Malware Analysis Report

2025-03-15 06:49

Sample ID 240109-w4sjlsfefl
Target Calculator14VGAexe.exe
SHA256 be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588
Tags
orcus tg persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588

Threat Level: Known bad

The file Calculator14VGAexe.exe was found to be: Known bad.

Malicious Activity Summary

orcus tg persistence rat spyware stealer

Orcus

Orcurs Rat Executable

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-09 18:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-09 18:28

Reported

2024-01-09 18:33

Platform

win7-20231215-en

Max time kernel

18s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Program Files (x86)\Java8update\updaterjava9.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\RobloxJavaMaster = "\"C:\\Program Files (x86)\\Java8update\\updaterjava9.exe\"" | C:\Program Files (x86)\Java8update\updaterjava9.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A
N/A | N/A | C:\Program Files (x86)\Java8update\updaterjava9.exe | N/A
N/A | N/A | C:\Program Files (x86)\Java8update\updaterjava9.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Java8update\updaterjava9.exe | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A
File opened for modification | C:\Program Files (x86)\Java8update\updaterjava9.exe | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A
File created | C:\Program Files (x86)\Java8update\updaterjava9.exe.config | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A
N/A | N/A | C:\Program Files (x86)\Java8update\updaterjava9.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2828 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2828 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2828 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2828 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2828 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Program Files (x86)\Java8update\updaterjava9.exe
PID 2828 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Program Files (x86)\Java8update\updaterjava9.exe
PID 2828 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Program Files (x86)\Java8update\updaterjava9.exe
PID 2828 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Program Files (x86)\Java8update\updaterjava9.exe
PID 2828 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Program Files (x86)\Java8update\updaterjava9.exe
PID 2828 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Program Files (x86)\Java8update\updaterjava9.exe
PID 2828 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | C:\Program Files (x86)\Java8update\updaterjava9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe

"C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Java8update\updaterjava9.exe

"C:\Program Files (x86)\Java8update\updaterjava9.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B539EF4E-4B65-4330-84F7-6FBD9B9532CC} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Program Files (x86)\Java8update\updaterjava9.exe

"C:\Program Files (x86)\Java8update\updaterjava9.exe"

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe

"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /launchSelfAndExit "C:\Program Files (x86)\Java8update\updaterjava9.exe" 2168 /protectFile

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe

"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /watchProcess "C:\Program Files (x86)\Java8update\updaterjava9.exe" 2168 "/protectFile"

Network

Country | Destination | Domain | Proto
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp

Files

memory/2828-0-0x0000000000130000-0x00000000005A4000-memory.dmp

memory/2828-2-0x0000000000130000-0x00000000005A4000-memory.dmp

memory/2828-1-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2828-3-0x00000000055C0000-0x0000000005600000-memory.dmp

memory/2828-4-0x00000000022A0000-0x00000000022AE000-memory.dmp

memory/2828-5-0x0000000002B20000-0x0000000002B7C000-memory.dmp

memory/2828-6-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/2828-8-0x00000000023F0000-0x00000000023F8000-memory.dmp

memory/2828-7-0x00000000023E0000-0x00000000023E8000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2716-18-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

memory/2716-19-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

memory/2716-20-0x000000001B400000-0x000000001B480000-memory.dmp

memory/2716-23-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

memory/2624-25-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

memory/2624-26-0x00000000198A0000-0x0000000019920000-memory.dmp

\Program Files (x86)\Java8update\updaterjava9.exe

MD5 f39e4efd6fcc8248c1cc2f69078b9c28
SHA1 3671ca05130321b28a7dbe833c17dd9777760751
SHA256 9e32072759002a881576e8d136d20f2722d956c0e0bac2c2b7e33248dbc1af9f
SHA512 3f82a896e1757e0352c2c37c4c56e5b488637af608a2615f163e4ac11b8b30c851d22e55ba78d646b8ba0fdfcf50ef74611dd717bd965a61756819512fc3e72e

