Malware Analysis Report

2025-03-15 06:55

Sample ID 231219-y3r8kaehe2
Target 91d9c067cff61ba23182b0bff60db942
SHA256 3b1b7d9aae7a192cca60d19ebc5278b52ecc5bb1f9358eb367d56399658d9895
Tags
orcus evasion persistence rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3b1b7d9aae7a192cca60d19ebc5278b52ecc5bb1f9358eb367d56399658d9895

Threat Level: Known bad

The file 91d9c067cff61ba23182b0bff60db942 was found to be: Known bad.

Malicious Activity Summary

orcus evasion persistence rat spyware stealer

Orcus

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Orcurs Rat Executable

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-12-19 20:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 20:18

Reported

2023-12-20 10:31

Platform

win7-20231215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe"

Signatures

Orcus

rat spyware stealer orcus

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Broker\Broker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Broker\Broker.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Program Files (x86)\Broker\Broker.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine C:\Program Files (x86)\Broker\Broker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Broker = "\"C:\\Program Files (x86)\\Broker\\Broker.exe\"" C:\Program Files (x86)\Broker\Broker.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
N/A N/A C:\Program Files (x86)\Broker\Broker.exe N/A
N/A N/A C:\Program Files (x86)\Broker\Broker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Broker\Broker.exe.config C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File created C:\Program Files (x86)\Broker\Broker.exe C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File opened for modification C:\Program Files (x86)\Broker\Broker.exe C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
N/A N/A C:\Program Files (x86)\Broker\Broker.exe N/A
N/A N/A C:\Program Files (x86)\Broker\Broker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Broker\Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1720 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1720 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1720 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1720 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Program Files (x86)\Broker\Broker.exe
PID 1720 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Program Files (x86)\Broker\Broker.exe
PID 1720 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Program Files (x86)\Broker\Broker.exe
PID 1720 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe C:\Program Files (x86)\Broker\Broker.exe
PID 1060 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Broker\Broker.exe
PID 1060 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Broker\Broker.exe
PID 1060 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Broker\Broker.exe
PID 1060 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Broker\Broker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe

"C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Broker\Broker.exe

"C:\Program Files (x86)\Broker\Broker.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {21F17C99-0AA8-4F53-BAD1-C46FEAC6F79A} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\Program Files (x86)\Broker\Broker.exe

"C:\Program Files (x86)\Broker\Broker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 flywithmez.info udp
US 8.8.8.8:53 riskama.online udp

Files

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

\Program Files (x86)\Broker\Broker.exe

MD5 91d9c067cff61ba23182b0bff60db942
SHA1 8a071fa90f7a9d911eb97e401ac8be29ee831de2
SHA256 3b1b7d9aae7a192cca60d19ebc5278b52ecc5bb1f9358eb367d56399658d9895
SHA512 ff01cabd1cc13b546f7aa29fd4dc91fa041e1619ba08d6beab5e78ec23facfe2c88bee6b0e8f4135712a2ecd0bfc2650fe93f793faedd1fa0245fff5022d9ab5

C:\Program Files (x86)\Broker\Broker.exe

MD5 b0e5707241dddeebbbf9c24549441649
SHA1 931e48eae9a54f904027b6161abc3b2e578bd1bf
SHA256 59ce91dead47ff544ff22add2dfdb3e97cc867b5d8a66fdf6f22dcd1cd785e23
SHA512 073a97da3bfe9ed173f5c867b53fc64b5100fa0be8d8998768c8559494ee3d6a5b26720d26340f01c846d39d8a4be733bf4f54ae7005c9dda355630dd42501cf

C:\Program Files (x86)\Broker\Broker.exe

MD5 7c8daf7a69a4bebc3341831969c694c1
SHA1 f12c807d436a2a04831536883d903bbd5d52eed6
SHA256 9940cfedbc68cae90077746394a815bfee02879921b9c9895c96b00199423b0b
SHA512 aab9ed0d00b166a2a41aaa38db1da7f12db86a11ca0ebacadb4ab6c436fabe13aace3f6dc461918021946f674f12bd603cb30a243077ea1e03d5452f3325f3f1

C:\Program Files (x86)\Broker\Broker.exe

MD5 7d6309b13f129dfc269452fa5955d96d
SHA1 b979335cb2e58c38891cfe7811ddaf163f630895
SHA256 dc9e62d418ce9e7fdf196752bb0ca49de7979b06a26b3d0ff637c3a61786f43f
SHA512 23224c1ac0f907cc7f74a68b012aa755b91b67b19b2b4a9fe68807b4ad5b1296c42b9df4b2562e3df18fe14b2cfcb9bf3173bcc762d6cfc2bd822365a1517e95

C:\Program Files (x86)\Broker\Broker.exe

MD5 e5d52d7f1473a37dd8dbefa15fd62eaa
SHA1 90a50e46258c8221a10807d6ec35cb7920f4a224
SHA256 804eeb9b8d1090ae7ce661adecadc794e4a3ec2efcbc80ef396041771a3a09a3
SHA512 5ab3b319e5bd0d4acf5ce6708faa7896f189d8f117941b82a33792645ae8e7bb8969cccb6b78ae1570ddf1b5c06b3ce8db52fe2ef07a549a184660e66a288708

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 20:18

Reported

2023-12-20 10:32

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe"

Signatures

Orcus

rat spyware stealer orcus

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Broker\Broker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Broker\Broker.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Broker\Broker.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine C:\Program Files (x86)\Broker\Broker.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine C:\Program Files (x86)\Broker\Broker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Broker = "\"C:\\Program Files (x86)\\Broker\\Broker.exe\"" C:\Program Files (x86)\Broker\Broker.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
N/A N/A C:\Program Files (x86)\Broker\Broker.exe N/A
N/A N/A C:\Program Files (x86)\Broker\Broker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Broker\Broker.exe C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File opened for modification C:\Program Files (x86)\Broker\Broker.exe C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A
File created C:\Program Files (x86)\Broker\Broker.exe.config C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Broker\Broker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe

"C:\Users\Admin\AppData\Local\Temp\91d9c067cff61ba23182b0bff60db942.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Broker\Broker.exe

"C:\Program Files (x86)\Broker\Broker.exe"

C:\Program Files (x86)\Broker\Broker.exe

"C:\Program Files (x86)\Broker\Broker.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 flywithmez.info udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 riskama.online udp
US 8.8.8.8:53 flywithmez.info udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 riskama.online udp
US 8.8.8.8:53 flywithmez.info udp
US 8.8.8.8:53 riskama.online udp
US 8.8.8.8:53 flywithmez.info udp
US 8.8.8.8:53 riskama.online udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 flywithmez.info udp

Files

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files (x86)\Broker\Broker.exe

MD5 91d9c067cff61ba23182b0bff60db942
SHA1 8a071fa90f7a9d911eb97e401ac8be29ee831de2
SHA256 3b1b7d9aae7a192cca60d19ebc5278b52ecc5bb1f9358eb367d56399658d9895
SHA512 ff01cabd1cc13b546f7aa29fd4dc91fa041e1619ba08d6beab5e78ec23facfe2c88bee6b0e8f4135712a2ecd0bfc2650fe93f793faedd1fa0245fff5022d9ab5
