Analysis Overview
SHA256
2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a
Threat Level: Known bad
The file a65588611bea2e11e8b7a783586d45ed_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcurs Rat Executable
Orcus family
Orcus main payload
Orcurs Rat Executable
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops desktop.ini file(s)
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-13 15:46
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 15:46
Reported
2024-06-13 15:49
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\owo\OwO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\owo\OwO.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\owo\OwO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WWWWWWWWWWW = "\"C:\\Program Files (x86)\\owo\\OwO.exe\"" | C:\Program Files (x86)\owo\OwO.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\owo\OwO.exe | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\owo\OwO.exe | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\owo\OwO.exe.config | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\owo\OwO.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rdkkjiel.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5295.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5294.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /launchSelfAndExit "C:\Program Files (x86)\owo\OwO.exe" 2132 /protectFile
C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /watchProcess "C:\Program Files (x86)\owo\OwO.exe" 2132 "/protectFile"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| N/A | 10.8.0.62:6969 | tcp | |
| US | 8.8.8.8:53 | owo-whats-this.duckdns.org | udp |
| N/A | 10.8.0.62:6969 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | owo-whats-this.duckdns.org | udp |
| N/A | 10.8.0.62:6969 | tcp | |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | owo-whats-this.duckdns.org | udp |
| N/A | 10.8.0.62:6969 | tcp | |
| US | 8.8.8.8:53 | owo-whats-this.duckdns.org | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| N/A | 10.8.0.62:6969 | tcp | |
| US | 8.8.8.8:53 | owo-whats-this.duckdns.org | udp |
| N/A | 10.8.0.62:6969 | tcp | |
| US | 8.8.8.8:53 | owo-whats-this.duckdns.org | udp |
Files
memory/2152-0-0x0000000000400000-0x0000000000532000-memory.dmp
memory/2152-1-0x0000000077072000-0x0000000077073000-memory.dmp
memory/2152-2-0x0000000077073000-0x0000000077074000-memory.dmp
memory/2152-3-0x0000000074182000-0x0000000074183000-memory.dmp
memory/2152-4-0x0000000074180000-0x0000000074731000-memory.dmp
memory/2152-5-0x0000000074180000-0x0000000074731000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\rdkkjiel.cmdline
| MD5 | d3b1084e7b3ed38f55c945e1db616410 |
| SHA1 | 2740663b8274ae8f579742f468064f116c4c83ea |
| SHA256 | 08a41348fa21cb93248008cd949150e0830d654df4182fcb7fe7650c4843ccc2 |
| SHA512 | faea1ca9c06eaf0501a787fa8826455fddd143772b0b50536ee0702887ec5007ed8cb4d3c8ecf0608becb739f4718e0ed4bf8811d2d31d2408c057063345f3e6 |
\??\c:\Users\Admin\AppData\Local\Temp\rdkkjiel.0.cs
| MD5 | 7669784b0302bff34aaad1d9ef742997 |
| SHA1 | 895403f905eef878c0f345ad164fef4540bf1015 |
| SHA256 | eacfba78c3492576bd08fbd6c09409dff6ef7374a0bbbc2c73c28efdaff94c48 |
| SHA512 | 921027b7717974c2676389ce552f33d438c74635cf8c421abea9d505902dbf1a8cc36e70bc9daba814942cf23c5c84b5f3c9aa65897aa4d039d05d22c80b5f29 |
memory/984-13-0x0000000074180000-0x0000000074731000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC5294.tmp
| MD5 | a2715833874c53ada6f5420efb4973f0 |
| SHA1 | 2f5b3f3cdb9abb4a475fca186189b8d94702ec7c |
| SHA256 | 6c2b05fe960b93cd9c841353f4f1e6f2771a75e5bebe1b7f87dbf45bc20f8300 |
| SHA512 | 4fd425a998053ad5ebc7daf1f58d3330e42cd155c153fab480245a3a889096e88cfdb1e3cd4148528f43e54f965738e99749bd53447a7fef073b735000b94122 |
C:\Users\Admin\AppData\Local\Temp\RES5295.tmp
| MD5 | b7bde65e4dfbc2937c66712be5900d3e |
| SHA1 | f17cf7fcdb098b2b27728ed688a526fbe1860f13 |
| SHA256 | b12b5935d8ffa7797f952d9fbf1a7244ac0fb5473711f2bf56e405bdb7675f04 |