\??\c:\program files (x86)\java8update\updaterjava9.exe

MD5 69546c55bc2c9e967d2e45c0247d6a70
SHA1 db6d9594099e7687038e2f6ac40daba5ce1fd829
SHA256 6a3bb15b41b4b5d195e1273e2c483bdc3a15e228b327938d112ac33eeeeff874
SHA512 a4082019369b0e2b27bca122bf62df87baf2012394d032177c1f63541f5e764237297c052b9fb8cbb8f9765c08f4e82977be5ee27d1edfb398dd29f8a7ced328

C:\Program Files (x86)\Java8update\updaterjava9.exe

MD5 874202df303f602a991febc9925e5bbb
SHA1 609556f1c3f7b96bfed02776846fd11cdd8d23e3
SHA256 1b496cf6ae19560d09e55959047d3e4a04cb2c9859aea03224efcf20de331578
SHA512 81767e258b383efb911e7e0d751dd8b66865849173261e93afb25a018ee4110e07de53a7c0ff27286321d55a65d3d92abb7d04d3bc49eca2172894f3f4bfa041

C:\Program Files (x86)\Java8update\updaterjava9.exe

MD5 20fdf1beffa96d617b2e4b14d6d4ebbd
SHA1 86338fade369cae9d456f44ad984decdfddb9722
SHA256 8eacf1a84ac2fe14d210c374efbdce2b00ff5d1dbe5a710d0272999ac1dc8f68
SHA512 05176ddeb2959a969ecd808ddcf0b684e4e0eff0e74f661cf5c8c4ebea7bf102dcff2b0f9f86d2b0211f1a02d651382337b45b76204ff8ae4e5c80c0c4cc6aa7

memory/2168-36-0x0000000001200000-0x0000000001674000-memory.dmp

memory/2168-39-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2168-41-0x0000000001200000-0x0000000001674000-memory.dmp

memory/2168-43-0x0000000003070000-0x00000000030B0000-memory.dmp

memory/2828-42-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2168-40-0x0000000001200000-0x0000000001674000-memory.dmp

memory/2828-44-0x0000000000130000-0x00000000005A4000-memory.dmp

memory/2168-45-0x0000000000A90000-0x0000000000AA2000-memory.dmp

C:\Users\Admin\AppData\Roaming\NVIDlA\err_a867e8d19abf423285769fa6d8e47601.dat

MD5 73e5bab7da043419d9fbb9a25e81af8f
SHA1 2ddc759d3b2ec24c6319521dae54e4c1b59c54de
SHA256 59d443f8803d8e90200e90ab2ea2fcb05759117aff5cb945b8c00a37e8f47bef
SHA512 79e43d4003d82306447f3f027752d57e86a5725a1727433ef7ea1ad265e0bcd1bb2052a676fcae15d53dd36809bbad3256b4377b6da0facf42511452b13444e7

memory/2168-48-0x0000000002D20000-0x0000000002D6E000-memory.dmp

memory/2168-49-0x0000000002DC0000-0x0000000002DD8000-memory.dmp

memory/2168-50-0x0000000002EF0000-0x0000000002F00000-memory.dmp

C:\Program Files (x86)\Java8update\updaterjava9.exe

MD5 8417700ec3578fa0b73f356882efdfd2
SHA1 35786a26be89eb3c3761068bd724bd500dfe068a
SHA256 1140edf1cdb34a129c371639cfcc97af55cda5d50cc1dd8dbcfa668a5650da42
SHA512 16b190cf8b8491c43bd55f647b5308c5d927c99570e0b0cea563e1e36d2346dca8ccd0e8261568be9d81cd7b5b657c93df859b634eda22a634c1a9fe779894e2

memory/1732-52-0x0000000001200000-0x0000000001674000-memory.dmp

memory/2168-58-0x0000000003070000-0x00000000030B0000-memory.dmp

memory/1732-64-0x0000000001200000-0x0000000001674000-memory.dmp

memory/2624-66-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2624-72-0x00000000198A0000-0x0000000019920000-memory.dmp

memory/1764-73-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/564-74-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/1732-69-0x0000000005530000-0x0000000005570000-memory.dmp

memory/1764-68-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/1764-67-0x00000000003D0000-0x00000000003D8000-memory.dmp

memory/1732-56-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/1732-55-0x0000000001200000-0x0000000001674000-memory.dmp

memory/1732-76-0x0000000001200000-0x0000000001674000-memory.dmp

memory/1732-77-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2168-79-0x0000000074900000-0x0000000074FEE000-memory.dmp

memory/2168-80-0x0000000003070000-0x00000000030B0000-memory.dmp

memory/2168-81-0x0000000003070000-0x00000000030B0000-memory.dmp

memory/564-83-0x0000000074900000-0x0000000074FEE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-09 18:28

