Malware Analysis Report

2025-03-15 06:49

Sample ID 240107-bdr5yacge6
Target 43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094
SHA256 43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094
Tags
client orcus rat spyware stealer persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094

Threat Level: Known bad

The file 43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094 was found to be: Known bad.

Malicious Activity Summary

client orcus rat spyware stealer persistence

Orcus

Orcurs Rat Executable

Orcus main payload

Orcus family

Orcurs Rat Executable

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 01:02

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 01:02

Reported

2024-01-07 01:05

Platform

win7-20231215-en

Max time kernel

15s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe

"C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B0B1E753-2AC1-4909-8D9A-E76FA1C6AF97} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

(taskeng.exe is the Windows 7 Task Scheduler engine. Its appearance in the sample's process tree, followed by a second Orcus.exe launch, is consistent with Orcus.exe being relaunched through a scheduled task for the Admin user, alongside the Run key recorded in behavioral2.)

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Local\Temp\windowss.exe

"C:\Users\Admin\AppData\Local\Temp\windowss.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 2676 "/protectFile"

C:\Users\Admin\AppData\Local\Temp\windowss.exe

"C:\Users\Admin\AppData\Local\Temp\windowss.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 2676 /protectFile

Network

Country Destination Domain Proto
N/A 192.168.219.110:10134 - tcp (10 connections)

All ten connections go to the same private (RFC 1918) address and port with no preceding DNS query, consistent with a server endpoint hard-coded in the Orcus client configuration and repeated reconnect attempts once the sandbox did not answer. No other destination was contacted in this run.

Files

memory/2188-0-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2188-1-0x0000000000CA0000-0x0000000000D8E000-memory.dmp

memory/2188-2-0x0000000004BD0000-0x0000000004C10000-memory.dmp

memory/2188-3-0x00000000005C0000-0x00000000005CE000-memory.dmp

memory/2188-4-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/2188-5-0x0000000000660000-0x0000000000672000-memory.dmp

memory/2188-7-0x0000000000770000-0x0000000000778000-memory.dmp

memory/2188-6-0x0000000000760000-0x0000000000768000-memory.dmp

memory/1692-17-0x0000000000040000-0x000000000004C000-memory.dmp

memory/1692-18-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

memory/1692-19-0x000000001ABF0000-0x000000001AC70000-memory.dmp

memory/2416-24-0x0000000000F00000-0x0000000000F0C000-memory.dmp

memory/2416-25-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

memory/1692-22-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

memory/2676-36-0x0000000000E40000-0x0000000000F2E000-memory.dmp

memory/2676-37-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2188-39-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2676-38-0x0000000004870000-0x00000000048B0000-memory.dmp

memory/2676-42-0x00000000047C0000-0x000000000480E000-memory.dmp

memory/2416-43-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

memory/2676-44-0x00000000043D0000-0x00000000043E8000-memory.dmp

memory/2676-46-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/660-48-0x0000000004900000-0x0000000004940000-memory.dmp

memory/660-47-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2676-49-0x0000000004860000-0x0000000004870000-memory.dmp

memory/2676-60-0x0000000004870000-0x00000000048B0000-memory.dmp

memory/1000-65-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/788-64-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/1000-62-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/1000-59-0x0000000000D40000-0x0000000000D48000-memory.dmp

memory/660-66-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/788-67-0x0000000074C50000-0x000000007533E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 01:02

Reported

2024-01-07 01:04

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Orcus\Orcus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\windowss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowss = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" C:\Program Files (x86)\Orcus\Orcus.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\windowss.exe N/A (32 occurrences)
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A (32 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\windowss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\windowss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4836 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4836 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 4836 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 4836 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 3504 wrote to memory of 1348 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\windowss.exe
PID 3504 wrote to memory of 1348 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\windowss.exe
PID 3504 wrote to memory of 1348 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\windowss.exe
PID 1348 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\windowss.exe C:\Users\Admin\AppData\Local\Temp\windowss.exe
PID 1348 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\windowss.exe C:\Users\Admin\AppData\Local\Temp\windowss.exe
PID 1348 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\windowss.exe C:\Users\Admin\AppData\Local\Temp\windowss.exe

Processes

Parent/child links and PIDs below are taken from the "Suspicious use of WriteProcessMemory" table (4836 -> 4140, 4836 -> 3504, 3504 -> 1348, 1348 -> 1552); the Orcus.exe PID is also confirmed by the 3504 argument on both windowss.exe command lines.

C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe (PID 4836)
    "C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe"

    C:\Windows\SysWOW64\WindowsInput.exe (PID 4140)
        "C:\Windows\SysWOW64\WindowsInput.exe" --install

    C:\Program Files (x86)\Orcus\Orcus.exe (PID 3504)
        "C:\Program Files (x86)\Orcus\Orcus.exe"

        C:\Users\Admin\AppData\Local\Temp\windowss.exe (PID 1348)
            "C:\Users\Admin\AppData\Local\Temp\windowss.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3504 /protectFile

            C:\Users\Admin\AppData\Local\Temp\windowss.exe (PID 1552)
                "C:\Users\Admin\AppData\Local\Temp\windowss.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3504 "/protectFile"

Processes with no parent recorded in the WriteProcessMemory table:

C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe
    "C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
N/A 192.168.219.110:10134 - tcp (11 connections)
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

The eleven TCP connections to 192.168.219.110:10134 are the same endpoint seen in behavioral1 and are made with no preceding DNS query, consistent with a server address hard-coded in the Orcus client configuration; because it is a private (RFC 1918) address it only identifies the operator's infrastructure on the network this build was made for. The g.bing.com / tse1.mm.bing.net traffic and the in-addr.arpa reverse lookups through 8.8.8.8 are consistent with background activity of the Windows 10 image rather than with the sample, and should not be carried into an IOC list without corroboration.

Files

memory/4836-0-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/4836-1-0x0000000000560000-0x000000000064E000-memory.dmp

memory/4836-2-0x0000000005160000-0x0000000005170000-memory.dmp

memory/4836-3-0x0000000004FB0000-0x0000000004FBE000-memory.dmp

memory/4836-4-0x0000000004FC0000-0x000000000501C000-memory.dmp

memory/4836-5-0x0000000005720000-0x0000000005CC4000-memory.dmp

memory/4836-6-0x0000000005170000-0x0000000005202000-memory.dmp

memory/4836-7-0x0000000005660000-0x0000000005672000-memory.dmp

memory/4836-8-0x0000000005670000-0x0000000005678000-memory.dmp

memory/4836-10-0x0000000005CD0000-0x0000000005D36000-memory.dmp

memory/4836-9-0x0000000005680000-0x0000000005688000-memory.dmp

memory/4836-11-0x0000000006360000-0x0000000006978000-memory.dmp

memory/4836-12-0x0000000005D90000-0x0000000005DA2000-memory.dmp

memory/4836-13-0x0000000005DF0000-0x0000000005E2C000-memory.dmp

memory/4836-14-0x0000000005E30000-0x0000000005E7C000-memory.dmp

memory/4836-15-0x0000000005FB0000-0x00000000060BA000-memory.dmp

memory/4836-17-0x0000000006980000-0x00000000069A2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 bc916f2187d3541bf14e2536174a2f43
SHA1 18ff97008380b21bbcb55eae5abd70c1bf99eaf1
SHA256 f80547788ada6b94c8df5f32429ae58bbf7f6b2fca37d6657c689ccff8a8a1b3
SHA512 10779565eddb0e3971b074c467c230322d2c11a170e3a7fef61f4657fc9e277ec86ac5f4ef39184f8242c188795c69a346f0d1a18cd5cfe080a37b5d95c9fe79

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4140-31-0x00000000008C0000-0x00000000008CC000-memory.dmp

memory/4140-32-0x00007FFC85690000-0x00007FFC86151000-memory.dmp

memory/4140-33-0x00000000029C0000-0x00000000029D0000-memory.dmp

memory/4140-35-0x000000001C4E0000-0x000000001C51C000-memory.dmp

memory/4140-34-0x0000000002980000-0x0000000002992000-memory.dmp

memory/4140-39-0x00007FFC85690000-0x00007FFC86151000-memory.dmp

memory/1816-41-0x00007FFC85690000-0x00007FFC86151000-memory.dmp

memory/1816-42-0x000000001A760000-0x000000001A770000-memory.dmp

memory/1816-43-0x000000001B430000-0x000000001B53A000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 f8613b155e0afd9a221bd01a2b8067ed
SHA1 96308d61b9a747c856b5771d0d9a9e822718cf33
SHA256 8756475a8f150b0cf983835118e85746464088da204ad829c1c322c2fae8706e
SHA512 68da87b651b9b884c773f5c4afe6108dd7fb8d30b1ab06774ed7b2c0413a987e4ca8c942cc14e4d3a3327f9c401747c9c9e4f864e2ed9acaaa970725191eb817

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 fe6bbdee04c142dd36971ac6c0d09482
SHA1 33d022d592f2e0a7c14b680164c0bee5c16d05c1
SHA256 4b44e1bfeff9ef7233d11fb846020178fd35c34a1ce12f08c4e65b45c9f35185
SHA512 0d122997062ff78079974790953cfb623df366af53f655bef8002450e9a83a5b332b31198c4317f3e67701980fa0ccca4727f0cdfe1bec4b87c70861a0484e01

memory/3504-60-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/3504-61-0x0000000005790000-0x00000000057A0000-memory.dmp

memory/4836-59-0x00000000747E0000-0x0000000074F90000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 42cce74433432a78c41d2821f03f7bb5
SHA1 72c13eaef860217dfb347c266970827b2f94cd7b
SHA256 04134b1f7e9f530651af282978dbc9bf45f9d439faad52e57d1fcbec77fd4fec
SHA512 32bf45d4f6c02954dadd874d400d9bf2f8e8dfc9121d7e3986d8547a45bdd7587db93338254d6100cebfb1327498bbd8e83b36fd429c4da2bbc4bce45244f500

memory/3504-64-0x00000000070B0000-0x00000000070FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\windowss\err_32bdde81ba50416d80618ca9b250805e.dat

MD5 482ee1e63e5991ef19ff19625bafcb4c
SHA1 b5304c6080396c43aeac1d6bafc9354543787fde
SHA256 f12ba503ce9cee7483b4417f353a6e2a99e107133472d2c70c1a3b9c0aced1b2
SHA512 6c0357e248b1dea52ad4ab591b5f4607741560f3f884f5966b6730f47d0685e46a694ee6be90ffe3bafdd1648e9de584c08165d0a111b76221fe2a35190e5a46

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 8fc829387d752a3b3a54a096be11142d
SHA1 30ac7abc098b80e2fe70940ea99629414a86cc18
SHA256 23109ae2418b24902a48d4df845700fa93a5454d0aba4bdce7152476c9e066ee
SHA512 b8a3a617f3b39430595a26bdbf5676e828721a8e50e6d849161546abd883c628bda70995ab931fde0387400edd47f5b20b5c9a3c589a8d47cc7c18303758d9f7

memory/3504-65-0x0000000007290000-0x00000000072A8000-memory.dmp

memory/3504-67-0x0000000007630000-0x00000000077F2000-memory.dmp

memory/2896-69-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/3504-68-0x00000000072E0000-0x00000000072F0000-memory.dmp

memory/3504-70-0x0000000007560000-0x000000000756A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windowss.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/1348-84-0x0000000000190000-0x0000000000198000-memory.dmp

memory/1348-85-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/1552-88-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/1348-89-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/2896-91-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/1816-92-0x00007FFC85690000-0x00007FFC86151000-memory.dmp

memory/1816-93-0x000000001A760000-0x000000001A770000-memory.dmp

memory/3504-94-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/3504-95-0x0000000005790000-0x00000000057A0000-memory.dmp

memory/1552-96-0x00000000747E0000-0x0000000074F90000-memory.dmp
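The behaviours this report records (WindowsInput.exe --install, the windowss.exe /launchSelfAndExit and /watchProcess watchdog spawned by Orcus.exe, the Run value named windowss, the files dropped under SysWOW64 and Program Files (x86)\Orcus, and the repeated connections to 192.168.219.110:10134) are what a detection engineer would encode. The Python below is an added example, not part of the sandbox output and not Orcus's own code: it runs rules derived from the behavioral2 tables over Sysmon-style process, registry, file and network event records. The event schema (field names EventType, Image, CommandLine, ParentImage, Hashes, TargetObject, Details, TargetFilename, DestinationIp, DestinationPort) is an assumption modelled on Sysmon, and the sample events are constructed from this report, not captured telemetry.

```python
# Added example, not part of the sandbox report or of Orcus. Matches Sysmon-style
# event dicts (field names assumed from Sysmon: EventType, Image, CommandLine, ParentImage,
# Hashes, TargetObject, Details, TargetFilename, DestinationIp, DestinationPort) against this report.
import re

# Paths written by the sample ("Drops file in System32 / Program Files directory").
DROPPED_PATHS = {
    r"c:\windows\syswow64\windowsinput.exe",
    r"c:\windows\syswow64\windowsinput.exe.config",
    r"c:\windows\syswow64\windowsinput.installstate",
    r"c:\program files (x86)\orcus\orcus.exe",
    r"c:\program files (x86)\orcus\orcus.exe.config",
}
# Run value "windowss" -> Orcus.exe ("Adds Run key to start application").
RUN_VALUE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\windowss$", re.I)
WATCHDOG_FLAGS = ("/watchprocess", "/launchselfandexit", "/protectfile")  # windowss.exe switches, lower-cased
C2_ENDPOINT = ("192.168.219.110", 10134)  # the only endpoint contacted in both detonations
# SHA256 values from the Files section; the sandbox recorded more than one hash
# for the same path, so carry all of them rather than guessing the final write.
KNOWN_SHA256 = {
    "43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094",  # submitted sample
    "f80547788ada6b94c8df5f32429ae58bbf7f6b2fca37d6657c689ccff8a8a1b3",  # WindowsInput.exe
    "8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337",  # WindowsInput.exe
    "8756475a8f150b0cf983835118e85746464088da204ad829c1c322c2fae8706e",  # Orcus.exe
    "8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a",  # windowss.exe
}

def _norm(path):
    # Lower-case and drop the quotes Sysmon keeps around quoted image paths.
    return path.strip().strip('"').lower()

def _sha256(hashes):
    # Pull SHA256 out of a Sysmon "Hashes" field such as "MD5=...,SHA256=...".
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def match_event(ev):
    """Return the names of every rule one event satisfies (empty list if none)."""
    hits = []
    kind = ev.get("EventType")
    if kind == "ProcessCreate":
        image = _norm(ev.get("Image", ""))
        parent = _norm(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith(r"\windowsinput.exe") and "--install" in cmd:
            hits.append("orcus_windowsinput_install")   # "WindowsInput.exe" --install
        if image.endswith(r"\windowss.exe") and any(f in cmd for f in WATCHDOG_FLAGS):
            hits.append("orcus_watchdog_cmdline")       # /watchProcess ... /protectFile
        if parent.endswith(r"\orcus.exe") and image.endswith(r"\windowss.exe"):
            hits.append("orcus_spawns_watchdog")        # PID 3504 -> 1348 in the report
        if _sha256(ev.get("Hashes", "")) in KNOWN_SHA256:
            hits.append("orcus_known_hash")
    elif kind == "RegistryValueSet":
        if RUN_VALUE_RE.search(ev.get("TargetObject", "")) and "orcus.exe" in ev.get("Details", "").lower():
            hits.append("orcus_run_key_persistence")
    elif kind == "FileCreate":
        if _norm(ev.get("TargetFilename", "")) in DROPPED_PATHS:
            hits.append("orcus_dropped_file")
    elif kind == "NetworkConnect":
        if (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))) == C2_ENDPOINT:
            hits.append("orcus_c2_endpoint")
    return hits

def scan(events):
    """Count hits per rule over an event stream; an empty dict means nothing matched."""
    counts = {}
    for ev in events:
        for rule in match_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts

# Constructed events mirroring the behavioral2 tables; not captured telemetry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094.exe"
ORCUS = r"C:\Program Files (x86)\Orcus\Orcus.exe"
WATCHDOG = r"C:\Users\Admin\AppData\Local\Temp\windowss.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=43db97a85f8d26642b446aee887a1ceb45b304b2877230e4101fa870add86094"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\WindowsInput.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\SysWOW64\WindowsInput.exe" --install'},
    {"EventType": "ProcessCreate", "Image": WATCHDOG, "ParentImage": ORCUS,
     "CommandLine": f'"{WATCHDOG}" /launchSelfAndExit "{ORCUS}" 3504 /protectFile'},
    {"EventType": "ProcessCreate", "Image": WATCHDOG, "ParentImage": WATCHDOG,
     "CommandLine": f'"{WATCHDOG}" /watchProcess "{ORCUS}" 3504 "/protectFile"'},
    {"EventType": "RegistryValueSet", "Image": ORCUS, "Details": f'"{ORCUS}"',
     "TargetObject": r"HKU\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowss"},
    {"EventType": "FileCreate", "Image": SAMPLE, "TargetFilename": r"C:\Windows\SysWOW64\WindowsInput.exe"},
    {"EventType": "FileCreate", "Image": SAMPLE, "TargetFilename": r"C:\Program Files (x86)\Orcus\Orcus.exe.config"},
    {"EventType": "NetworkConnect", "Image": ORCUS, "DestinationIp": "192.168.219.110", "DestinationPort": 10134},
    # Background traffic of the Windows 10 image, kept to show that it does not fire.
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "204.79.197.200", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {n}")
```

The path and command-line rules (the --install step, the /watchProcess and /launchSelfAndExit switches, a Run value named windowss that points at Orcus.exe, and Orcus.exe spawning windowss.exe) are the durable part; the hash set is included for completeness, but since the Files section lists several hashes for the same path, hash matching alone will miss rebuilt clients. The C2 rule is specific to this build because the configured server is a private address; the bing traffic in the last event illustrates why the Windows 10 background connections in the network table were not turned into rules.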