Malware Analysis Report

2025-01-22 14:56

Sample ID 241206-bkn2vsxrgp
Target ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA256 ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
Tags
orcus rat spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

Threat Level: Known bad

The file ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus main payload

Orcus family

Orcus

Orcurs Rat Executable

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 01:12

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 01:12

Reported

2024-12-06 01:14

Platform

win7-20241010-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\SYSTEM\Sys.exe C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A
File opened for modification C:\Program Files\SYSTEM\Sys.exe C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A
File created C:\Program Files\SYSTEM\Sys.exe.config C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\SYSTEM\Sys.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2620 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2620 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2624 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2624 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2624 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe C:\Program Files\SYSTEM\Sys.exe
PID 2620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe C:\Program Files\SYSTEM\Sys.exe
PID 2620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe C:\Program Files\SYSTEM\Sys.exe
PID 2696 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Program Files\SYSTEM\Sys.exe
PID 2696 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Program Files\SYSTEM\Sys.exe
PID 2696 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Program Files\SYSTEM\Sys.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hstkdaew.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC26.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC25.tmp"

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E1DC4008-29C4-44D4-A24E-392E117D42F3} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

Network

Country Destination Domain Proto
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 01:12

Reported

2024-12-06 01:14

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\SYSTEM\Sys.exe C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A
File opened for modification C:\Program Files\SYSTEM\Sys.exe C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A
File created C:\Program Files\SYSTEM\Sys.exe.config C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\SYSTEM\Sys.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\SYSTEM\Sys.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ywc-ethy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D1D.tmp"

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

C:\Program Files\SYSTEM\Sys.exe

"C:\Program Files\SYSTEM\Sys.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 192.168.31.232:10134 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 192.168.31.232:10134 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
N/A 192.168.31.232:10134 tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp
N/A 192.168.31.232:10134 tcp

Files
