROPPED | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam |
| Source: C:\Program Files\Orcus\svchost.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen |
| Source: C:\Users\user\Desktop\QeTCfhacvf.exe | Code function: 0_2_00007FF886D05B90 | 0_2_00007FF886D05B90 |
| Source: C:\Users\user\Desktop\QeTCfhacvf.exe | Code function: 0_2_00007FF886D04478 | 0_2_00007FF886D04478 |
| Source: C:\Users\user\Desktop\QeTCfhacvf.exe | Code function: 0_2_00007FF886D062C0 | 0_2_00007FF886D062C0 |
| Source: C:\Windows\SysWOW64\WindowsInput.exe | Code function: 3_2_00007FF886D10EFA | 3_2_00007FF886D10EFA |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 4_2_00007FF886D05B90 | 4_2_00007FF886D05B90 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 4_2_00007FF886D062C0 | 4_2_00007FF886D062C0 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 4_2_00007FF886D04478 | 4_2_00007FF886D04478 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 11_2_00007FF886D15B90 | 11_2_00007FF886D15B90 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 11_2_00007FF886D162C0 | 11_2_00007FF886D162C0 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 11_2_00007FF886D14478 | 11_2_00007FF886D14478 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 14_2_00007FF886D25B90 | 14_2_00007FF886D25B90 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 14_2_00007FF886D262C0 | 14_2_00007FF886D262C0 |
| Source: C:\Program Files\Orcus\svchost.exe | Code function: 14_2_00007FF886D24478 | 14_2_00007FF886D24478 |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Shared.dllB vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9701000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Plugins.dll< vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1401384345.00000207E212D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.exej% vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1400420832.00000207E1ED0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Shared.dllB vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394383237.00000207C7EC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394321824.00000207C7DF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Plugins.dll< vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9A5D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C9A5D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Service.exe: vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C97D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1397563470.00000207D9821000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Shared.dllB vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, 00000000.00000002.1394596796.00000207C974F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOrcus.Plugins.dll< vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe | Binary or memory string: OriginalFilenameOrcus.exej% vs QeTCfhacvf.exe |
| Source: QeTCfhacvf.exe, type: SAMPLE | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/ |
| Source: QeTCfhacvf.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers |
| Source: 0.0.QeTCfhacvf.exe.207c77b0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/ |
| Source: 0.0.QeTCfhacvf.exe.207c77b0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers |
| Source: 00000000.00000002.1401384345.00000207E212D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/ |
| Source: 00000000.00000000.1357917050.00000207C77B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/ |
| Source: Process Memory Space: QeTCfhacvf.exe PID: 7652, type: MEMORYSTR | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/ |
| Source: C:\Program Files\Orcus\svchost.exe, type: DROPPED | Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/ |
| Source: C:\Program Files\Orcus\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers |
Edit tour
QeTCfhacvf.exe (PID: 7652 cmdline: 
consent.exe (PID: 3664 cmdline: 
