Malware Analysis Report

2025-03-15 06:53

Sample ID 231219-1qp9jsbean
Target ac911d58b1fe06ccafd6697c665451d4
SHA256 0dbac1adb12dab36645992c3e54c3e8a1f095694a380562fdfcfa62b5e0dfcde
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0dbac1adb12dab36645992c3e54c3e8a1f095694a380562fdfcfa62b5e0dfcde

Threat Level: Known bad

The file ac911d58b1fe06ccafd6697c665451d4 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus main payload

Orcus family

Orcus

Orcurs Rat Executable

Orcurs Rat Executable

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-19 21:51

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 21:51

Reported

2023-12-20 06:37

Platform

win7-20231215-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical rows)

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A
File opened for modification | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A
File created | C:\Windows\INF\recov\RuntimeBroker.exe.config | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings | C:\Windows\SysWOW64\rundll32.exe | N/A (21 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\INF\recov\RuntimeBroker.exe | N/A (40 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\INF\recov\RuntimeBroker.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2172 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | C:\Windows\SysWOW64\WindowsInput.exe (4 identical rows)
PID 2172 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | C:\Windows\INF\recov\RuntimeBroker.exe (4 identical rows)
PID 2124 wrote to memory of 2160 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\INF\recov\RuntimeBroker.exe (4 identical rows)
PID 2568 wrote to memory of 2660 | N/A | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2660 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (4 identical rows)
PID 2568 wrote to memory of 1980 | N/A | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 1980 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (4 identical rows)
PID 2568 wrote to memory of 2004 | N/A | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2004 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (4 identical rows)
PID 2568 wrote to memory of 1400 | N/A | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 1400 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (4 identical rows)
PID 2568 wrote to memory of 2268 | N/A | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2268 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (1 row)

Processes

C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe

"C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\INF\recov\RuntimeBroker.exe

"C:\Windows\INF\recov\RuntimeBroker.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {65482A9D-034C-48E4-B683-958541DCD8D2} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Windows\INF\recov\RuntimeBroker.exe

C:\Windows\INF\recov\RuntimeBroker.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Steam

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Steam"

(The rundll32.exe / AcroRd32.exe pair above, with identical command lines, appears 21 times in alternation in the process list, followed by a 22nd rundll32.exe instance with the same command line.)

Network

Country | Destination | Domain | Proto
N/A | 192.168.178.20:10134 |  | tcp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp

Files

memory/2172-1-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2172-0-0x0000000000C00000-0x0000000000D08000-memory.dmp

memory/2172-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

memory/2172-3-0x0000000000280000-0x000000000028E000-memory.dmp

memory/2172-4-0x0000000000AF0000-0x0000000000B4C000-memory.dmp

memory/2172-5-0x00000000002D0000-0x00000000002E2000-memory.dmp

\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2376-14-0x0000000000A10000-0x0000000000A1C000-memory.dmp

memory/2376-15-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/2376-16-0x0000000001F70000-0x0000000001FF0000-memory.dmp

memory/2376-19-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/2732-21-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

\Windows\inf\recov\RuntimeBroker.exe

MD5 ea3c11036577e0bdb1dbc67ca98bbc92
SHA1 b746e1cd632db045f7905a58bf881ed782984368
SHA256 aa3ae199c75c9de4e786512071ca909faf2d1b8014c0bcc361990d23d2ffec95
SHA512 00e6ab330d91f7ae44b2e684a00ff5df4747bd9006563e0581af65265334cd94104bdd1e319b4a8f085009f726447f2a0e7050da73600b4c3e7a2eaad9194d63

C:\Windows\inf\recov\RuntimeBroker.exe

MD5 9701501baef216f9bb1ba360d16a7f0b
SHA1 6f9cd2190c2e0024e2002524198166aef15d4e14
SHA256 56890609fb23d2f3caaab5e2e34e8badbcd420234bf9e33cf9acc757fc797d58
SHA512 795c0327cc4c916fdce639e372e6e6d649cca799ad14f2847dc9718fbef297ab2f9fd15f4e87c72cdc7ab8f0a8b166fd218c034f8c7d6306ccc100efafcf1637

C:\Windows\INF\recov\RuntimeBroker.exe

MD5 b2db56a5ca69d5c1e4296f038e6a34af
SHA1 ffb081bc369b0cbb5b556eeb1a7c4102e6880438
SHA256 431cdc0dc5c9213b32a617825e273b4fcbba03e4b02382d47988d84b9c59b9e6
SHA512 748a7358e2ff3df6cec1aa57c2a93b1d757f1049c3d65bed9a3627cd54440e936ce6f798e41fba442cc8848336161a288879f1e4c768f697cb7a8baad47579f0

C:\Windows\inf\recov\RuntimeBroker.exe

MD5 6e16af94810db40567dbf99592f487c5
SHA1 de0c5612ba8094860e0841db2960d4a2a69ba25d
SHA256 78344f5e6169d2fb9a2a62cb053633eb8f2c97fa7496555f08311d1365664d43
SHA512 56a2498dcc51aba1ed964f45399c922333ed49618a13d2c984dd8209b9e3f3f15fae62f692fd3fc9fe892cae9dc850902270dd5ec7f8e7b8021c33669867f40e

memory/2568-33-0x0000000000A80000-0x0000000000B88000-memory.dmp

memory/2172-32-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2568-34-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2568-35-0x0000000000A10000-0x0000000000A50000-memory.dmp

memory/2568-36-0x0000000004C00000-0x0000000004C4E000-memory.dmp

memory/2568-37-0x0000000002230000-0x0000000002248000-memory.dmp

C:\Windows\inf\recov\RuntimeBroker.exe

MD5 ac911d58b1fe06ccafd6697c665451d4
SHA1 ded22a883d85fd21d97dd0fc8b75b8e02b200f7e
SHA256 0dbac1adb12dab36645992c3e54c3e8a1f095694a380562fdfcfa62b5e0dfcde
SHA512 6dfa086a1a3cf32252b42fd70c6036dca48d75405ad74a2835f1dd608e58049efc7465d6458f36ce027b9a2d7b1c65d5558dabc0a511454aa4b8a061338f67c9

memory/2160-39-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2160-40-0x0000000004930000-0x0000000004970000-memory.dmp

memory/2568-41-0x00000000020E0000-0x00000000020F0000-memory.dmp

memory/2160-45-0x0000000074C50000-0x000000007533E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Steam

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2732-47-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

memory/2568-48-0x0000000074C50000-0x000000007533E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2eb8aad31fe78637bd862f61ec0f8259
SHA1 7ae36cfa414df4983afd0ffbabfe51d9e001d508
SHA256 51b38ff03810c427b0e058b963018c67ffdd043a301caeb3fd4cab6d80b4fb2d
SHA512 4b355aa05e91c888d4018df48bec3ac391bc6d209adce7f4adb86c2606c8bfc375bc4c2333b7b14e39caaa839e426789840183bd136d12c5f61ca9121acf3f10

memory/2568-64-0x0000000000A10000-0x0000000000A50000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 21:51

Reported

2023-12-20 06:35

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical rows)

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A
File opened for modification | C:\Windows\INF\recov\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A
File created | C:\Windows\INF\recov\RuntimeBroker.exe.config | C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Windows\INF\recov\RuntimeBroker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe

"C:\Users\Admin\AppData\Local\Temp\ac911d58b1fe06ccafd6697c665451d4.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\INF\recov\RuntimeBroker.exe

"C:\Windows\INF\recov\RuntimeBroker.exe"

C:\Windows\INF\recov\RuntimeBroker.exe

C:\Windows\INF\recov\RuntimeBroker.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
N/A | 192.168.178.20:10134 |  | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
DE | 178.200.180.146:10134 |  | tcp
N/A | 192.168.178.20:10134 |  | tcp
DE | 178.200.180.146:10134 |  | tcp

Files

memory/1520-0-0x00000000007F0000-0x00000000008F8000-memory.dmp

memory/1520-1-0x00000000744F0000-0x0000000074CA0000-memory.dmp

memory/1520-2-0x00000000053D0000-0x00000000053E0000-memory.dmp

memory/1520-3-0x0000000005260000-0x000000000526E000-memory.dmp

memory/1520-4-0x0000000005270000-0x00000000052CC000-memory.dmp

memory/1520-5-0x0000000005990000-0x0000000005F34000-memory.dmp

memory/1520-6-0x0000000005480000-0x0000000005512000-memory.dmp

memory/1520-7-0x0000000005470000-0x0000000005482000-memory.dmp

memory/1520-8-0x0000000005950000-0x0000000005972000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4924-22-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/4924-23-0x0000000002A90000-0x0000000002AA2000-memory.dmp

memory/4924-25-0x00007FFEE9230000-0x00007FFEE9CF1000-memory.dmp

memory/4924-24-0x0000000002B20000-0x0000000002B5C000-memory.dmp

memory/4924-26-0x0000000002B10000-0x0000000002B20000-memory.dmp

memory/4924-30-0x00007FFEE9230000-0x00007FFEE9CF1000-memory.dmp

memory/2888-33-0x0000000019FD0000-0x0000000019FE0000-memory.dmp

memory/2888-32-0x00007FFEE9230000-0x00007FFEE9CF1000-memory.dmp

memory/2888-34-0x000000001A530000-0x000000001A63A000-memory.dmp

C:\Windows\INF\recov\RuntimeBroker.exe

MD5 57dfe928653b4c92bc5c0624d57f9d5e
SHA1 87021a5abe8d84deb95b171b799e182df6e53f14
SHA256 f3b5894ff729270a0c605e78cb4965f0a41a7502a9473012e9277f1a78b29605
SHA512 2492447cd764b2c410336c0b2039209cf9eed053be62a6b67dff637a4d9be718d257d6403e9a0daa02fb7c02dd3e39f71c590c1acfe8f7df34ee53a77a0c492b

C:\Windows\INF\recov\RuntimeBroker.exe

MD5 12792f50576d27c6da0bfa5a00c47197
SHA1 a3ca7f13681e70852df2d0ed6d52b603139df28a
SHA256 3aeabaab99faa31e22bc16055d6fbd30cf3c2235da0bd817510d58c6cfe63f04
SHA512 b59fff50e4192950aea1cdebd3b885aa60baab8f3c331a8ea6208f7334bdcbf02803256b329689b59070709fee2279f2aa0e556def430b4db2e9e951e69c13f7

C:\Windows\INF\recov\RuntimeBroker.exe

MD5 a5f6556acbc6d3b2b97306de75defa14
SHA1 18e8f35244c8f47e1af597ec2ad7bb4fc9b4cf49
SHA256 efbc2c5602f198d1ff3966df83a7896278fa69f9244a209f133cc07817d10f42
SHA512 931a496b262c524e26c028e1a6a75e15298af08499714c10a4948195df1fc0de5d673cbe8dc8803d0132822d0534de792ec6ea3f644358739dcbd2c610c4b281

memory/4808-51-0x00000000744F0000-0x0000000074CA0000-memory.dmp

memory/1520-50-0x00000000744F0000-0x0000000074CA0000-memory.dmp

memory/4808-52-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

memory/4808-53-0x0000000006140000-0x000000000618E000-memory.dmp

memory/4808-55-0x0000000006AC0000-0x0000000006AD8000-memory.dmp

memory/4808-57-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/4808-58-0x0000000006CA0000-0x0000000006CAA000-memory.dmp

memory/3936-56-0x00000000744F0000-0x0000000074CA0000-memory.dmp

C:\Windows\INF\recov\RuntimeBroker.exe

MD5 96f84cad8f8a5f8f502cb22129ea6f60
SHA1 2775345645d407fb9b189ca2013b7095a0b2f6f8
SHA256 d582ec3484dd5a039db898317e607db77acedf87cb070c38999dbcad1cfa27c4
SHA512 d67f4749abfcc55fdce8ee06268109ae712ae4469a458d8e45722c0b757238a837f7334d51a0b57fe90039f5432e2c816e86d0393826581a632518fda433503a

memory/3936-63-0x00000000744F0000-0x0000000074CA0000-memory.dmp

memory/2888-64-0x00007FFEE9230000-0x00007FFEE9CF1000-memory.dmp

memory/4808-65-0x00000000744F0000-0x0000000074CA0000-memory.dmp
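The indicators in this analysis (the drop paths under SysWOW64 and INF\recov, the dropped-file hashes, the WindowsInput.exe --install command line and the TCP traffic to port 10134) are enough to build a simple host sweep. The script below is an added example, not part of the sandbox report or of any vendor tooling: it takes the indicators straight from the sections above and runs them over a handful of constructed Sysmon-style event records (not real telemetry). Two assumptions are labelled in the code: that the genuine RuntimeBroker.exe lives only in %SystemRoot%\System32, so the same name anywhere else is a masquerade, and that a connection to port 10134 from an unknown host is only a medium-confidence indicator, since the port is a build setting rather than a fixed Orcus property.

```python
"""IOC sweep for the Orcus RAT sample in this report.

Added example, not part of the sandbox report. Indicators come from the
report's Files, Processes and Network sections; SAMPLE_EVENTS is constructed
test data, not real telemetry.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# SHA256 of the dropped executables listed under Files.
DROPPED_SHA256 = {
    "8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337",  # WindowsInput.exe
    "f3b5894ff729270a0c605e78cb4965f0a41a7502a9473012e9277f1a78b29605",  # RuntimeBroker.exe
    "3aeabaab99faa31e22bc16055d6fbd30cf3c2235da0bd817510d58c6cfe63f04",  # RuntimeBroker.exe
    "efbc2c5602f198d1ff3966df83a7896278fa69f9244a209f133cc07817d10f42",  # RuntimeBroker.exe
    "d582ec3484dd5a039db898317e607db77acedf87cb070c38999dbcad1cfa27c4",  # RuntimeBroker.exe
}

# Drop locations from "Drops file in System32 directory" / "Drops file in Windows directory".
DROPPED_PATHS = {
    r"c:\windows\syswow64\windowsinput.exe",
    r"c:\windows\syswow64\windowsinput.exe.config",
    r"c:\windows\syswow64\windowsinput.installstate",
    r"c:\windows\inf\recov\runtimebroker.exe",
    r"c:\windows\inf\recov\runtimebroker.exe.config",
}

# C2 endpoints from the Network section: (destination IP, TCP port).
C2_ENDPOINTS = {("178.200.180.146", 10134), ("192.168.178.20", 10134)}
C2_PORT = 10134  # assumption: port is fixed in this build; alone it is a weaker indicator

# Assumption: the genuine RuntimeBroker.exe only ever runs from System32.
LEGIT_RUNTIMEBROKER_DIR = r"c:\windows\system32"


@dataclass(frozen=True)
class Event:
    kind: str            # "file", "process" or "network"
    image: str = ""      # file path (file) or process image path (process/network)
    cmdline: str = ""
    sha256: str = ""
    dst_ip: str = ""
    dst_port: int = 0
    proto: str = ""


@dataclass(frozen=True)
class Hit:
    severity: str        # "high" or "medium"
    rule: str
    event: Event


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def check_file(ev: Event) -> list[Hit]:
    hits = []
    if ev.sha256.lower() in DROPPED_SHA256:
        hits.append(Hit("high", "known Orcus dropped-file hash", ev))
    if _norm(ev.image) in DROPPED_PATHS:
        hits.append(Hit("high", "file written to known Orcus drop path", ev))
    return hits


def check_process(ev: Event) -> list[Hit]:
    hits = []
    path = _norm(ev.image)
    name, directory = ntpath.basename(path), ntpath.dirname(path)
    if name == "runtimebroker.exe" and directory != LEGIT_RUNTIMEBROKER_DIR:
        hits.append(Hit("high", "RuntimeBroker.exe running outside System32", ev))
    if name == "windowsinput.exe" and "--install" in ev.cmdline.lower():
        hits.append(Hit("high", "WindowsInput.exe --install (persistence installer)", ev))
    return hits


def check_network(ev: Event) -> list[Hit]:
    if ev.proto.lower() != "tcp":
        return []
    if (ev.dst_ip, ev.dst_port) in C2_ENDPOINTS:
        return [Hit("high", "connection to known Orcus C2 endpoint", ev)]
    if ev.dst_port == C2_PORT:
        return [Hit("medium", "TCP to Orcus C2 port 10134, unknown host", ev)]
    return []


def sweep(events: list[Event]) -> list[Hit]:
    """Run every rule over every event and return all hits, in event order."""
    dispatch = {"file": check_file, "process": check_process, "network": check_network}
    hits: list[Hit] = []
    for ev in events:
        hits.extend(dispatch[ev.kind](ev))
    return hits


# Constructed sample events (not real logs): one benign RuntimeBroker, the
# masqueraded copy, the installer command line, a dropped file matching both
# hash and path, the C2 connection, a benign DNS lookup, and an unknown host on 10134.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\RuntimeBroker.exe", cmdline="RuntimeBroker.exe -Embedding"),
    Event("process", image=r"C:\Windows\INF\recov\RuntimeBroker.exe", cmdline=r'"C:\Windows\INF\recov\RuntimeBroker.exe"'),
    Event("process", image=r"C:\Windows\SysWOW64\WindowsInput.exe", cmdline=r'"C:\Windows\SysWOW64\WindowsInput.exe" --install'),
    Event("file", image=r"C:\Windows\SysWOW64\WindowsInput.exe",
          sha256="8DBE814359391ED6B0B5B182039008CF1D00964DA9FBC4747F46242A95C24337"),
    Event("network", image=r"C:\Windows\INF\recov\RuntimeBroker.exe", dst_ip="178.200.180.146", dst_port=10134, proto="tcp"),
    Event("network", image=r"C:\Windows\INF\recov\RuntimeBroker.exe", dst_ip="8.8.8.8", dst_port=53, proto="udp"),
    Event("network", image=r"C:\Windows\INF\recov\RuntimeBroker.exe", dst_ip="203.0.113.9", dst_port=10134, proto="tcp"),
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_EVENTS):
        print(f"[{h.severity:>6}] {h.rule}: {h.event.image or h.event.dst_ip}")
```

On a live host the Event records would come from Sysmon event IDs 1 (process create), 3 (network connect) and 11 (file create); the path normalisation matters because the report shows the same binary referenced as both `C:\Windows\system32\...` and `C:\Windows\SysWOW64\...`, and hashes arrive in mixed case from different tools.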