Reported

2024-01-09 18:32

Platform

win10v2004-20231215-en

Max time kernel

31s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe

"C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Java8update\updaterjava9.exe

"C:\Program Files (x86)\Java8update\updaterjava9.exe"

C:\Program Files (x86)\Java8update\updaterjava9.exe

"C:\Program Files (x86)\Java8update\updaterjava9.exe"

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe

"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /launchSelfAndExit "C:\Program Files (x86)\Java8update\updaterjava9.exe" 4548 /protectFile

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe

"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /watchProcess "C:\Program Files (x86)\Java8update\updaterjava9.exe" 4548 "/protectFile"

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
N/A | 10.0.2.15:6969 | | tcp
US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp
N/A | 10.0.2.15:6969 | | tcp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
N/A | 10.0.2.15:6969 | | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
N/A | 10.0.2.15:6969 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp
N/A | 10.0.2.15:6969 | | tcp

Files

memory/4988-0-0x0000000000170000-0x00000000005E4000-memory.dmp

memory/4988-2-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/4988-3-0x0000000000170000-0x00000000005E4000-memory.dmp

memory/4988-4-0x0000000003770000-0x0000000003780000-memory.dmp

memory/4988-5-0x0000000003740000-0x000000000374E000-memory.dmp

memory/4988-6-0x0000000005A00000-0x0000000005A5C000-memory.dmp

memory/4988-8-0x0000000005B70000-0x0000000005C02000-memory.dmp

memory/4988-7-0x0000000006010000-0x00000000065B4000-memory.dmp

memory/4988-9-0x0000000005F60000-0x0000000005F72000-memory.dmp

memory/4988-11-0x0000000005F80000-0x0000000005F88000-memory.dmp

memory/4988-12-0x00000000066C0000-0x0000000006726000-memory.dmp

memory/4988-10-0x0000000005F70000-0x0000000005F78000-memory.dmp

memory/4988-13-0x0000000006D50000-0x0000000007368000-memory.dmp

memory/4988-14-0x0000000006790000-0x00000000067A2000-memory.dmp

memory/4988-15-0x00000000067F0000-0x000000000682C000-memory.dmp

memory/4988-16-0x0000000006830000-0x000000000687C000-memory.dmp

memory/4988-17-0x00000000069B0000-0x0000000006ABA000-memory.dmp

memory/4988-19-0x00000000074A0000-0x00000000074C2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4988-35-0x0000000000170000-0x00000000005E4000-memory.dmp

memory/3060-33-0x0000000000D00000-0x0000000000D0C000-memory.dmp

memory/3060-36-0x0000000002DA0000-0x0000000002DB2000-memory.dmp

memory/3060-38-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

memory/3060-39-0x0000000002D70000-0x0000000002D80000-memory.dmp

memory/3060-37-0x0000000002E30000-0x0000000002E6C000-memory.dmp

memory/3060-43-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

memory/4336-45-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

memory/4336-46-0x000000001A6F0000-0x000000001A700000-memory.dmp

memory/4336-47-0x000000001AB10000-0x000000001AC1A000-memory.dmp

C:\Program Files (x86)\Java8update\updaterjava9.exe

MD5 2a0cd606a2fcce371b2bed64028ef376
SHA1 6a603f8f8bfb2766c59948e6ff609226d85efb45
SHA256 d8e988fbece0c4037e38f9121cf75775be571ddd55e22e14f44ba336f5ca8990
SHA512 76e5671e8099667972b841657756956d5d08f8beadba183c096aa5579c3eace611fe625149eae05d578a531917de3c8106f6c3096ca38d2ece931805b1683e6f

