General Info

File name: 27.rar
Full analysis: https://app.any.run/tasks/90e3798b-8880-4a1a-ab3b-8cfefd4efc94
Verdict: Malicious activity
Analysis date: 4/15/2019, 11:19:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, orcus
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 2ff6dbb642cfa32bddd1d516914543f7
SHA1: 80c02a3e0f007f3fd5305d86aaefd55f35488961
SHA256: e3521204d4c41931c48e570eceff8c90d8e1e391c8caebf817de728cd73d9ba7
SSDEEP: 98304:r13ZEnF0faxoxm5eM/u+haRQ+QwqZ9so623jL2x4Yd6Lz0O5grUyCatryXG/TTSq:r1JSoxm5z/NQRCLyo6EzY8EUwJTTSq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds
Additional time used: 240 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 2944)
  • Orcus.Administration-cracked.exe (PID: 1244)
Orcus was detected
  • Orcus.Administration-cracked.exe (PID: 1244)
Application was dropped or rewritten from another process
  • Orcus.Administration-cracked.exe (PID: 1244)
Reads Environment values
  • Orcus.Administration-cracked.exe (PID: 1244)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3624)
Dropped object may contain Bitcoin addresses
  • WinRAR.exe (PID: 3624)
Reads settings of System Certificates
  • Orcus.Administration-cracked.exe (PID: 1244)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.rar | RAR compressed archive (v-4.x) (58.3%)
.rar | RAR compressed archive (gen) (41.6%)
EXIF
ZIP
CompressedSize:
1034569
UncompressedSize:
4143104
OperatingSystem:
Win32
ModifyDate:
2017:05:26 12:43:14
PackingMethod:
Normal
ArchivedFileName:
Orcus.Administration-cracked.exe

Processes

Total processes: 35
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start winrar.exe #ORCUS orcus.administration-cracked.exe searchprotocolhost.exe no specs

Process information

PID: 2944
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Indicators: No indicators
Parent process: ––
User: SYSTEM
Integrity Level: SYSTEM
Version:
Company: Microsoft Corporation
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\admin\desktop\orcus.administration-cracked.exe
c:\users\admin\desktop\libraries\de\orcus.staticcommands.resources.dll
c:\users\admin\desktop\libraries\de\orcus.plugins.resources.dll
c:\windows\system32\msxml3r.dll
c:\users\admin\desktop\libraries\writeablebitmapex.wpf.dll
c:\users\admin\desktop\libraries\vestris.resourcelib.dll
c:\users\admin\desktop\libraries\turbojpegwrapper.dll
c:\users\admin\desktop\libraries\starksoft.aspen.dll
c:\users\admin\desktop\libraries\sparrow.chart.wpf.40.dll
c:\users\admin\desktop\libraries\shelllibrary.dll
c:\users\admin\desktop\libraries\sharpdx.dxgi.dll
c:\users\admin\desktop\libraries\sharpdx.dll
c:\users\admin\desktop\libraries\sharpdx.direct3d9.dll
c:\users\admin\desktop\libraries\sharpdx.direct3d11.dll
c:\users\admin\desktop\libraries\oxyplot.wpf.dll
c:\users\admin\desktop\libraries\oxyplot.dll
c:\users\admin\desktop\libraries\orcus.shared.utilities.dll
c:\users\admin\desktop\libraries\orcus.administration.commands.dll
c:\users\admin\desktop\libraries\opuswrapper.dll
c:\users\admin\desktop\libraries\ookii.dialogs.wpf.dll
c:\users\admin\desktop\libraries\mono.cecil.dll
c:\users\admin\desktop\libraries\microsoft.threading.tasks.dll
c:\users\admin\desktop\libraries\lidgren.network.dll
c:\users\admin\desktop\libraries\icsharpcode.sharpziplib.dll
c:\users\admin\desktop\libraries\icsharpcode.avalonedit.dll
c:\users\admin\desktop\libraries\gongsolutions.wpf.dragdrop.dll
c:\users\admin\desktop\libraries\exceptionless.wpf.signed.dll
c:\users\admin\desktop\libraries\directoryinfoex.dll
c:\users\admin\desktop\libraries\cscore.dll
c:\users\admin\desktop\libraries\be.windows.forms.hexbox.dll
c:\users\admin\desktop\libraries\aforge.video.dll
c:\users\admin\desktop\libraries\aforge.video.directshow.dll
c:\users\admin\desktop\libraries\xceed.wpf.toolkit.dll
c:\users\admin\desktop\libraries\system.windows.interactivity.dll
c:\users\admin\desktop\libraries\sorzus.wpf.toolkit.dll
c:\users\admin\desktop\libraries\orcus.staticcommands.dll
c:\users\admin\desktop\libraries\orcus.shared.dll
c:\users\admin\desktop\libraries\orcus.plugins.dll
c:\users\admin\desktop\libraries\orcus.administration.viewmodels.dll
c:\users\admin\desktop\libraries\orcus.administration.plugins.dll
c:\users\admin\desktop\libraries\orcus.administration.fileexplorer.dll
c:\users\admin\desktop\libraries\orcus.administration.core.dll
c:\users\admin\desktop\libraries\nupdate.dll
c:\users\admin\desktop\libraries\nlog.dll
c:\users\admin\desktop\libraries\newtonsoft.json.dll
c:\users\admin\desktop\libraries\mahapps.metro.iconpacks.material.dll
c:\users\admin\desktop\libraries\mahapps.metro.dll
c:\users\admin\desktop\libraries\fluentcommandlineparser.dll
c:\users\admin\desktop\libraries\exceptionless.signed.dll

PID: 3624
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\27.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: MEDIUM
Version:
Company: Alexander Roshal
Description: WinRAR archiver
Version: 5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID: 1244
CMD: "C:\Users\admin\Desktop\Orcus.Administration-cracked.exe"
Path: C:\Users\admin\Desktop\Orcus.Administration-cracked.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
Company: Orcus Technologies
Description: Orcus Administration
Version: 1.9.1.0
Modules
Image
c:\users\admin\desktop\orcus.administration-cracked.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\desktop\libraries\exceptionless.signed.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\32512bd09e2231f6eebb15fc17e3ad79\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\416ba33cb980d07643e82c4c45bd5786\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\da36abbea6ef456f432434d4d8d835c1\presentationframework.ni.dll
c:\users\admin\desktop\libraries\nupdate.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\6d09f865a22e2f903b74476769e1b76a\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\users\admin\desktop\libraries\mahapps.metro.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\01bed42723486eb478a5b3e2557173db\presentationframework.classic.ni.dll
c:\users\admin\desktop\libraries\mahapps.metro.iconpacks.material.dll
c:\users\admin\desktop\libraries\orcus.administration.fileexplorer.dll
c:\users\admin\desktop\libraries\xceed.wpf.toolkit.dll
c:\users\admin\desktop\libraries\sorzus.wpf.toolkit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsform0b574481#\da612289faed8f139ce9c577e06762f1\windowsformsintegration.ni.dll
c:\users\admin\desktop\libraries\orcus.administration.core.dll
c:\users\admin\desktop\libraries\orcus.administration.viewmodels.dll
c:\users\admin\desktop\libraries\orcus.administration.plugins.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\users\admin\desktop\libraries\fluentcommandlineparser.dll
c:\users\admin\desktop\libraries\orcus.plugins.dll
c:\users\admin\desktop\libraries\orcus.shared.dll
c:\users\admin\desktop\libraries\newtonsoft.json.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\cd7ca8846a122a7e690e11c4611bc902\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml.linq\0261f24b2fd53085823ea90b359d71ee\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\032f5fa875be86b577722ddeeee2e51c\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shell32.dll
c:\users\admin\desktop\libraries\nlog.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowscodecs.dll
c:\users\admin\desktop\libraries\system.windows.interactivity.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\users\admin\desktop\libraries\orcus.staticcommands.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rasadhlp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio84a7b877#\e56357d7d3d0eeefff9b4bd199154203\presentationframework-systemdata.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio4b37ff64#\ec80a2cdcf0a749cf0fbcad633b29253\presentationframework-systemxmllinq.ni.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio49d6fefe#\33d15f16d20849f7c46d19b7bc7f4273\presentationframework-systemxml.ni.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\7e77d1835b49fa80598b5c47eaedccfc\uiautomationtypes.ni.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servicemodel\f101d49ff42f71da4271bfa41dda9bd2\system.servicemodel.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\a625f78e6ba48a38f05c102a5fb9c103\system.net.http.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.22cc68a8#\8d2ad6d35810477975ebd0827e4e7c6e\system.net.http.webrequest.ni.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\users\admin\desktop\libraries\starksoft.aspen.dll
c:\users\admin\desktop\libraries\orcus.shared.utilities.dll

Registry activity

Total events: 843
Read events: 806
Write events: 37
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2944 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2944 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\System32\msxml3r.dll,-1 | XML Document
3624 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3624 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3624 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
3624 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\27.rar
3624 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3624 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3624 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3624 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASAPI32 | EnableFileTracing | 0
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASAPI32 | EnableConsoleTracing | 0
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASAPI32 | FileTracingMask | 4294901760
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASAPI32 | ConsoleTracingMask | 4294901760
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASAPI32 | MaxFileSize | 1048576
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASAPI32 | FileDirectory | %windir%\tracing
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASMANCS | EnableFileTracing | 0
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASMANCS | EnableConsoleTracing | 0
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASMANCS | FileTracingMask | 4294901760
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASMANCS | ConsoleTracingMask | 4294901760
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASMANCS | MaxFileSize | 1048576
1244 | Orcus.Administration-cracked.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Orcus_RASMANCS | FileDirectory | %windir%\tracing
1244 | Orcus.Administration-cracked.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
1244 | Orcus.Administration-cracked.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
1244 | Orcus.Administration-cracked.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | Orcus.Administration-cracked.exe
1244 | Orcus.Administration-cracked.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
1244 | Orcus.Administration-cracked.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow | Left | 0
1244 | Orcus.Administration-cracked.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow | Top | 0

Files activity

Executable files: 48
Suspicious files: 0
Text files: 25
Unknown types: 24

Dropped files

PID
Process
Filename
Type
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\Orcus.Administration-cracked.exe
executable
MD5: cc3670f1b3e60e00b43c86d787563a44
SHA256: 9ca18641bc6b48708e4314b3f8275860aef6b9ea16cd6230d781f0abaa84c853
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\SharpDX.dll
executable
MD5: ffb4b61cc11bec6d48226027c2c26704
SHA256: 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\ICSharpCode.SharpZipLib.dll
executable
MD5: c8164876b6f66616d68387443621510c
SHA256: 40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\SharpDX.Direct3D11.dll
executable
MD5: 98eb5ba5871acdeaebf3a3b0f64be449
SHA256: d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\ICSharpCode.AvalonEdit.dll
executable
MD5: d7467d0156f22feb4b22cc5f74d7bd60
SHA256: 2bf6079c143f177d954731db2ffde515bee8fbd6261e0d338ba8e7c8df1ab658
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Lidgren.Network.dll
executable
MD5: a6fdc03e2cbdfa9d393512606097a1ff
SHA256: bf9948c27bd2947a42ea51ccc63b93f2b9030bd117393e1d7637a5770b9b0776
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\FluentCommandLineParser.dll
executable
MD5: 9b5e37f89268ccce0e098222004093ad
SHA256: fe068b6f15a5423f86558927dd22ec35070c041db9cde1ecade0590d93ca5285
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Sorzus.Wpf.Toolkit.dll
executable
MD5: 24e84c8a2d39b66e80966f3a860581ff
SHA256: 34e1daea8b1b338654c8dc347d97f435708b605c58808791509c69354eef60d9
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\GongSolutions.Wpf.DragDrop.dll
executable
MD5: 21e4c0b33f44d13cdf91b4faf828c044
SHA256: 508e1187d1a42cf9d7a2d7eab9012fc1fd75a24b6d94d9fa636d81dc38c4fcbb
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\SharpDX.DXGI.dll
executable
MD5: 2b44c70c49b70d797fbb748158b5d9bb
SHA256: 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Exceptionless.Signed.dll
executable
MD5: 1b0128f8b2bf3aafec28817c2031dc70
SHA256: 98672dfd5c31b77afebc9853539a828836ec72e7d9b0d5f5f5267ad2ebda16ba
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OxyPlot.Wpf.dll
executable
MD5: 542f3f95bfcc7cdd6eeb79f03d104428
SHA256: 6188d0b17fdee865f0896b2742b1d519435c8c04e5da903d969b69aeb66855ea
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Sparrow.Chart.Wpf.40.dll
executable
MD5: 218df16f7f5514e7f9350cb7949b2754
SHA256: d9f1d9ccc551e4befb208492b85231358c6bef50a5ad2ec1ab8d38a954873725
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\MahApps.Metro.dll
executable
MD5: 63a79e31b7bc52bb9aec3a747cbb63fe
SHA256: fb5fae42fcc19f3fe3ed2d9b1fdf0594a4c442148b58ac4d2a9dafdda847e673
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Exceptionless.Wpf.Signed.dll
executable
MD5: ef36a316751603cdcb9c3f5da42b3b60
SHA256: 78fdd30a20ee50f88602059f0940acc92d9bfc09bc5ebebe99372d2a5af7342a
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OxyPlot.dll
executable
MD5: 705da03570bd14a66f4f60ec054f28e6
SHA256: 2d312cde67d4ecf600298148742df302df2f7d4d179a65a9311f2967ffdc262e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\ShellLibrary.dll
executable
MD5: 20aa983bd64aa1f8a37d9e61961eabec
SHA256: ace8dc565164e7612ed3f964a5d16bdcdda0aac7185ba3639b3b7c6064ca1124
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\MahApps.Metro.IconPacks.Material.dll
executable
MD5: d8e627aadfb6dfed292be0672faa9f15
SHA256: 97f4ca8c89ee13b8c249ca6f929d067ba3e87be07b4afa372fdc0a7e9e6e78e1
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\DirectoryInfoEx.dll
executable
MD5: 314955d214bb02847e7f8607a16ec550
SHA256: 82fd40348eb630313d5032910d021ebd982fdde086fbe73ba8947a6d2cb40357
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.StaticCommands.dll
executable
MD5: e6f165cb62b40d4cd53ccafedd0f253c
SHA256: c007c2a4aadc728be29aae5000e2389d0bdc40615d394d32a3dcf97c4e1a738a
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\System.Windows.Interactivity.dll
executable
MD5: 580244bc805220253a87196913eb3e5e
SHA256: 93fbc59e4880afc9f136c3ac0976ada7f3faa7cacedce5c824b337cbca9d2ebf
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Microsoft.Threading.Tasks.dll
executable
MD5: d01819bfe03222dfa9e35a36555b6b6c
SHA256: 5f29e16edff5379e93d5be9bee4cddf98132b84326027688511ac0f3157aaf94
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\de\Orcus.StaticCommands.resources.dll
executable
MD5: d2eb38d0011e8b86b7bc41f096add14c
SHA256: 9b435d3fc3cda3e72fe93262898b4c9f9f14f715fa2f87f1ae8f6cef257838db
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Shared.dll
executable
MD5: ff50d43370efe0bbb001155843dbcb32
SHA256: 496782100ff55259457a6bcd20b25b8a2b925e9830d9cc05be40114a30c1a1b1
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\starksoft.aspen.dll
executable
MD5: c2a974c1e5972d8772207ef8f9c5e39c
SHA256: 0c52d8a203ba92de6f937a7d458c24854951761ccbbc8d3961bc2b7923239c7c
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Mono.Cecil.dll
executable
MD5: cc0bc97cb18ac4e7c6f4decf0218a127
SHA256: ea592e7ba43cb057966778b0027c0d6e7ce9672741b5d3c8c927d48918366183
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\de\Orcus.Plugins.resources.dll
executable
MD5: 03258470c0c379c1eb894412fba1f15c
SHA256: de081d21b9d681d2e267a22cd679b215520af8b6c7f50656915920014d1f0de1
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Shared.Utilities.dll
executable
MD5: b35c2b279b4fb6e97937f09b98a529fe
SHA256: 393583b6dbb47e8de1c559b689aaf74308ca63a7cf0aa9fa56ebb4eaf6eafc2c
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\TurboJpegWrapper.dll
executable
MD5: ac6acc235ebef6374bed71b37e322874
SHA256: 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Newtonsoft.Json.dll
executable
MD5: c53737821b861d454d5248034c3c097c
SHA256: 575e30f98e4ea42c9e516edc8bbb29ad8b50b173a3e6b36b5ba39e133cce9406
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\CSCore.dll
executable
MD5: dde3ec6e17bc518b10c99efbd09ab72e
SHA256: 60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\NLog.dll
executable
MD5: a10a1a2ae1c77e9c7b3fbf7df9179998
SHA256: 6e7016fd4ccf28a1549958dfe226e48b236c28c9b240c983e38bac0eb6b08989
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\WriteableBitmapEx.Wpf.dll
executable
MD5: 7c0d9f3df7f0c3da771ecc5e2bcd97b8
SHA256: 6c2c94d4f5b52213289460c2a3284940e1c35aee2d080d35c750c7580ec44cec
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\nUpdate.dll
executable
MD5: 253ba7f0427e3f8e032b97496a019a24
SHA256: 814eb85113211fa90efe952f35d06e537f01bf38febca48e2c0cef02ebdb1877
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\AForge.Video.dll
executable
MD5: 0bd34aa29c7ea4181900797395a6da78
SHA256: bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Ookii.Dialogs.Wpf.dll
executable
MD5: 5926472580c7a7b45cd611dc0fb06244
SHA256: 04b8cb55ff481a4f4f9a60bc3c5e06ed78c12a8677c211621edcf9d8467bd823
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Vestris.ResourceLib.dll
executable
MD5: 01e1e34a2e2622a72a261c41bc017787
SHA256: e421fa5b5143b08ee6f773deb6b0d7b8f2f9e701fe3d5a698541d34f0757fc46
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OpusWrapper.dll
executable
MD5: bf0ef47bea0139b87d42a449a0240101
SHA256: 07ec44bca9b44de3b22f9d212db3ecc5191201e27e4310d7bb2b199deffbab5a
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Be.Windows.Forms.HexBox.dll
executable
MD5: e00907b3d9270d4cca87c25ff30bcd02
SHA256: 5448e587498c560ef1d8e182344bc340a57cfd3b05c4507c48da11e139035818
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Plugins.dll
executable
MD5: b1514fb82d332691bec05d5eb215621c
SHA256: 7aadc3b3cdf8ad6e8e6032ba2701d67703a8b530032d985215b146249c7ec9f0
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Xceed.Wpf.Toolkit.dll
executable
MD5: 0d47f99ada12dad4894c4298b9348e88
SHA256: a2bde70c456b8957bd0db23793938e99d55e8ae6d6d1b9cccd3dc14998074386
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.FileExplorer.dll
executable
MD5: 64d39f6ae623e811adfc568e2c4339f2
SHA256: 073962b2c49be6fd7c844db723e6b8bf3ad950955acc0cd2b8f28a004597cf67
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\AForge.Video.DirectShow.dll
executable
MD5: 17ed442e8485ac3f7dc5b3c089654a61
SHA256: 666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Core.dll
executable
MD5: ad3c240eb1f76b5857330238e079b818
SHA256: 949c1a060e7995c08c6321911492cb8173611adf283103768b0eb3f786c9594f
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Commands.dll
executable
MD5: 9ab6c9b6dd87628285c892f2c5c0190e
SHA256: f47afc523d077fd7bcfa325c0b74ee3e4623d74179959c8186c27ca2c8ebd60a
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Plugins.dll
executable
MD5: c0a1d945b4edd07bfd16c7fa8c702425
SHA256: 8ffe6de509f29c52b2a62fae165dc91d015073eec33f2c8a90f36d08e0b8581f
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.ViewModels.dll
executable
MD5: 2bc1236c108c3c8ec1eea5b7d98918d5
SHA256: ea223476d216cb4069e0a09198630d41af6e71427ae1f219c1216e3e3decc3f8
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\SharpDX.Direct3D9.dll
executable
MD5: 934da0e49208d0881c44fe19d5033840
SHA256: 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OxyPlot.xml
xml
MD5: 25e6ac82fcd698331828f8e4dcfec96c
SHA256: 16522639d7c8816de0c33ea3cd6c1bdd145bbc5b6aff1e0bd150cac3f6d08559
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Core.dll.config
xml
MD5: e6350abc733d88dd0d2dc6f00c9b17b4
SHA256: 3d338682303fa469255fcfe39d923b415481c782280c94e794d35c30eaa1d464
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Commands.pdb
pdb
MD5: 7975244aae1c16f20a19f0e24d69a7cb
SHA256: ed437679a1ed3f4efb4a3e5c68556cb00d17b677ee30238bb1156fec389d8c63
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\starksoft.aspen.xml
xml
MD5: 18c6fded59acc5f1279587273f16a457
SHA256: 13299361c68cd032390e47435d69458def80c0a14e3335b788279ce334e96908
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OxyPlot.Wpf.pdb
pdb
MD5: 6b208231ef6bb405f911e104db56f29a
SHA256: 4f85e9bdae8426c148a6640a2506ebdd01093a9d5423b404f2f68ac8aa529ca0
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OpusWrapper.pdb
pdb
MD5: 2d1b0f08cc92511c73ee67432a46d39d
SHA256: c95b3763fd3dc16f590af8c0a49ece513b05851d8b473b0573f786ee3dda2b2a
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Ookii.Dialogs.Wpf.xml
xml
MD5: 38cc6ca7ea65b3eaeccc780f217be2b0
SHA256: 184a5a445d65b158f0cecc0135797350c327c31209ce18525251e2e8e0e16e76
1244
Orcus.Administration-cracked.exe
C:\Users\admin\Desktop\settings.json
text
MD5: 98f2e3e6ee779b96279dddc277ba6d30
SHA256: 1461aa839b4c2d0de78ba021d1ee3210adf69f3dd0d661ed7ae9160c7ad1ba4e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\nUpdate.pdb
pdb
MD5: d01ad4a540f23a0638547ce0d6ce3e65
SHA256: a7686cf951724d0018dfe1e1c7b4357fa9028a84dd15b2ae7f200e7fa4b8bf78
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\nUpdate.dll.config
xml
MD5: 8fd95a14599b6fcb8f31bf86773522b9
SHA256: 4560c371fa83c28464c1489e2cd6c4194d3fff08da6f0a8dd9e7113e9b2b4ede
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OxyPlot.Wpf.xml
xml
MD5: 6086cf7b6c693af1b2f1964eff0a71ce
SHA256: 68ac04bfbf6d935fdf45a16832e41eaee464a40aa73b9b490f38cda327dcd754
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\NLog.xml
xml
MD5: 7149cf36a31e0de1ed71a19f46bbc88f
SHA256: 137dcdd847f025490874739684b0f7367f6a952dafc80523031dc8bc8f89d12e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\OxyPlot.pdb
pdb
MD5: d753f4d8454bf949c74ed23754cf5814
SHA256: c4b7991d845465d74c16582527431d0ca09621602adba9c4690c6a804230c123
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Shared.Utilities.pdb
pdb
MD5: 6bcb40dc9dc2dcbe02a8c5fc92572ed0
SHA256: 27de5cc7ca2e6905a0f6b74dc94554660486530c03ad35278b8adcdb85c9827c
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Newtonsoft.Json.xml
xml
MD5: 685161f38e4eff85b93161ff23117876
SHA256: 8e4f42413a3b84b49b47a85382243573a635af4fb6a9cf63b734b4b50b3252f7
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\MahApps.Metro.pdb
pdb
MD5: dc3493243757d469fe274a439dbd1b4d
SHA256: fcbf9998346f321b26ad70852ea2d852470685b9adbef9bb87b8e5c86823b153
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Microsoft.Threading.Tasks.xml
xml
MD5: 58ce53b954afa8eafee0d70787c0ccfe
SHA256: 4d3e9cd7064ccf9d4098a4514b30a4e8c9607c63d41e60058b4f144e76d46754
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.StaticCommands.pdb
pdb
MD5: dadd3f09dee1f0cfccbadf6ad5a0ed62
SHA256: c0de8599df04fc910cce5d2057a22cc07f97028f2945a1a349cf512768b12d3c
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\MahApps.Metro.xml
xml
MD5: 075d665ace802afd4f30517c29b12cbf
SHA256: 410592a120538491c3d054fec2b35404dae377418d06c81b8afca833bd7b25f0
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\WriteableBitmapEx.Wpf.xml
xml
MD5: 339d5be20e95c35110d08a6a9ee20ed0
SHA256: 9bb00b26892d217ceb1155ab5aba5962637f2e9b784b3b5cb4659abee70ce90f
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Sparrow.Chart.Wpf.40.xml
xml
MD5: f12ffaa48949f0feafd741cb95f33d0d
SHA256: d94ea55b743be06b016877cd1537621d9ebbef8b8d73fa382964ffa0c3cd047e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\MahApps.Metro.IconPacks.Material.xml
xml
MD5: 62ef921619818896565710f326941cc7
SHA256: 85f4106903d6ccf6636e86b298632dfe2ae927b17f11f5748257e0cc1108bd0a
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\MahApps.Metro.IconPacks.Material.pdb
pdb
MD5: be9fff6d99f61d173d2453d3d58c5aad
SHA256: 4074fe09c05d2e44ceeaca40c45be6abe18fbfb4bd2a17e192bdd375c1fab993
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Sorzus.Wpf.Toolkit.pdb
pdb
MD5: c329e7fcbacb7726a48ce4b2ffef8de6
SHA256: 761938388c633f16d7707a906a35afe2ed39321f597d6c5ccdf7b7f779d64bfe
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Shared.pdb
pdb
MD5: f70d3a606984d1570880e26781e78f4c
SHA256: 2e3636ec106d37472d9b1ca62d42d20b4e66b6db74fc5e967c4dcdacd115b2c9
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Lidgren.Network.pdb
pdb
MD5: daabfe443d4cef0ee6d8a8dd5f329ad4
SHA256: 8054f0a192da60c86b02acc99f0a301d74606dd8c800cf675a5645acd9d1fa47
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\TurboJpegWrapper.xml
xml
MD5: 1b17badfbd7187c9f345343212efe02a
SHA256: 3717343ba8ee00270229844711a41e86dc98a3b5f7b34d019ca565ed84246bac
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\ICSharpCode.AvalonEdit.xml
xml
MD5: 5950a341ad4ce47c8d7c2aa8ec668438
SHA256: da16d4b2088da6ce5ff6798869fa4858042820517473d349815de3067440f8e6
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.ViewModels.pdb
pdb
MD5: 12ab826c12f421bd851813aee4b52a60
SHA256: 29fafd872c93b0b60f8cee3b07f04a9ba0300c06962204f544e8d74dee4a913e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\GongSolutions.Wpf.DragDrop.pdb
pdb
MD5: 4f837c9e86409823986a1abf9c369938
SHA256: e7317cf612e9afb974c7c1b22502d0e10767c3a8658fffb10d140a4876cc66bc
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\GongSolutions.Wpf.DragDrop.xml
xml
MD5: 2ca851954e17814eaf3312904e634969
SHA256: 66e59265329996f0d5992f24f2db80445abfbec92e0380e0ffb043e02bb6c0cf
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\FluentCommandLineParser.xml
xml
MD5: e479f4c914c9c0fab2ecc86e31cd1d93
SHA256: 0cf7bc714b9a0e327723fd9728ef3b839e2f4f19eec7a2868127c88e810c7aea
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Plugins.pdb
pdb
MD5: f522b03a924ef4fc7735fa8545711bc7
SHA256: cc87eb693425431f06045dac687d903da64010fb53648ba67acb667e54f11ea0
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\FluentCommandLineParser.pdb
pdb
MD5: 53c0253afa7cf1c2a0c13a4d01869504
SHA256: 2d812996cbdc1fdeddc1a9a9807e7dccae1708cc11def2c950fdb77261a0f21f
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Vestris.ResourceLib.xml
xml
MD5: 0ae591058e03eab56f1f907e894eaffa
SHA256: ee44defc617559933622c1eb9498a39e674019eb246900185b7c8d380648eb4c
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Exceptionless.Signed.xml
xml
MD5: 308b3c954ce65836529da588a0a0c2ce
SHA256: 3b791329744524e9e3652f998b4650415cfef8f49f9503e08111b30936208373
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\TurboJpegWrapper.pdb
pdb
MD5: ba5468bfb486ab3c9594368614a9d936
SHA256: f4ec7af29a1ea0ca7699f26845cd450ad4947ebc022df6e0c94f3093a4f11958
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.ViewModels.dll.config
xml
MD5: e43cb7ae813c9025ba999bcdc97ad687
SHA256: 02aec367b0d22afcdf576637cd23aa2b123767b60b5322a1144dbcc0d073c73e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Protected.pdb
pdb
MD5: d7aa1fb324d4a261ba8259ab3c376d4e
SHA256: f391021c775fc1ecba72390457bfd0396851cf08c6dc683fbb5633a0d6d60c3e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.FileExplorer.pdb
pdb
MD5: 21af280fc71b1cc2b9e939dffb29a3f0
SHA256: 2dcb03c635f4f21b07478b17552b2fd18d2a58ed8f19c7028305ac67a9e91fbe
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Resources.pdb
pdb
MD5: 72c9f7b006e6e69a40786285bf9aad83
SHA256: 78c72ec9ed8fb2b3b67821141d8b5c3b02b4dfac140747adf267d4e6edc09953
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Plugins.pdb
pdb
MD5: b078559db78ce116e280918ee3ddcc9e
SHA256: 2ee855d5c45adf0b20b893f0ce161c1c9a4445c3d402b31f0e864dbf910dc2ef
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\CSCore.xml
xml
MD5: 8fe5e0d1f87f336fa36572f6416a112e
SHA256: de74ff28fac66264ab57fadc235cb6988263697ec0bf94388e6fbd7eca4ae33f
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Be.Windows.Forms.HexBox.xml
xml
MD5: b534569d28458990c1b2f68eafa60bc3
SHA256: 415ea2d9a22ab58e5f89ece1caf45fd61f2579ef0c700c990a997841f284e4e3
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\starksoft.aspen.pdb
pdb
MD5: 9e8ff9f668c301b6228136bb83557c45
SHA256: 4afe37f2d0d8eeb1a47978b32cb34ec12cfd1f376cf69db30858dd30f03c56d6
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\settings.json
text
MD5: 98f2e3e6ee779b96279dddc277ba6d30
SHA256: 1461aa839b4c2d0de78ba021d1ee3210adf69f3dd0d661ed7ae9160c7ad1ba4e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Administration.Core.pdb
pdb
MD5: 26ed4c8a9fd2479772430dd592b27fd8
SHA256: 9afdac52b1d0862ad6956f31248170406456576ecdacd5a3a06f0a82d78b92d7
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\WriteableBitmapEx.Wpf.pdb
pdb
MD5: 7ffdcd2234b593dad24a3f125158e2a1
SHA256: add1da80401389e5e2ae4f4c4e5848007787d4335eaac8320656638f8fbd61c3
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\Orcus.Administration-cracked.exe.config
xml
MD5: d689a8f25c2be9024f4841123b3e4053
SHA256: 7383bcefafa33afd801befed53528cf8b1f16eff9233ac106c3297cc5d54df1f
1244
Orcus.Administration-cracked.exe
C:\Users\admin\Desktop\settings (1).json
––
MD5:  ––
SHA256:  ––

Find more information on the static content, and download it, in the full report.
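The static-content list above is a flat sequence of six-line records (PID, process, path, type, MD5, SHA256). The following is an added example, not ANY.RUN code, that parses that layout into structured IOC entries, so the hashes can go straight into a blocklist, the entries can be grouped by the process that wrote them, and the same file written to two places (settings.json on the Desktop and in the Rar$DRa3624.49979 temp directory carry the same SHA256) is spotted. The record layout is inferred from the report text, the four sample records are copied from it, and the function names are this example's own. Placeholder entries like the last one (type and hashes shown as "––") are kept but their hashes are recorded as None rather than silently treated as digests.

```python
"""Turn flattened ANY.RUN-style 'static content' records (six lines per file:
PID, process, path, type, MD5, SHA256) into structured IOC entries.
Added example, not ANY.RUN code; the layout is inferred from the report."""
import ntpath
import re
from collections import Counter, defaultdict

# Four records copied from the report. The last one is the entry the report
# lists with "––" in place of its type and hashes.
SAMPLE = r"""
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Orcus.Shared.dll
executable
MD5: ff50d43370efe0bbb001155843dbcb32
SHA256: 496782100ff55259457a6bcd20b25b8a2b925e9830d9cc05be40114a30c1a1b1
1244
Orcus.Administration-cracked.exe
C:\Users\admin\Desktop\settings.json
text
MD5: 98f2e3e6ee779b96279dddc277ba6d30
SHA256: 1461aa839b4c2d0de78ba021d1ee3210adf69f3dd0d661ed7ae9160c7ad1ba4e
3624
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\settings.json
text
MD5: 98f2e3e6ee779b96279dddc277ba6d30
SHA256: 1461aa839b4c2d0de78ba021d1ee3210adf69f3dd0d661ed7ae9160c7ad1ba4e
1244
Orcus.Administration-cracked.exe
C:\Users\admin\Desktop\settings (1).json
––
MD5:  ––
SHA256:  ––
"""

_HEX = {"MD5": re.compile(r"^[0-9a-f]{32}$"), "SHA256": re.compile(r"^[0-9a-f]{64}$")}


def _hash_value(line, label):
    """Return the lowercase hex digest after 'LABEL:', or None for a placeholder."""
    if not line.startswith(label + ":"):
        raise ValueError(f"expected a {label} line, got {line!r}")
    value = line[len(label) + 1:].strip().lower()
    return value if _HEX[label].match(value) else None


def parse_records(text):
    """Parse six-line records; raises on a truncated or misaligned list."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 6:
        raise ValueError("record list is not a whole number of 6-line records")
    records = []
    for i in range(0, len(lines), 6):
        pid, process, path, ftype, md5, sha256 = lines[i:i + 6]
        if not pid.isdigit():
            raise ValueError(f"record {i // 6}: PID line is {pid!r}")
        records.append({
            "pid": int(pid),
            "process": process,
            "path": path,
            "name": ntpath.basename(path),  # Windows basename, backslash-aware
            "type": ftype,
            "md5": _hash_value(md5, "MD5"),
            "sha256": _hash_value(sha256, "SHA256"),
        })
    return records


def unique_sha256(records):
    """Distinct SHA256 values, skipping placeholder entries: a blocklist input."""
    return sorted({r["sha256"] for r in records if r["sha256"]})


def drops_per_process(records):
    """How many entries each process wrote (WinRAR extraction vs. the admin tool)."""
    return Counter(r["process"] for r in records)


def shared_hashes(records):
    """SHA256 values seen at more than one path, e.g. the same settings.json
    both in the RAR temp directory and on the Desktop."""
    paths = defaultdict(list)
    for r in records:
        if r["sha256"]:
            paths[r["sha256"]].append(r["path"])
    return {h: p for h, p in paths.items() if len(p) > 1}


def component_names(records, prefix="Orcus."):
    """Basenames of extracted files belonging to the named product family."""
    return sorted({r["name"] for r in records if r["name"].startswith(prefix)})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", len(unique_sha256(recs)), "distinct SHA256")
    print(drops_per_process(recs))
    print(shared_hashes(recs))
    print(component_names(recs))
```

Run against the whole list, `component_names` gives the Orcus.* assemblies (the RAT's administration panel, plugins and shared libraries) separately from the third-party WPF, logging and media libraries it ships with, and `unique_sha256` yields the deduplicated hash set for a blocklist.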

Network activity

HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
3
Threats
1

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
1244 Orcus.Administration-cracked.exe 198.54.117.197:443 Namecheap, Inc. US malicious
1244 Orcus.Administration-cracked.exe 40.85.179.199:443 Microsoft Corporation US unknown

DNS requests

Domain IP Reputation
orcus.pw No response suspicious
www.orcus.one 198.54.117.197, 198.54.117.198, 198.54.117.199, 198.54.117.200 unknown
collector.exceptionless.io 40.85.179.199 unknown

Threats

PID Process Class Message
–– –– Potentially Bad Traffic ET DNS Query to a *.pw domain - Likely Hostile
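The only alert in this report is a TLD-based DNS signature, and the connection table lists bare IPs that the DNS table explains. The following added example, not ANY.RUN or Emerging Threats code, shows the two checks an analyst does by hand here: flag queries to a watched TLD (the ET rule fires on *.pw), and join each TCP destination back to the name the sandbox resolved to it, so that 198.54.117.197:443 reads as www.orcus.one and 40.85.179.199:443 as collector.exceptionless.io. The DNS and connection rows are copied from the report; the watched-TLD set, the function names and the attribution logic are this example's assumptions.

```python
"""Correlate the report's DNS answers with its TCP connections and flag
queries to watched top-level domains. Added example, not ANY.RUN or
Emerging Threats code; rows are copied from the report, logic is assumed."""
from collections import defaultdict

# DNS rows copied from the report: (queried domain, answer IPs). An empty
# answer list stands for the report's "No response".
DNS_ROWS = [
    ("orcus.pw", []),
    ("www.orcus.one", ["198.54.117.197", "198.54.117.198",
                       "198.54.117.199", "198.54.117.200"]),
    ("collector.exceptionless.io", ["40.85.179.199"]),
]

# Connection rows copied from the report: (pid, process, destination IP, port).
CONNECTIONS = [
    (1244, "Orcus.Administration-cracked.exe", "198.54.117.197", 443),
    (1244, "Orcus.Administration-cracked.exe", "40.85.179.199", 443),
]

# Assumption: a TLD watchlist modelled on the single ET signature in the report.
WATCHED_TLDS = {"pw"}


def flag_tld_queries(dns_rows, watched=WATCHED_TLDS):
    """Domains whose TLD is on the watchlist, whether or not they resolved."""
    return [d for d, _ in dns_rows
            if d.rstrip(".").rsplit(".", 1)[-1].lower() in watched]


def unresolved_queries(dns_rows):
    """Queries that got no answer: a name that is down, sinkholed or never registered."""
    return [d for d, answers in dns_rows if not answers]


def attribute_connections(dns_rows, connections):
    """Join each connection's destination IP back to the name(s) the sandbox
    resolved to it, so 'IP:443' becomes 'domain:443' in the analyst's notes."""
    ip_to_names = defaultdict(set)
    for domain, answers in dns_rows:
        for ip in answers:
            ip_to_names[ip].add(domain)
    return [
        {"pid": pid, "process": proc, "ip": ip, "port": port,
         "domains": sorted(ip_to_names.get(ip, ()))}
        for pid, proc, ip, port in connections
    ]


def unattributed(dns_rows, connections):
    """Connections to IPs that no DNS answer explains (hard-coded addresses)."""
    return [c for c in attribute_connections(dns_rows, connections)
            if not c["domains"]]


if __name__ == "__main__":
    print("watched-TLD queries:", flag_tld_queries(DNS_ROWS))
    print("unresolved:", unresolved_queries(DNS_ROWS))
    for c in attribute_connections(DNS_ROWS, CONNECTIONS):
        print(f'{c["process"]} (pid {c["pid"]}) -> {c["ip"]}:{c["port"]} {c["domains"]}')
    print("unattributed:", unattributed(DNS_ROWS, CONNECTIONS))
```

On this report every connection is explained by a DNS answer, so `unattributed` is empty; the check earns its keep on samples with hard-coded C2 addresses. The connection to collector.exceptionless.io lines up with the Exceptionless.Signed.xml entry among the extracted libraries, which suggests the admin tool's crash-reporting client rather than RAT command traffic, while the unanswered orcus.pw query is the one the ET rule flagged.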

Debug output strings

No debug info.