Malware Analysis Report

2025-01-22 14:56

Sample ID 241213-bndejatnht
Target fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd
SHA256 fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd
Tags
orcus discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd

Threat Level: Known bad

The file fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd was found to be: Known bad.

Malicious Activity Summary

orcus discovery rat spyware stealer

Orcus

Orcus main payload

Orcurs Rat Executable

Orcus family

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 01:17

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 01:17

Reported

2024-12-13 01:19

Platform

win7-20240729-en

Max time kernel

102s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Academy\quard.ai | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File opened for modification | C:\Program Files\Windows Academy\quard.ai | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File created | C:\Program Files\Windows Academy\quard.ai.config | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2524 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2524 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2524 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2776 wrote to memory of 2408 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2776 wrote to memory of 2408 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2776 wrote to memory of 2408 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2524 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2524 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2524 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2524 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\system32\rundll32.exe
PID 2524 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\system32\rundll32.exe
PID 2524 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | C:\Windows\system32\rundll32.exe
PID 2052 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2052 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2052 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2052 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

"C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v_copwwd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F7C.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files\Windows Academy\quard.ai

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files\Windows Academy\quard.ai"

Network

N/A

Files

memory/2524-0-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

memory/2524-2-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

memory/2524-1-0x0000000001F70000-0x0000000001FCC000-memory.dmp

memory/2524-3-0x0000000000330000-0x000000000033E000-memory.dmp

memory/2524-4-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\v_copwwd.cmdline

MD5 9bcdd3ba9e43eba62fae54aba689b6b0
SHA1 53ede35f10c6d07391c2a9f5fb51871f969b75e5
SHA256 278366a3fa7c7c925aedb7863adb6130c32cf19281730f7785ad725709e1ccf3
SHA512 5ef6f09c8a71bd274c3c8c2a1b3dbfb0f32e020609e88949ce1759f38a5c3d1e3d4dc166c76fb8727cc90bbe1db9abee83dc739132edecb7dd2a849c2615903f

\??\c:\Users\Admin\AppData\Local\Temp\v_copwwd.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

\??\c:\Users\Admin\AppData\Local\Temp\CSC7F7C.tmp

MD5 e0a71cc2fb0eeccf28bd03bb952963af
SHA1 86959bc2bb00e437c7619fa2588231371798b90c
SHA256 d6dae9e7b6cafc711e3324fd00b29d5a0af064f62269bb11e314bf020c0c6b86
SHA512 725c1815a09571b56b2c9bbc21400ecd1f665abf177209ddd810a99e281792468a5d9c7f4b065da705359f0c1db7fd71b8cf41c768f7bdf6fbb56b04df9ee58b

C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp

MD5 6b236eba0d39dc2eddcf453611a0ab47
SHA1 461a1694205e36412f5c8842f8cee56582a9c14a
SHA256 b2fe4da6155eb89565607cc14ab28a52656a87601c6dc3fdcf062ae817e174de
SHA512 00248ecde8699b2454755ad5709006869da913988d9c9f8e4b358739c31454548ab0f8cda5dd2a81cf6b82bc337b79a4ab01f225861e45318de426a138bc594f

memory/2776-19-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

memory/2524-17-0x0000000001FD0000-0x0000000001FE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v_copwwd.dll

MD5 af991fb8f957b65f8e984bbd5c11e2e7
SHA1 1fe8edd42a24ab980a9715297d93b3f3f90ac3e6
SHA256 3bbbe88b06ac3859981677175bcf566c9eb70ab995c475bc18070245beebf5fa
SHA512 f4448d97e83de3009330b2f23f00df15d60f37900a46743a722362c2216964c7b15b0649792571aa069d4f45fa9104207c0fdeb8bb799ddf6220e6cae15eeaf7

memory/2524-20-0x0000000000570000-0x0000000000582000-memory.dmp

memory/2524-21-0x0000000001F20000-0x0000000001F28000-memory.dmp

memory/2524-22-0x0000000001F50000-0x0000000001F58000-memory.dmp

memory/2524-23-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

memory/2524-31-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/2676-33-0x0000000001040000-0x000000000104C000-memory.dmp

memory/2584-37-0x00000000001F0000-0x00000000001FC000-memory.dmp

memory/2524-40-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

C:\Program Files\Windows Academy\quard.ai

MD5 8031ba7c7db878cb3ddd3bf3f9bea80b
SHA1 58bff6171067acc0b51c5c61c04de60b036bbb5c
SHA256 fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd
SHA512 581fa0775baca47a48c4b14f186d085ea8c8f37e52faa516b4bcf5bd4958b3fbde0df8dcd5ed65163a928e58ef1c4ac2938d476920be7fd8e72d90f494658d11

memory/2776-42-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 fd1f5f08fdc765fe01a5ec13cb9c4df9
SHA1 b4424b3a0e24a37cc117500568ebd458a9da1a6a
SHA256 54b1becf61fd25ac76aef33fd4a0833a20ff751961f68aadee4c4e679e84f65f
SHA512 9c19e39f8d9f12f75574cc49fdf55c6bcbdf06f228083e9d313b49f4d374a9918e01c209bc1a84151d29fe34021299c829da4e50fa24663ae27c7aae8e60729c

