orcus | 098c48ea4fb2c2f4efefba74a6e4c3c4c0367ed8a257786fcf3cc9d9d08f8377

Analysis

max time kernel
32s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 22:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Size

2.3MB
MD5

87f7d55dbf9bd13dd5440ef0a51fec2e
SHA1

b57facd3bda38c5fca68a44898cc7930d727e48c
SHA256

098c48ea4fb2c2f4efefba74a6e4c3c4c0367ed8a257786fcf3cc9d9d08f8377
SHA512

b887e2b340a22a0a6607ef5396bb5d75ac68c6a7d06e0def3fbaa86fb59696c89399b6b83a870f7fb88f5804e055ce8f873d811d2b58ff6471e700c6bc3d1659
SSDEEP

49152:3AyKUOPuD8C+N+3M/i5cdRW2CVip0CfXl2LXV7eoW:bh8YNcdRW2KiRgF5W

Score

10^/10

orcus defense_evasion discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

37.46.150.253:1337

Mutex

42a98ed1b2ce431689d696f918634edc

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Windows Defender\Windows Defender.exe
reconnect_delay
10000
registry_keyname
Windows Defender
taskscheduler_taskname
Windows Defender Service
watchdog_path
Temp\Windows Defender.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00080000000233d8-10.dat	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00080000000233d8-10.dat	orcus
behavioral2/memory/3508-20-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

tmp.exesvhost.exe

pid	Process
2588	tmp.exe
3508	svhost.exe

Loads dropped DLL 8 IoCs

Processes:

svhost.exe

pid	Process
3508	svhost.exe
3508	svhost.exe
3508	svhost.exe
3508	svhost.exe
3508	svhost.exe
3508	svhost.exe
3508	svhost.exe
3508	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

tmp.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2924 set thread context of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96

Drops file in Program Files directory 3 IoCs

Processes:

svhost.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\Windows Defender.exe	svhost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\Windows Defender.exe	svhost.exe
File created	C:\Program Files (x86)\Windows Defender\Windows Defender.exe.config	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

tmp.exe

description	ioc	Process
File opened for modification	C:\Windows\assembly	tmp.exe
File created	C:\Windows\assembly\Desktop.ini	tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	tmp.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.execmd.execmd.exetimeout.exe87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exesvhost.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1036	timeout.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe

pid	Process
2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Token: 33	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.execmd.exetmp.execsc.execmd.exe

description	pid	Process	procid_target
PID 2924 wrote to memory of 2588	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	95
PID 2924 wrote to memory of 2588	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	95
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 3508	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	96
PID 2924 wrote to memory of 776	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	97
PID 2924 wrote to memory of 776	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	97
PID 2924 wrote to memory of 776	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	97
PID 2924 wrote to memory of 3216	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	99
PID 2924 wrote to memory of 3216	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	99
PID 2924 wrote to memory of 3216	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	99
PID 3216 wrote to memory of 1172	3216	cmd.exe	101
PID 3216 wrote to memory of 1172	3216	cmd.exe	101
PID 3216 wrote to memory of 1172	3216	cmd.exe	101
PID 2924 wrote to memory of 4320	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	102
PID 2924 wrote to memory of 4320	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	102
PID 2924 wrote to memory of 4320	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	102
PID 2588 wrote to memory of 1996	2588	tmp.exe	104
PID 2588 wrote to memory of 1996	2588	tmp.exe	104
PID 1996 wrote to memory of 2720	1996	csc.exe	106
PID 1996 wrote to memory of 2720	1996	csc.exe	106
PID 2924 wrote to memory of 2640	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	107
PID 2924 wrote to memory of 2640	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	107
PID 2924 wrote to memory of 2640	2924	87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe	107
PID 2640 wrote to memory of 1036	2640	cmd.exe	110
PID 2640 wrote to memory of 1036	2640	cmd.exe	110
PID 2640 wrote to memory of 1036	2640	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nzg-czbg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECF1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCECF0.tmp"
      4⤵
      PID:2720
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/87f7d55dbf9bd13dd5440ef0a51fec2e_JaffaCakes118.exe" "%temp%\FolderN\svchost.exe" /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\svchost.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\svchost.exe:Zone.Identifier
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 60
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe

Filesize
2.3MB

MD5
87f7d55dbf9bd13dd5440ef0a51fec2e

SHA1
b57facd3bda38c5fca68a44898cc7930d727e48c

SHA256
098c48ea4fb2c2f4efefba74a6e4c3c4c0367ed8a257786fcf3cc9d9d08f8377

SHA512
b887e2b340a22a0a6607ef5396bb5d75ac68c6a7d06e0def3fbaa86fb59696c89399b6b83a870f7fb88f5804e055ce8f873d811d2b58ff6471e700c6bc3d1659

