Malware Analysis Report

2025-01-22 14:49

Sample ID 241206-bhny3sxqgn
Target ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA256 ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
Tags
orcus rat spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

Threat Level: Known bad

The file ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 01:08

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 01:08

Reported

2024-12-06 01:11

Platform

win7-20241010-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\SYSTEM\Sys.exe | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A
File created | C:\Program Files\SYSTEM\Sys.exe.config | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A
File created | C:\Program Files\SYSTEM\Sys.exe | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1528 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1528 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1528 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2576 wrote to memory of 948 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2576 wrote to memory of 948 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2576 wrote to memory of 948 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1528 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | C:\Program Files\SYSTEM\Sys.exe
PID 1528 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | C:\Program Files\SYSTEM\Sys.exe
PID 1528 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | C:\Program Files\SYSTEM\Sys.exe
PID 2656 wrote to memory of 2872 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files\SYSTEM\Sys.exe
PID 2656 wrote to memory of 2872 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files\SYSTEM\Sys.exe
PID 2656 wrote to memory of 2872 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files\SYSTEM\Sys.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\655dr0fb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp"

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2A1E0322-BDF2-462C-A0B9-8D44FDF725CA} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp

Files

memory/1528-0-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

memory/1528-2-0x0000000000380000-0x000000000038E000-memory.dmp

memory/1528-1-0x000000001AD80000-0x000000001ADDC000-memory.dmp

memory/1528-3-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

memory/1528-4-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\655dr0fb.cmdline

MD5 3d389e78a1bc31023b9cdfb2df6f272d
SHA1 26a4af88225d0cffbee5fe9fdacdb98f16ef0a45
SHA256 fbdfb40315fa73367939ae0669bf5684d32564e696c39586d4fff1d0673bdd25
SHA512 6b690887a4350e02bddb83215cf0a47b1563059f5e2a96c32d791377d36883877751b153ea3cf8122c5045f481b757fce20eb171aa6e4dfc28aebd2630311157

\??\c:\Users\Admin\AppData\Local\Temp\655dr0fb.0.cs

MD5 c555d9796194c1d9a1310a05a2264e08
SHA1 82641fc4938680519c3b2e925e05e1001cbd71d7
SHA256 ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a
SHA512 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

memory/2576-12-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp

MD5 be1531a85f91030bb40b36ffedf46557
SHA1 5e4247ba1edcab0ce3a7841be630fe2b943cdceb
SHA256 4be64f2a92fc504c65abfec6fb047362c9928fef5e2f3ea5e49049525fa69e1b
SHA512 6be460af123b974198c87b2df1d9951caed73ecde9645ae4db7068c82bcf31ed2cf46488ad295d356dcf53b6e8d52bd5d0028d6f2084d6983984e2fefd7725c8

\??\c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp

MD5 7d59ac63bca07b2a374ac972fbfee876
SHA1 21fad64011f501c44b0e4f6382065c11d3baf26d
SHA256 2bd4b97fe3e28a0b5d83f1a8953033fb55e12a0b019a717b0a4a5be5bb85aa5d
SHA512 6499c1a492db1b86e985f6d8a309c4d8ed99648726da110351398ddf0405c6f2277dd73f51cb0ab4e33c7d22cf3260bd2779641128a94f3c5fb44b1f90d13b76

memory/2576-17-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

memory/1528-19-0x00000000021B0000-0x00000000021C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\655dr0fb.dll

MD5 39ff948dd51252808697f5bc80bc5b09
SHA1 0fb19986b2af1b668d64ac089d9e9341df41657f
SHA256 f3e14fd5ab0514927ca8e222e7231b58e72607c6771f5d0dd23c5951a1e121f0
SHA512 0a3bd80665ff246345dcb29b03cb8745a69412aa28b7962345785fc1bb3706980ed11a955e1c1db5dde053bdcfbe8bf68e802d8dd65bfe9ab37ea1c0ad295637

memory/1528-21-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/1528-22-0x0000000000490000-0x0000000000498000-memory.dmp

memory/1528-23-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

memory/1528-24-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

C:\Program Files\SYSTEM\Sys.exe

MD5 da251d4a25d879b2b47d796b89a49bac
SHA1 55e66cef9543175ada225d7efb9dbf00d8acc396
SHA256 ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA512 7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96