| SHA512 | 35440ca6fdd4c86359ae5e2049a6576e992c3e209ff42416f724e6988d3e51a7777e841305703d8d308652219e50596ea68c1c044276c6de5e8d6487ed5cee48 |
memory/984-20-0x0000000074180000-0x0000000074731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rdkkjiel.dll
| MD5 | 1bee32b9481fb3e7751e903d95128936 |
| SHA1 | 02c7ac867188eeea06382ce25dc86713f7fda9bf |
| SHA256 | 59ed70a183abe297bbff93e16aa26b9cc8ae2a8a5ce7c1a0a05c1966f42cc564 |
| SHA512 | 3fae2c6588d93d66b97e0350e7daae1739c16918944249e55598bf09ee94afa3eab5ee07608cfbc3edba51436e843246b9e4b6cd1dd7f5ebb05fbdbfaa214047 |
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/1788-36-0x00007FFC3CB13000-0x00007FFC3CB15000-memory.dmp
memory/1788-37-0x0000000000B70000-0x0000000000B7C000-memory.dmp
memory/1788-38-0x0000000001460000-0x0000000001472000-memory.dmp
memory/1788-39-0x0000000002DA0000-0x0000000002DDC000-memory.dmp
memory/1788-40-0x00007FFC3CB10000-0x00007FFC3D5D1000-memory.dmp
memory/1788-44-0x00007FFC3CB10000-0x00007FFC3D5D1000-memory.dmp
memory/1836-46-0x000000001B360000-0x000000001B46A000-memory.dmp
C:\Program Files (x86)\owo\OwO.exe
| MD5 | a65588611bea2e11e8b7a783586d45ed |
| SHA1 | 70df9e0bb904ec5cacd4ccc54950d3029ab322c9 |
| SHA256 | 2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a |
| SHA512 | 123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8 |
memory/2132-64-0x0000000000400000-0x0000000000532000-memory.dmp
memory/2152-63-0x0000000000400000-0x00000000004EC000-memory.dmp
memory/2132-65-0x0000000005190000-0x000000000519E000-memory.dmp
memory/2132-66-0x00000000051A0000-0x00000000051FC000-memory.dmp
memory/2132-68-0x00000000052E0000-0x0000000005884000-memory.dmp
memory/2152-67-0x0000000074180000-0x0000000074731000-memory.dmp
memory/2132-69-0x0000000005890000-0x0000000005922000-memory.dmp
memory/2132-70-0x0000000005FF0000-0x0000000006002000-memory.dmp
memory/2132-71-0x0000000006000000-0x0000000006008000-memory.dmp
memory/2132-72-0x0000000006020000-0x000000000606E000-memory.dmp
memory/2132-74-0x0000000006220000-0x0000000006242000-memory.dmp
memory/4504-75-0x0000000000400000-0x0000000000532000-memory.dmp
memory/2132-76-0x0000000006250000-0x0000000006268000-memory.dmp
memory/2132-77-0x0000000006290000-0x00000000062A0000-memory.dmp
memory/2132-78-0x00000000067D0000-0x00000000067DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hostwd.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/1396-92-0x0000000000970000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hostwd.exe.log
| MD5 | 4eaca4566b22b01cd3bc115b9b0b2196 |
| SHA1 | e743e0792c19f71740416e7b3c061d9f1336bf94 |
| SHA256 | 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb |
| SHA512 | bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1 |
memory/2132-100-0x0000000000400000-0x0000000000532000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 15:46
Reported
2024-06-13 15:49
Platform
win7-20240611-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\owo\OwO.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\owo\OwO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\owo\OwO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\WWWWWWWWWWW = "\"C:\\Program Files (x86)\\owo\\OwO.exe\"" | C:\Program Files (x86)\owo\OwO.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\owo\OwO.exe | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\owo\OwO.exe | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\owo\OwO.exe.config | C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\owo\OwO.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hostwd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-u3scnzd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9944.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9943.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {D5ED89E9-EBA1-48EC-B0F6-FBEFEDCC7A75} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /launchSelfAndExit "C:\Program Files (x86)\owo\OwO.exe" 2512 /protectFile