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\svchost.exe.bat

Filesize
194B

MD5
d09b6e9cef61c36a40e11f365a1ac118

SHA1
6c9deeb56ecbeb2a4a4388b63a1bc4a889ed82c9

SHA256
d1e14b1fc5ac0d3d70e1c227d63d4371e7fae6bf0198d741ee889c2c935ed952

SHA512
26b31b1e3f6c86b381549127e533a1d20b68fecc1b6c3fab94a82ce5a4acab19a570928bc3666a3752f65a09138ac3dc5ac7d726763fceb16662e823ebb8b331

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESECF1.tmp

Filesize
1KB

MD5
5b70a40b3696b0e2dd9843131cf3d21b

SHA1
8dac7805b490fa3695df59225ca3e7108cbaa6ee

SHA256
a3c7e1a20cd7b32a68efba834ac103b09cbadb41716c0c80e4b6202dc6c9bc91

SHA512
a8e320252cdc7a0be95dfc7c0dc1df4a8ed81303ff6e0df03857a561e2d79a53884afb99351150782937ee72065ba678e272fcd019f8d03720d4ac2815d4a6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzg-czbg.dll

Filesize
76KB

MD5
a93a1f2c56a676ec2968ed36c7a84901

SHA1
ef4b1c46882a81ec4b2e3192c0d0a666f20f8516

SHA256
4b6a7b461a2f5124f9869f4f0cb89f7a4edec12858ad03085a63a9f8fb3492a6

SHA512
c95ba989d70048b35d28255294b34e868660db7d42050f90eabee618522c2693a6e420ef410018bc24db92410ab8ea9b7ecf5b96b760c5aca4e138f093c624bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
918KB

MD5
51842fb9ba927d1a3ef14819f508b670

SHA1
ce113069ff7137fd812e9df67c6c46a367fb9eb3

SHA256
5c83c924a159e999326d20004b40f0de029b55502fe9faca30a52b0c80486061

SHA512
36872e35893ba1b301560d1788c8081156c5d1fde9dadd049b59a587b8c094c0de18b8b5fd1265a2577f0e854b6735690fbf300e9537ddf6739d43fda6a2a011

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCECF0.tmp

Filesize
676B

MD5
cb61fd1ee48c29eb873281ab23d78346

SHA1
d74c38b0c45c5cfc26319cbd678b3937f4b0abce

SHA256
53e9fdac9b352d3a57688628b5bf34cf36b634d36ab35c0a4dd4abe8c97e936e

SHA512
a8397cd9b5b38d968d28c519c293a6e5deaea18b3926c86cd24ed4890cbee9d1340f4d7ea1e2943a0f2cd9a7464d706f4ec9f0260c65f4e34370914f849c5655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nzg-czbg.0.cs

Filesize
208KB

MD5
64847ee133097b26a72bc7d69bde42e8

SHA1
34c12d30e3432e373af29242f6d6cd7ecccdbaec

SHA256
7d1c3dba5a79f2d3007db9dd797b6f7d025d5d95c2230134c93f73dac461caa2

SHA512
71739ea2088199b63b926c2edfc2df61cadffb138091aa254b23dd8c2be12e9937b66b25b45c69b5e618e4f3eb68aa75bff6910419f6d95c8d31b9c8371f9e01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nzg-czbg.cmdline

Filesize
349B

MD5
463585653644d862bd114ce5b820ecfe

SHA1
84d2d2b061098e48864a77d1404c72e25ae223c3

SHA256
6d6e0e360b7927b0186f62ec312be9957ddd6585885785927a6851e47f02ea0b

SHA512
cdf4aa6d31116c6704cc76c0a21ed0f0a0bbd821635363ff652f16c66e5f9d60141e6631b42114357d9d27c83c40e295603eac75f979a7bbc16c17a8cf9f5f18

Download Submit
memory/2588-28-0x00007FFB16BB0000-0x00007FFB17551000-memory.dmp

Filesize
9.6MB

Download
memory/2588-1076-0x000000001C180000-0x000000001C196000-memory.dmp

Filesize
88KB

Download
memory/2588-32-0x000000001CBF0000-0x000000001CC8C000-memory.dmp

Filesize
624KB

Download
memory/2588-31-0x000000001C680000-0x000000001CB4E000-memory.dmp

Filesize
4.8MB

Download
memory/2588-25-0x00007FFB16BB0000-0x00007FFB17551000-memory.dmp

Filesize
9.6MB

Download
memory/2588-1741-0x00007FFB16BB0000-0x00007FFB17551000-memory.dmp

Filesize
9.6MB

Download
memory/2588-18-0x00007FFB16E65000-0x00007FFB16E66000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2924-1849-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2924-5-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2924-4-0x0000000004CA0000-0x0000000004D3C000-memory.dmp