C:\Program Files\SYSTEM\Sys.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/1528-31-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

memory/2476-35-0x0000000000950000-0x0000000000A3A000-memory.dmp

memory/1528-34-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

C:\Users\Admin\AppData\Roaming\System32\err_9a0711938f32476b9cf4a8909df7bbe0.dat

MD5 46d9cb02d0cb2c623f510f95d1ea1e6f
SHA1 2e168d7db38403cca9acfc2032e053ee8b5cb9e2
SHA256 b3152cfe1a4047ebc0d878b958bcd0b3ba9d29a2eeb2a405a7166938976c1cd8
SHA512 f33a36d1002fc2302c55f166eaddbd19dbb7314b7361e2d4dee626970bc32cb68889d1fb4d8b896216fc8f3f1b55718422c63d57ebd4db436740afb9857f3263

memory/2476-38-0x00000000021E0000-0x000000000222E000-memory.dmp

memory/2476-39-0x000000001ABB0000-0x000000001ABC8000-memory.dmp

memory/2476-40-0x000000001ABD0000-0x000000001ABE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 01:08

Reported

2024-12-06 01:11

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\SYSTEM\Sys.exe | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A
File opened for modification | C:\Program Files\SYSTEM\Sys.exe | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A
File created | C:\Program Files\SYSTEM\Sys.exe.config | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\SYSTEM\Sys.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mgazzg7a.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98A7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98A6.tmp"

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
N/A | 192.168.31.232:10134 | | tcp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp
N/A | 192.168.31.232:10134 | | tcp

Files

memory/4564-0-0x00007FFE85055000-0x00007FFE85056000-memory.dmp

memory/4564-1-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

memory/4564-2-0x000000001B200000-0x000000001B25C000-memory.dmp

memory/4564-6-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

memory/4564-5-0x000000001B300000-0x000000001B30E000-memory.dmp

memory/4564-7-0x000000001B920000-0x000000001BDEE000-memory.dmp

memory/4564-8-0x000000001BE90000-0x000000001BF2C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\mgazzg7a.cmdline

MD5 f6e768c7760e750884e06ee3b32ee0c9
SHA1 850451f29f2796d545050a0fc0531fe5457f4a7e
SHA256 448571e1c776aa11c66479f9eb4fffdd8008d2cf325d8b5d9144d0db82987cbe
SHA512 0edb1e49b86069600ec7289e21fc8147399973c282ef02c2bfb1c5d2716e304249fb45f3ae00603b7f81dffd1b7eb496802f1026fa8f6b50aa19098ee477adda

\??\c:\Users\Admin\AppData\Local\Temp\mgazzg7a.0.cs

MD5 da1c81c4360fdd05b0629c84da57666a
SHA1 fca24fdc4652aba6155041c49e4857a53e1275a9
SHA256 db438ed89fbb58decc88d6bf70972f60f3bf5f2466f696ce55973819e9e55016
SHA512 135535c333fa9e9feceb2ceef685aac06c558178fd93e866c5ccba27d51131fb90315d2fd74c92a2228d929ee206bee02f04f5d1a724dd1d10c36b3e3abe6498

memory/1304-16-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC98A6.tmp

MD5 34e13cdb110d928ec13a5ec9438fbc08
SHA1 9085489458ee47e44fa63d9c5288308594e68e29
SHA256 1d18ee0489047b74d09bc028c1023dc79408ae1f2e39a308051fb655737f1e7d
SHA512 e7cd6361d3ed26e26af6962df6e7029e387f0e3b8d2f4efb9933acf79191217407ac160901ed4af1dcdb7c8b9467837e44e95c533466e0f5ca19999e56ab7f60