\??\c:\program files (x86)\java8update\updaterjava9.exe

MD5 3288ddec3771a143aa6c46943c8e7398
SHA1 d021ce6fbae8e350d5d1945b4f4badf51bfd05a6
SHA256 ad7dd48d72294c8b50c57ce4f63d976e5948f7ff4fc1b6eb2e1ec75e607c62bb
SHA512 f3c59f8eaa7b629eefa0fb29e82ead80e37bfc24296f87673634b281f26ca57335ccebf6ae509b6f69bd30042241d6d35f5a3f44d1208c437c55fb0dc15f0592

memory/4988-65-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/4988-66-0x0000000000170000-0x00000000005E4000-memory.dmp

memory/4548-68-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/4548-70-0x0000000005940000-0x0000000005950000-memory.dmp

memory/4548-69-0x0000000000D20000-0x0000000001194000-memory.dmp

memory/4548-67-0x0000000000D20000-0x0000000001194000-memory.dmp

memory/4548-62-0x0000000000D20000-0x0000000001194000-memory.dmp

C:\Program Files (x86)\Java8update\updaterjava9.exe

MD5 78344d8aaf68b4680b2ed6e1ef8ba5e1
SHA1 0c492e5b3d3083a8c70bb854dc4af5da0c89c17e
SHA256 4059875be9fb25ede65f963e321987c0e15bf4a004c64f005965bf4de086fa21
SHA512 1a73dde9ceabd54eb39fd693086187d49ab06ca4b4747945a10a2bfc472724550abaff0b0fe4d42bf881cf79ea071b307b87251d04aa3b1b2e66f4c69761bc4e

memory/4548-71-0x0000000005930000-0x0000000005942000-memory.dmp

C:\Users\Admin\AppData\Roaming\NVIDlA\err_a867e8d19abf423285769fa6d8e47601.dat

MD5 d9d1d25063cec149442c6c83cf5a7915
SHA1 44b05e493f4c95e0737c5935f46d90bfe8d1eab3
SHA256 f00ae670f4eb88d5e7d14d8e70bc8ddd575a3c331904fe3dae7a736dbbe8223f
SHA512 83dcae11160361c70b66ef5b859687eff24f609699c9629022636b9787e6519e72f55b9e79a91a21a58b29f60f2c2d500e38ddb731971db32abb860a478e2882

memory/4548-74-0x00000000070F0000-0x000000000713E000-memory.dmp

memory/4548-76-0x00000000072D0000-0x00000000072E8000-memory.dmp

memory/3232-77-0x0000000000D20000-0x0000000001194000-memory.dmp

C:\Program Files (x86)\Java8update\updaterjava9.exe

MD5 e8b10dc141fd2c5a5850889d5f741b7b
SHA1 74b2acc97a21b97e68cca09d754199788c4ef742
SHA256 00dfdd6c66f06965d5b8ba2c6434dd8964859764a238423f091eb549fd552adb
SHA512 f51e2f6effa0952742b53ee5e6f5aa3c6119c5ac0774459caaaa3facbb9ce6d3d108ca92a76e29f4a024c9e0d324bcf7706269de286887331f12b8b0334370e6

memory/4548-79-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4548-78-0x0000000007670000-0x0000000007832000-memory.dmp

memory/3232-81-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/4548-80-0x0000000007600000-0x000000000760A000-memory.dmp

memory/3232-84-0x0000000000D20000-0x0000000001194000-memory.dmp

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2204-98-0x0000000000270000-0x0000000000278000-memory.dmp

memory/2204-99-0x0000000074520000-0x0000000074CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RobloxUpdater04.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/4336-104-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

memory/2204-103-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/2988-105-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3232-87-0x0000000006140000-0x0000000006150000-memory.dmp

memory/3232-85-0x0000000000D20000-0x0000000001194000-memory.dmp

memory/3232-108-0x0000000000D20000-0x0000000001194000-memory.dmp

memory/3232-109-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/4336-110-0x000000001A6F0000-0x000000001A700000-memory.dmp

memory/4548-112-0x0000000000D20000-0x0000000001194000-memory.dmp

memory/4548-113-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/4548-114-0x0000000005940000-0x0000000005950000-memory.dmp

memory/2988-116-0x0000000074520000-0x0000000074CD0000-memory.dmp