Filesize
624KB

Download
memory/2924-3-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/2924-2-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/2924-1-0x00000000000A0000-0x00000000001EC000-memory.dmp

Filesize
1.3MB

Download
memory/3508-1809-0x0000000006180000-0x00000000061AA000-memory.dmp

Filesize
168KB

Download
memory/3508-1877-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-70-0x0000000040000000-0x0000000040419000-memory.dmp

Filesize
4.1MB

Download
memory/3508-57-0x0000000040000000-0x0000000040224000-memory.dmp

Filesize
2.1MB

Download
memory/3508-69-0x00000000059E0000-0x00000000059EE000-memory.dmp

Filesize
56KB

Download
memory/3508-45-0x00000000061F0000-0x00000000062DE000-memory.dmp

Filesize
952KB

Download
memory/3508-79-0x0000000040000000-0x000000004177D000-memory.dmp

Filesize
23.5MB

Download
memory/3508-84-0x0000000040000000-0x0000000040A99000-memory.dmp

Filesize
10.6MB

Download
memory/3508-102-0x0000000040000000-0x00000000400B8000-memory.dmp

Filesize
736KB

Download
memory/3508-96-0x0000000040000000-0x000000004017F000-memory.dmp

Filesize
1.5MB

Download
memory/3508-90-0x0000000040000000-0x0000000040063000-memory.dmp

Filesize
396KB

Download
memory/3508-246-0x0000000040000000-0x0000000040084000-memory.dmp

Filesize
528KB

Download
memory/3508-51-0x0000000006190000-0x0000000006242000-memory.dmp

Filesize
712KB

Download
memory/3508-52-0x0000000006191000-0x0000000006204000-memory.dmp

Filesize
460KB

Download
memory/3508-39-0x00000000060A0000-0x000000000612E000-memory.dmp

Filesize
568KB

Download
memory/3508-35-0x00000000059B0000-0x00000000059B8000-memory.dmp

Filesize
32KB

Download
memory/3508-34-0x00000000059A0000-0x00000000059A8000-memory.dmp

Filesize
32KB

Download
memory/3508-1068-0x0000000040000000-0x0000000040008000-memory.dmp

Filesize
32KB

Download
memory/3508-33-0x0000000005990000-0x00000000059A2000-memory.dmp

Filesize
72KB

Download
memory/3508-29-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3508-1126-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1137-0x0000000006180000-0x00000000061B0000-memory.dmp

Filesize
192KB

Download
memory/3508-1138-0x00000000061D0000-0x0000000006244000-memory.dmp

Filesize
464KB

Download
memory/3508-1130-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download
memory/3508-1064-0x0000000040000000-0x0000000040008000-memory.dmp

Filesize
32KB

Download
memory/3508-1053-0x0000000040000000-0x0000000040008000-memory.dmp

Filesize
32KB

Download
memory/3508-30-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/3508-1348-0x0000000006160000-0x000000000616A000-memory.dmp

Filesize
40KB

Download
memory/3508-1341-0x0000000040000000-0x0000000040020000-memory.dmp

Filesize
128KB

Download
memory/3508-1352-0x0000000040000000-0x000000004000E000-memory.dmp

Filesize
56KB

Download
memory/3508-1403-0x0000000040000000-0x0000000040094000-memory.dmp

Filesize
592KB

Download
memory/3508-1732-0x0000000006190000-0x00000000061D0000-memory.dmp

Filesize
256KB

Download
memory/3508-24-0x0000000005360000-0x00000000053BC000-memory.dmp

Filesize
368KB

Download
memory/3508-1804-0x0000000006170000-0x0000000006188000-memory.dmp

Filesize
96KB

Download
memory/3508-1808-0x0000000006190000-0x00000000061A6000-memory.dmp

Filesize
88KB

Download
memory/3508-23-0x0000000002D70000-0x0000000002D7E000-memory.dmp

Filesize
56KB

Download
memory/3508-1810-0x0000000006160000-0x0000000006168000-memory.dmp

Filesize
32KB

Download
memory/3508-1811-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1812-0x0000000006170000-0x0000000006190000-memory.dmp

Filesize
128KB

Download
memory/3508-1813-0x0000000006180000-0x00000000061A6000-memory.dmp

Filesize
152KB

Download
memory/3508-20-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3508-1871-0x0000000040000000-0x000000004003E000-memory.dmp