C:\Users\Admin\AppData\Local\Temp\RES98A7.tmp

MD5 11b66e87b5d201e603205ef38491072d
SHA1 8661cc5cab2535953beeefdc4935a0b6814cba9d
SHA256 4466e9925ab435412ed8203a1bd8f94c4085d3c6e4eff1f723622dafec3fd8b6
SHA512 84481b905592d9929db79912975d7d00203e19a9efee878a4a9c8de73e8b5f83383a9bb8ded08b2b7c97f7ee1ee63155a7273663a1ed17eaf53d3c5c311a1594

memory/1304-21-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mgazzg7a.dll

MD5 233dd6388963d6b869efafd0c066ed34
SHA1 fe0704ef2dafdc0a054d7bdbdc1147fab04cc9c5
SHA256 d3de5c703c4216c2f6fed47720258f823c75395279f0fb66691cc0b0b1c7d942
SHA512 42a1d02c9c037eb20ec2ae437be063f4263a4f45345ac17a7397983d274599c09400a816e4f1b8689b896bc2d4682ff3e122253c1214d554892798f15610d315

memory/4564-23-0x000000001C510000-0x000000001C526000-memory.dmp

memory/4564-25-0x000000001B160000-0x000000001B172000-memory.dmp

memory/4564-26-0x0000000000B10000-0x0000000000B18000-memory.dmp

memory/4564-27-0x000000001B1F0000-0x000000001B1F8000-memory.dmp

memory/4564-28-0x000000001C900000-0x000000001C962000-memory.dmp

memory/4564-29-0x000000001D260000-0x000000001D81A000-memory.dmp

memory/4564-30-0x000000001D820000-0x000000001D910000-memory.dmp

memory/4564-31-0x000000001CA60000-0x000000001CA7E000-memory.dmp

memory/4564-32-0x000000001D920000-0x000000001D969000-memory.dmp

memory/4564-33-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

memory/4564-34-0x000000001DA00000-0x000000001DA70000-memory.dmp

memory/4564-35-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

C:\Program Files\SYSTEM\Sys.exe

MD5 da251d4a25d879b2b47d796b89a49bac
SHA1 55e66cef9543175ada225d7efb9dbf00d8acc396
SHA256 ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA512 7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96

C:\Program Files\SYSTEM\Sys.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/988-51-0x00007FFE82323000-0x00007FFE82325000-memory.dmp

memory/988-52-0x00000000007D0000-0x00000000008BA000-memory.dmp

memory/4564-53-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

memory/988-54-0x000000001B520000-0x000000001B532000-memory.dmp

memory/988-55-0x000000001B560000-0x000000001B572000-memory.dmp

memory/988-56-0x000000001C350000-0x000000001C38C000-memory.dmp

memory/988-57-0x000000001C4A0000-0x000000001C5AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\System32\err_9a0711938f32476b9cf4a8909df7bbe0.dat

MD5 38beef6bd25b0bdf5ed5c0a07ea021b8
SHA1 d8426c0d1d32a0ae7b0b8912e503c22c0192c7f5
SHA256 de9df6fb5ab3cb1fdccd81232b2b7754c742a9056fadc55dd58d2612872000ba
SHA512 2aeaad880249d4f4025f120073ba57df09d6fc9ae4120fc977e802d83f9f19c683b261b03d9b7b5d3edbf4dcde63040e518460db4b8864e8d8f885ac95657e78

memory/988-60-0x000000001C6B0000-0x000000001C6FE000-memory.dmp

memory/988-62-0x000000001CA70000-0x000000001CA88000-memory.dmp

memory/988-63-0x000000001CB90000-0x000000001CBA0000-memory.dmp

memory/988-65-0x00007FFE82323000-0x00007FFE82325000-memory.dmp