C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /watchProcess "C:\Program Files (x86)\owo\OwO.exe" 2512 "/protectFile"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.8.0.62:6969 | tcp | |
| US | 8.8.8.8:53 | owo-whats-this.duckdns.org | udp |
| N/A | 10.8.0.62:6969 | tcp | |
| N/A | 10.8.0.62:6969 | tcp | |
| N/A | 10.8.0.62:6969 | tcp | |
| N/A | 10.8.0.62:6969 | tcp | |
| N/A | 10.8.0.62:6969 | tcp |
Files
memory/2240-0-0x0000000000400000-0x0000000000532000-memory.dmp
memory/2240-1-0x00000000771C0000-0x00000000771C1000-memory.dmp
memory/2240-2-0x0000000074301000-0x0000000074302000-memory.dmp
memory/2240-3-0x0000000074300000-0x00000000748AB000-memory.dmp
memory/2240-4-0x0000000074300000-0x00000000748AB000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\-u3scnzd.cmdline
| MD5 | 08b73454aa80e825cf2cc05c3c16cf68 |
| SHA1 | 9e66c4e0e3ced10710c0c0f637803db9003cc9d3 |
| SHA256 | 3fc058a4fcc584a1cd6d1a1385f70ae9942acd70d6b70adc6688d42073d1ef02 |
| SHA512 | 551f4836003f6428b60ad17268cd1a76d51dd89d7b310b8df38c4a44bcb32b9c570ee967c73cb142ca874525f00317c0a4821aa4b2717cb2b3e84e876b8c3af7 |
\??\c:\Users\Admin\AppData\Local\Temp\-u3scnzd.0.cs
| MD5 | 674639c9bcc025f2151b3e6200880194 |
| SHA1 | 2b8a41c18450038b5135f0e07eaa9e2b85567645 |
| SHA256 | 794e0ca0d2ff4c48b8fa42628454d560373c19518680fc18af358a794a378ff6 |
| SHA512 | 400b1efba9c7c701843470a1d2ed6e5c65810093c1947957fec9ac1eab325f5dd8e2da9654c5e42616721a38c0a0f34308b8eddf964d2581b982ad8513d34af4 |
memory/2200-10-0x0000000074300000-0x00000000748AB000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC9943.tmp
| MD5 | 283fc0f2b09f64e1d2f482f3295ac03d |
| SHA1 | a954712932c69b4b21cda0a8f75364c0476157b8 |
| SHA256 | 8957181422f546bbd27f65d1db3cb1092ae3f0aad862f228a266908308af3c66 |
| SHA512 | 93a9e09c31a1b29e0f191859582af0806d47b7ada93bce9683c3537941fac4bcd447857f98fdf9e181a3c0cccd0df293684119f7df92b77108b7298bff01e30f |
C:\Users\Admin\AppData\Local\Temp\RES9944.tmp
| MD5 | c3b7571372d35d6404df1f94c4f2889d |
| SHA1 | 957e14673542a2f7bd0ea0e47a71d11187b5cb6e |
| SHA256 | 1f8ba5da84cd94337d3d4e1cde311db2cad756ca217406ed71ecfc1dfb97caa3 |
| SHA512 | 991367ecb6c77bba45357d20cfaae7f3983fb59e0dd481675959a5a91876f2ffa2e5b654d255930af0bcaa66755bdb2f5a98e11860335a8a4dc7de4cee284baa |
C:\Users\Admin\AppData\Local\Temp\-u3scnzd.dll
| MD5 | f9efe21f916e8d692a30285c51e80f28 |
| SHA1 | 725dd96db39817ac6b1d1f07cdc14413f8674170 |
| SHA256 | 1698dbd2e15696da11f0c9317cfc1544bf3967e1d33458c9fc0a1f213386dcb3 |
| SHA512 | 9134856e6bd51bcd35a2918687aae47dd5432631f9a766995788be3d271b368537b4a879cb503a14013e9c60cbdde6204ae3b02f2ea6170f567233496c9e64b9 |
memory/2200-17-0x0000000074300000-0x00000000748AB000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/2692-28-0x00000000001D0000-0x00000000001DC000-memory.dmp
memory/2740-32-0x0000000000180000-0x000000000018C000-memory.dmp
\Program Files (x86)\owo\OwO.exe
| MD5 | a65588611bea2e11e8b7a783586d45ed |
| SHA1 | 70df9e0bb904ec5cacd4ccc54950d3029ab322c9 |
| SHA256 | 2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a |
| SHA512 | 123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8 |
memory/2512-44-0x0000000000400000-0x0000000000532000-memory.dmp
memory/2240-43-0x0000000000400000-0x00000000004EC000-memory.dmp
memory/2240-40-0x0000000005E40000-0x0000000005F72000-memory.dmp
memory/2240-47-0x0000000074300000-0x00000000748AB000-memory.dmp
memory/2512-48-0x00000000023A0000-0x00000000023AE000-memory.dmp
memory/2512-49-0x00000000025D0000-0x000000000262C000-memory.dmp
memory/2512-50-0x00000000023E0000-0x00000000023F2000-memory.dmp
memory/2512-51-0x0000000002560000-0x0000000002568000-memory.dmp
memory/2512-52-0x0000000004E50000-0x0000000004E9E000-memory.dmp
memory/2512-53-0x00000000058F0000-0x0000000005908000-memory.dmp
memory/2512-54-0x0000000005B50000-0x0000000005B60000-memory.dmp
memory/2400-58-0x0000000000400000-0x0000000000532000-memory.dmp
\Users\Admin\AppData\Local\Temp\hostwd.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/2808-66-0x0000000001190000-0x0000000001198000-memory.dmp
memory/2512-72-0x0000000000400000-0x0000000000532000-memory.dmp