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 01:17

Reported

2024-12-13 01:19

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Academy\quard.ai | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File opened for modification | C:\Program Files\Windows Academy\quard.ai | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File created | C:\Program Files\Windows Academy\quard.ai.config | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

"C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fl3uhf1_.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E38.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 137.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/316-0-0x00007FFC0ED45000-0x00007FFC0ED46000-memory.dmp

memory/316-1-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

memory/316-2-0x000000001BFC0000-0x000000001C01C000-memory.dmp

memory/316-5-0x000000001C0B0000-0x000000001C0BE000-memory.dmp

memory/316-6-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

memory/316-7-0x000000001C6B0000-0x000000001CB7E000-memory.dmp

memory/316-8-0x000000001CC20000-0x000000001CCBC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fl3uhf1_.0.cs

MD5 e3cd938efa5531036103fd7e5448b46d
SHA1 04f1a25cb644627568807f4d6fb1b892ffdf9704
SHA256 a35e437546da0f52654e0f763794ccf925631f4c4f2f39858a3a480adc614ae0
SHA512 30f76ddc3f85391fcc131f0afb6f86b3cac7579702f6faab8308f36c5fdd75650bf47f07c72537827177094a5197d85766a7169ddf9fcdf37e865d7548545aa1

\??\c:\Users\Admin\AppData\Local\Temp\fl3uhf1_.cmdline

MD5 a9965a129b625696f84ef9811309eb96
SHA1 64b6aee24a82fb3a97018f834ece9c4f0412716a
SHA256 e443a3b0fb24949b00df151fe942bc697363e4e74d783c637852b8c3db64a967
SHA512 0798b42c02017fda9a9aaa32b37f83017c627c716caceffefd4fa93314f625151c271c2348acd9797a86cb5748a8523c39aa0060dc193df39df6ed74682fac93

\??\c:\Users\Admin\AppData\Local\Temp\CSC7E38.tmp

MD5 ef41cadd0412aa3306ba47248215bfa5
SHA1 2dc0d058d06bcd01289b377c965bacaa65e24829
SHA256 2c1ed363f46f5371e2084478fd6029aa388eeeb39dc2d1f1813d1b19ce50f6fc
SHA512 6ccc306fe2c3e69ffef061dd47db7b42a458f76403f64370aa1fb256efd49f9068c39a99645d443f92511e67c29430df214f870d1de6d9b410c83f5bc20cc849

memory/4092-16-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

memory/316-23-0x000000001D2C0000-0x000000001D2D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fl3uhf1_.dll

MD5 b0fa9e36f6d4571d6046f1afe8b05f5e
SHA1 f39c3e0e2da16c694dc3682aecef6e7a72bba407
SHA256 242367ce8e74dc9b8a6d16b67989e9831ebf4158be278020798ce28426c498e5
SHA512 64c0ea0fc8b5b1328fc083d773e49e029d99eabb2ff0ceed5c7db2fae7ff864927e95c514a4a723f9f88d1232c1991149f3a1ef0424361dd20ebf5624fdc142e

memory/4092-21-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES7E39.tmp

MD5 e00c06b9d381d5e2dc2abf067879b993
SHA1 f5f27a5bc9b2503015f09bb4db0a4644be0d3737
SHA256 b80ce57ded51291a0539c44a8f33cc09bea67f7e06d32a9c71c3bee114ad7e58
SHA512 7d71913ed9b5de591a0fd97c8ed1a1cf0f97ff551e2d1d3d82c36050644f7cfd4d229976c0d19377ab43d5604471cae24ef7ec4dc71afc258e3ffff85a2b4826

memory/316-25-0x00000000019E0000-0x00000000019F2000-memory.dmp

memory/316-28-0x000000001D6B0000-0x000000001D712000-memory.dmp

memory/316-29-0x000000001E010000-0x000000001E5CA000-memory.dmp

memory/316-31-0x000000001D810000-0x000000001D82E000-memory.dmp

memory/316-30-0x000000001E5D0000-0x000000001E6C0000-memory.dmp

memory/316-27-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

memory/316-26-0x00000000019C0000-0x00000000019C8000-memory.dmp

memory/316-32-0x000000001E6D0000-0x000000001E719000-memory.dmp

memory/316-33-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

memory/316-34-0x000000001E7B0000-0x000000001E820000-memory.dmp

memory/316-35-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp

memory/316-37-0x000000001EA80000-0x000000001EAA0000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/3712-52-0x00000000006C0000-0x00000000006CC000-memory.dmp

memory/3712-51-0x00007FFC0BCE3000-0x00007FFC0BCE5000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/3712-54-0x0000000001020000-0x000000000105C000-memory.dmp

memory/3712-53-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

memory/2080-59-0x0000000019DF0000-0x0000000019EFA000-memory.dmp

memory/316-64-0x00007FFC0EA90000-0x00007FFC0F431000-memory.dmp