Filesize
248KB

Download
memory/3508-1872-0x0000000006180000-0x00000000061AC000-memory.dmp

Filesize
176KB

Download
memory/3508-1873-0x0000000006160000-0x0000000006168000-memory.dmp

Filesize
32KB

Download
memory/3508-1874-0x0000000006160000-0x000000000616A000-memory.dmp

Filesize
40KB

Download
memory/3508-1875-0x0000000006180000-0x00000000061A4000-memory.dmp

Filesize
144KB

Download
memory/3508-1876-0x0000000006180000-0x00000000061A8000-memory.dmp

Filesize
160KB

Download
memory/3508-63-0x0000000040000000-0x0000000040048000-memory.dmp

Filesize
288KB

Download
memory/3508-1878-0x0000000006160000-0x000000000616A000-memory.dmp

Filesize
40KB

Download
memory/3508-1879-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/3508-1880-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/3508-1881-0x0000000006160000-0x0000000006168000-memory.dmp

Filesize
32KB

Download
memory/3508-1882-0x0000000006160000-0x000000000616A000-memory.dmp

Filesize
40KB

Download
memory/3508-1883-0x0000000006160000-0x000000000616E000-memory.dmp

Filesize
56KB

Download
memory/3508-1884-0x0000000006170000-0x0000000006184000-memory.dmp

Filesize
80KB

Download
memory/3508-1885-0x0000000006160000-0x0000000006170000-memory.dmp

Filesize
64KB

Download
memory/3508-1886-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1887-0x0000000006180000-0x00000000061A8000-memory.dmp

Filesize
160KB

Download
memory/3508-1888-0x0000000006160000-0x000000000616A000-memory.dmp

Filesize
40KB

Download
memory/3508-1889-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1890-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1891-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1892-0x0000000006170000-0x0000000006184000-memory.dmp

Filesize
80KB

Download
memory/3508-1893-0x0000000006170000-0x0000000006188000-memory.dmp

Filesize
96KB

Download
memory/3508-1894-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1895-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1896-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1897-0x0000000006160000-0x0000000006170000-memory.dmp

Filesize
64KB

Download
memory/3508-1898-0x0000000006160000-0x000000000616E000-memory.dmp

Filesize
56KB

Download
memory/3508-1899-0x0000000006180000-0x00000000061A2000-memory.dmp

Filesize
136KB

Download
memory/3508-1900-0x0000000006170000-0x000000000618C000-memory.dmp

Filesize
112KB

Download
memory/3508-1901-0x0000000006170000-0x0000000006184000-memory.dmp

Filesize
80KB

Download
memory/3508-1902-0x0000000006170000-0x000000000618A000-memory.dmp

Filesize
104KB

Download
memory/3508-1903-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-1904-0x0000000006160000-0x000000000616E000-memory.dmp

Filesize
56KB

Download
memory/3508-1905-0x0000000006170000-0x0000000006188000-memory.dmp

Filesize
96KB

Download
memory/3508-1906-0x0000000006170000-0x0000000006182000-memory.dmp

Filesize
72KB

Download
memory/3508-1907-0x0000000006160000-0x000000000616E000-memory.dmp

Filesize
56KB

Download
memory/3508-1915-0x0000000006170000-0x000000000617A000-memory.dmp

Filesize
40KB

Download
memory/3508-1919-0x0000000006170000-0x0000000006178000-memory.dmp

Filesize
32KB

Download
memory/3508-1927-0x0000000006190000-0x00000000061AC000-memory.dmp

Filesize
112KB

Download
memory/3508-1939-0x0000000006190000-0x00000000061AC000-memory.dmp

Filesize
112KB

Download
memory/3508-1948-0x0000000006160000-0x0000000006168000-memory.dmp

Filesize
32KB

Download
memory/3508-1953-0x0000000006160000-0x0000000006168000-memory.dmp

Filesize
32KB

Download
memory/3508-1961-0x0000000006170000-0x0000000006178000-memory.dmp

Filesize
32KB

Download
memory/3508-2000-0x0000000006180000-0x00000000061A6000-memory.dmp

Filesize
152KB

Download
memory/3508-1999-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/3508-1992-0x0000000006180000-0x00000000061A8000-memory.dmp

Filesize
160KB

Download
memory/3508-1982-0x0000000006170000-0x000000000617E000-memory.dmp

Filesize
56KB

Download
memory/3508-1970-0x0000000006190000-0x00000000061A2000-memory.dmp

Filesize
72KB

Download
memory/3508-1962-0x0000000006160000-0x000000000616E000-memory.dmp

Filesize
56KB

Download
memory/3508-1991-0x0000000006180000-0x00000000061AA000-memory.dmp

Filesize
168KB

Download
memory/3508-1986-0x0000000006170000-0x000000000617A000-memory.dmp

Filesize
40KB

Download
memory/3508-2001-0x0000000006160000-0x000000000616C000-memory.dmp

Filesize
48KB

Download
memory/3508-2002-0x0000000006160000-0x000000000616A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads