Malware Analysis Report

2025-03-15 06:47

Sample ID 250113-gps49s1qgk
Target 5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe
SHA256 5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3
Tags: winzip orcus discovery rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3

Threat Level: Known bad

The file 5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe was found to be: Known bad.

Malicious Activity Summary

winzip orcus discovery rat spyware stealer

Orcus

Orcus RAT Executable

Orcus main payload

Orcus family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-13 05:59

Signatures

Orcus RAT Executable

(no per-event indicators recorded for a static match)

Orcus family

orcus

Orcus main payload

(no per-event indicators recorded for a static match)

Unsigned PE

(no per-event indicators recorded for a static match)

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

debian9-mipsel-20240611-en

Max time kernel

0s (the sample is a Windows PE and cannot execute on this Linux/MIPS platform; the empty run that follows is expected and is not evidence of sandbox evasion)

Command Line

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Signatures

N/A

Processes

/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

android-x86-arm-20240624-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

The single packet is multicast DNS (224.0.0.251:5353) from the Android emulator itself. The Windows PE does not run on this platform, so this is background traffic, not sample activity.

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

debian9-armhf-20240611-en

Max time kernel

0s (the sample is a Windows PE and cannot execute on this Linux/ARM platform; the empty run that follows is expected and is not evidence of sandbox evasion)

Command Line

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Signatures

N/A

Processes

/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

debian9-mipsbe-20240729-en

Max time kernel

0s (the sample is a Windows PE and cannot execute on this Linux/MIPS platform; the empty run that follows is expected and is not evidence of sandbox evasion)

Command Line

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Signatures

N/A

Processes

/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 06:14

Platform

win7-20240903-en

Max time kernel

900s

Max time network

891s

Command Line

C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

(no per-event indicators recorded; family match on the binary)

Orcus RAT Executable

(no per-event indicators recorded; matched twice, once for the submitted file and once for the dropped copy)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

WindowsInput.InstallState is the state file that the .NET installer framework (System.Configuration.Install, the machinery behind InstallUtil) writes when an installer class runs, so WindowsInput.exe --install is consistent with the helper registering itself as a Windows service. Writing into SysWOW64 also requires the sample to be running elevated.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\winzip data\winzip.exe | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File opened for modification | C:\Program Files\winzip data\winzip.exe | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File created | C:\Program Files\winzip data\winzip.exe.config | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A | 2

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A | 32
N/A | N/A | C:\Program Files\winzip data\winzip.exe | N/A | 32

The two binaries enumerate the process list alternately for the whole run, which is what the /watchProcess watchdog needs in order to notice when its partner dies and restart it.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\winzip data\winzip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\winzip data\winzip.exe | N/A

Suspicious use of WriteProcessMemory

Every row pairs a parent with a child it started, and the write counts (3 to 4 per pair) are what the CreateProcess path produces while it sets up a new child. Read this table as the process tree rather than as code injection into an unrelated process.

Source PID | Target PID | Writes | Process | Target
1552 | 2896 | 3 | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
2896 | 996 | 3 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
1552 | 2580 | 3 | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | C:\Windows\SysWOW64\WindowsInput.exe
1552 | 2828 | 3 | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | C:\Program Files\winzip data\winzip.exe
2564 | 2944 | 3 | C:\Windows\system32\taskeng.exe | C:\Program Files\winzip data\winzip.exe
2828 | 1972 | 4 | C:\Program Files\winzip data\winzip.exe | C:\Users\Admin\AppData\Local\Temp\winzip.exe
1972 | 1196 | 4 | C:\Users\Admin\AppData\Local\Temp\winzip.exe | C:\Users\Admin\AppData\Local\Temp\winzip.exe
2564 | 648 | 3 | C:\Windows\system32\taskeng.exe | C:\Program Files\winzip data\winzip.exe
2564 | 1256 | 3 | C:\Windows\system32\taskeng.exe | C:\Program Files\winzip data\winzip.exe

The three launches from taskeng.exe (PID 2564) are the scheduled task created through the Task Scheduler COM API firing during the run, which confirms the persistence mechanism rather than merely the API call.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe

C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsk8fmjf.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD470.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD44F.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {EC4C05F2-2AE2-424E-A66E-F6199843DD4A} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"

C:\Users\Admin\AppData\Local\Temp\winzip.exe

"C:\Users\Admin\AppData\Local\Temp\winzip.exe" /launchSelfAndExit "C:\Program Files\winzip data\winzip.exe" 2828 /protectFile

C:\Users\Admin\AppData\Local\Temp\winzip.exe

"C:\Users\Admin\AppData\Local\Temp\winzip.exe" /watchProcess "C:\Program Files\winzip data\winzip.exe" 2828 "/protectFile"

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"
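As an added example, editor's code rather than anything from the sandbox or from Orcus itself: a small Python triage over process-creation events that encodes the four behaviours visible in the process list above (csc.exe compiling a response file out of Temp, WindowsInput.exe --install in SysWOW64, the /launchSelfAndExit and /watchProcess watchdog pair, and the scheduled-task host relaunching the dropped payload). The event record shape is a Sysmon-style assumption; the sample events are constructed from behavioral1's process list with parent PIDs taken from its WriteProcessMemory rows, and processes the report gives no parent for (the sample itself, taskeng.exe) are assigned ppid 0. Treating svchost.exe as a task host on Windows 10 is also an assumption; in production you would confirm "-s Schedule" on its command line.

```python
"""Editor's added example: process-tree triage for the Orcus install chain in
this report. Not sandbox or Orcus code. Event fields follow a Sysmon-style
process-creation record (assumption); parents the report does not name
(the sample's launcher, taskeng.exe's parent) are given ppid 0."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
CSC_RE = re.compile(r"\\csc\.exe$", re.IGNORECASE)
WINDOWSINPUT_RE = re.compile(r"\\SysWOW64\\WindowsInput\.exe$", re.IGNORECASE)
# Scheduled-task host: taskeng.exe on Windows 7; on Windows 10 the Schedule
# service runs inside svchost.exe (assumption: check "-s Schedule" in practice).
TASK_HOST_RE = re.compile(r"\\(taskeng|svchost)\.exe$", re.IGNORECASE)
# Watchdog switches taken from the report's command lines (compared lowercase).
WATCHDOG_FLAGS = ("/launchselfandexit", "/watchprocess", "/protectfile")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def triage(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) hits. Events must be in creation order so that a
    parent is seen before its children."""
    by_pid: Dict[int, ProcEvent] = {}
    dropped_images: Set[str] = set()   # binaries first started out of %TEMP%
    hits: List[Tuple[str, int]] = []
    for ev in events:
        by_pid[ev.pid] = ev
        parent = by_pid.get(ev.ppid)
        parent_image = parent.image if parent else ""
        parent_in_temp = TEMP_DIR_RE.search(parent_image) is not None
        image_lc, cmd_lc = ev.image.lower(), ev.cmdline.lower()
        # 1. Runtime C# compilation: csc.exe spawned by a Temp-resident process
        #    with a response file in Temp (the report's jsk8fmjf.cmdline).
        if CSC_RE.search(ev.image) and parent_in_temp and ".cmdline" in cmd_lc:
            hits.append(("runtime_csharp_compile", ev.pid))
        # 2. WindowsInput.exe dropped into SysWOW64 and registered with --install.
        if WINDOWSINPUT_RE.search(ev.image) and "--install" in cmd_lc:
            hits.append(("windowsinput_service_install", ev.pid))
        # 3. Watchdog pair: /launchSelfAndExit ... /protectFile, then /watchProcess.
        if any(flag in cmd_lc for flag in WATCHDOG_FLAGS):
            hits.append(("orcus_watchdog", ev.pid))
        # Remember binaries that a Temp-resident process started outside Temp.
        if parent_in_temp and not TEMP_DIR_RE.search(ev.image):
            dropped_images.add(image_lc)
        # 4. A scheduled-task host later relaunching one of those binaries.
        if TASK_HOST_RE.search(parent_image) and image_lc in dropped_images:
            hits.append(("scheduled_task_relaunch", ev.pid))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe"
NET = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
PAYLOAD = r"C:\Program Files\winzip data\winzip.exe"
WATCHDOG = r"C:\Users\Admin\AppData\Local\Temp\winzip.exe"
WININPUT = r"C:\Windows\SysWOW64\WindowsInput.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

# Constructed from behavioral1's process list; parent PIDs from its
# WriteProcessMemory rows. ppid 0 = parent not recorded in the report.
SAMPLE_EVENTS = [
    ProcEvent(1552, 0, SAMPLE, SAMPLE + r' cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"'),
    ProcEvent(2896, 1552, NET + r"\csc.exe",
              rf'"{NET}\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsk8fmjf.cmdline"'),
    ProcEvent(996, 2896, NET + r"\cvtres.exe",
              rf'{NET}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD470.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD44F.tmp"'),
    ProcEvent(2580, 1552, WININPUT, f'"{WININPUT}" --install'),
    ProcEvent(2828, 1552, PAYLOAD, f'"{PAYLOAD}"'),
    ProcEvent(2564, 0, TASKENG,
              r"taskeng.exe {EC4C05F2-2AE2-424E-A66E-F6199843DD4A} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]"),
    ProcEvent(2944, 2564, PAYLOAD, f'"{PAYLOAD}"'),
    ProcEvent(1972, 2828, WATCHDOG, f'"{WATCHDOG}" /launchSelfAndExit "{PAYLOAD}" 2828 /protectFile'),
    ProcEvent(1196, 1972, WATCHDOG, f'"{WATCHDOG}" /watchProcess "{PAYLOAD}" 2828 "/protectFile"'),
    ProcEvent(648, 2564, PAYLOAD, f'"{PAYLOAD}"'),
    ProcEvent(1256, 2564, PAYLOAD, f'"{PAYLOAD}"'),
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule:30s} pid={pid}")
```

Rule 4 is the one worth keeping when hunting beyond this sample: it needs no knowledge of the "winzip data" name, only that a binary first launched by something in Temp is later launched by the task scheduler. Rules 1 and 2 will also fire on legitimate .NET installers and on developer tooling, so treat them as enrichment for rule 3 and 4 hits rather than as stand-alone alerts.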

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | z3roxl33t.hopto.org | udp | 1
N/A | 192.168.10.13:7415 | N/A | tcp | 37

The payload resolves z3roxl33t.hopto.org (a No-IP dynamic-DNS hostname) once and then opens 37 TCP connections to 192.168.10.13:7415 over the 15-minute run, consistent with a client reconnecting to its C2 for the whole session. 192.168.10.13 is an RFC 1918 address, so it is either the sandbox's simulated network or a stale dynamic-DNS record pointing at a private host; do not use it as a network indicator. The hostname and the port (7415/tcp) are the reusable indicators.

Files

memory/1552-0-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp

memory/1552-1-0x0000000000DF0000-0x0000000000E4C000-memory.dmp

memory/1552-2-0x0000000000590000-0x000000000059E000-memory.dmp

memory/1552-6-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

memory/1552-8-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jsk8fmjf.cmdline

MD5 d60148b6635cafb32b7d5b4f82736923
SHA1 49c1dc137926d9278d2be7612bf986e2d14ca6f8
SHA256 1816e83b332d9484d708cfbf8a7c1de03f8010895a72dc3cf1bd3f5dc74cacac
SHA512 ffb7478fa7fbdc0b4cc4fad705252a66d2c9b4009a40eed7a8dd12a550dc1315a0894caed4ec27ae7fa9d2ce0e3af790e9063de870df37b5a6fd455de19b30c3

\??\c:\Users\Admin\AppData\Local\Temp\jsk8fmjf.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

memory/2896-10-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCD44F.tmp

MD5 f71b1c373188857d49f9d6f040039794
SHA1 b9145ea250f6ce6c6426e19471ffa3d8e8396117
SHA256 67b05155a30ac23a2b030a1bcc23d1464acfaa8a6bae334808795a80fb3c45bd
SHA512 e04b0e09b0808d708bb45d15b68904cac034ab8295f41a18b274883fc4e72b409387cee7f6c6736e19d48250af01a9818ea34ed42b051a41fb466eed78c698f8

C:\Users\Admin\AppData\Local\Temp\RESD470.tmp

MD5 c50ae84ba33eaca90b59d56c5542b9ce
SHA1 64f4cc2c22accb8159714c217c2ab76d016b0577
SHA256 37926c20db0d7537f450e2b5a1e414b747d64c71dacdbd87e787acff80c6957e
SHA512 cce36230b8f8e5cb5181469afae9ac64792dc6bb04227dc9ee553b60d0015d3d623e690bd0fb143b535b8265baaceabdd6bec9d242074325908dd174fe1bd4f6

memory/2896-17-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

memory/1552-19-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jsk8fmjf.dll

MD5 4946551a3ee63542d917e3f540947f01
SHA1 f73bea9e785d8fdc3285b0f824af12c2c43412a1
SHA256 4785e4e4b6079979468e966fbdb23a74d71816ddaf04d7ce2c3880a7fc4cff9f
SHA512 96297d939e984b217935f0eff0627bc5f1c0317ddfa498c65e794089e6429693b9f26cc32732587a2b61844d796642e58d267de29f41e47dffb5dbce8a90bcb8

memory/1552-21-0x0000000000630000-0x0000000000642000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/2580-29-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/2644-33-0x0000000000990000-0x000000000099C000-memory.dmp

C:\Program Files\winzip data\winzip.exe

MD5 ec7d1fc892a9e267847bfb476f07b25a
SHA1 3ef8f87e97e0cc38d82682837265036f10d5aa0b
SHA256 5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3 (identical to the submitted sample: the dropper copies itself into "Program Files\winzip data" and runs from there)
SHA512 5b7956b718d154896b89640ce659fee0c52a6963845e23350e38aa142674083b7d3be9657d5a30a5a7ac483bf8be46a29f7890afc9d8b5438d147c7c4f7c96f0

memory/1552-41-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

memory/2828-44-0x00000000008F0000-0x00000000009DA000-memory.dmp

memory/2828-45-0x0000000002230000-0x000000000227E000-memory.dmp

memory/2828-46-0x0000000002070000-0x0000000002088000-memory.dmp

memory/2828-47-0x0000000002090000-0x00000000020A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winzip.exe (a different binary from the payload above; this is the helper started with /launchSelfAndExit and /watchProcess, so it needs its own hash entry in any blocklist)

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/1972-57-0x00000000002A0000-0x00000000002A8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 06:14

Platform

win10v2004-20241007-en

Max time kernel

900s

Max time network

898s

Command Line

C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

(no per-event indicators recorded; family match on the binary)

Orcus RAT Executable

(no per-event indicators recorded; matched twice, once for the submitted file and once for the dropped copy)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\winzip data\winzip.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\winzip data\winzip.exe | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File opened for modification | C:\Program Files\winzip data\winzip.exe | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File created | C:\Program Files\winzip data\winzip.exe.config | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A | 2

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\winzip data\winzip.exe | N/A | 32
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A | 32

As on Windows 7, the payload and its Temp watchdog enumerate processes alternately for the whole run, consistent with /watchProcess polling for its partner.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\winzip data\winzip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\winzip.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\winzip data\winzip.exe | N/A

Suspicious use of WriteProcessMemory

As in the Windows 7 run, each row pairs a parent with a child it started and the write counts are those of process creation, so this table is the process tree rather than injection. Unlike Windows 7, no scheduled-task relaunch of the payload was captured within the 15-minute window.

Source PID | Target PID | Writes | Process | Target
4924 | 4016 | 2 | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
4016 | 4900 | 2 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
4924 | 4556 | 2 | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | C:\Windows\SysWOW64\WindowsInput.exe
4924 | 1952 | 2 | C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe | C:\Program Files\winzip data\winzip.exe
1952 | 2240 | 3 | C:\Program Files\winzip data\winzip.exe | C:\Users\Admin\AppData\Local\Temp\winzip.exe
2240 | 4948 | 3 | C:\Users\Admin\AppData\Local\Temp\winzip.exe | C:\Users\Admin\AppData\Local\Temp\winzip.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe

C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cksfq9mg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FA1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FA0.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"

C:\Users\Admin\AppData\Local\Temp\winzip.exe

"C:\Users\Admin\AppData\Local\Temp\winzip.exe" /launchSelfAndExit "C:\Program Files\winzip data\winzip.exe" 1952 /protectFile

C:\Users\Admin\AppData\Local\Temp\winzip.exe

"C:\Users\Admin\AppData\Local\Temp\winzip.exe" /watchProcess "C:\Program Files\winzip data\winzip.exe" 1952 "/protectFile"

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"

C:\Program Files\winzip data\winzip.exe

"C:\Program Files\winzip data\winzip.exe"
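The command lines above carry three tells worth turning into detection logic: csc.exe compiling a response file out of %TEMP% (code generated at run time), an executable in SysWOW64 installing itself with --install, and a second winzip.exe copy in %TEMP% guarding the Program Files copy with /launchSelfAndExit and /watchProcess ... /protectFile, the switches the Orcus watchdog uses. The script below is an added example, not part of this report or of any detection product; it runs three such rules over a hand-copied excerpt of the Processes list plus one constructed benign notepad.exe entry as a control. Rule names and the regex are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the Processes list in this report as (image path, command line)
# pairs, plus one constructed benign entry (notepad.exe) so a non-firing case is visible.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe",
     r'C:\Users\Admin\AppData\Local\Temp\5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"'),
    (r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cksfq9mg.cmdline"'),
    (r"C:\Windows\SysWOW64\WindowsInput.exe", r'"C:\Windows\SysWOW64\WindowsInput.exe" --install'),
    (r"C:\Program Files\winzip data\winzip.exe", r'"C:\Program Files\winzip data\winzip.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\winzip.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\winzip.exe" /launchSelfAndExit "C:\Program Files\winzip data\winzip.exe" 1952 /protectFile'),
    (r"C:\Users\Admin\AppData\Local\Temp\winzip.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\winzip.exe" /watchProcess "C:\Program Files\winzip data\winzip.exe" 1952 "/protectFile"'),
    (r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'),  # constructed control
]

# Response file (@file.cmdline) located somewhere under a \Temp\ directory.
TEMP_CMDLINE_RE = re.compile(r'@"?[^"\s]*\\temp\\[^"\s]*\.cmdline', re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str
    image: str
    cmdline: str


def rule_runtime_csc_compile(image: str, cmdline: str) -> bool:
    # csc.exe fed a response file from %TEMP%: source compiled on the fly (CodeDOM style),
    # something an end-user workstation almost never does outside a developer session.
    return (image.lower().endswith("\\csc.exe")
            and "/noconfig" in cmdline
            and TEMP_CMDLINE_RE.search(cmdline) is not None)


def rule_syswow64_self_install(image: str, cmdline: str) -> bool:
    # A binary that lives in SysWOW64 installing itself with --install rather than
    # arriving through an installer or sc.exe.
    return "\\syswow64\\" in image.lower() and "--install" in cmdline.lower()


def rule_protect_file_watchdog(image: str, cmdline: str) -> bool:
    # /protectFile together with /watchProcess or /launchSelfAndExit: one copy keeping
    # another alive and on disk, as in the Processes list above.
    low = cmdline.lower()
    return "/protectfile" in low and ("/watchprocess" in low or "/launchselfandexit" in low)


RULES = {
    "runtime_csc_compile": rule_runtime_csc_compile,
    "syswow64_self_install": rule_syswow64_self_install,
    "protect_file_watchdog": rule_protect_file_watchdog,
}


def scan(processes) -> list:
    """Apply every rule to every (image, cmdline) pair; return hits in list order."""
    return [Hit(name, image, cmdline)
            for image, cmdline in processes
            for name, fn in RULES.items()
            if fn(image, cmdline)]


if __name__ == "__main__":
    for h in scan(PROCESSES):
        print(f"{h.rule:24s} {h.image}")
```

Each rule is deliberately independent of the file name, because the name (winzip.exe here) is the part the operator picks; the SysWOW64 --install and the /protectFile pairing are the parts that survive a rename.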

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53          218.110.86.104.in-addr.arpa   udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          200.163.202.172.in-addr.arpa  udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          182.129.81.91.in-addr.arpa    udp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          202.110.86.104.in-addr.arpa   udp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
US       8.8.8.8:53          249.110.86.104.in-addr.arpa   udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          199.111.78.13.in-addr.arpa    udp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp
N/A      192.168.10.13:7415  -                             tcp
US       8.8.8.8:53          z3roxl33t.hopto.org           udp

Files

memory/4924-0-0x00007FFE11085000-0x00007FFE11086000-memory.dmp

memory/4924-1-0x00007FFE10DD0000-0x00007FFE11771000-memory.dmp

memory/4924-2-0x00007FFE10DD0000-0x00007FFE11771000-memory.dmp

memory/4924-3-0x000000001C020000-0x000000001C07C000-memory.dmp

memory/4924-6-0x000000001C210000-0x000000001C21E000-memory.dmp

memory/4924-8-0x000000001CC60000-0x000000001CCFC000-memory.dmp

memory/4924-7-0x000000001C6F0000-0x000000001CBBE000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cksfq9mg.cmdline

MD5 aad592e08550935088bca8f6cba41f10
SHA1 5d526c49c26e51038f15a1dd676e65e9b63b73b5
SHA256 5e8cba920aa0bf3d9222b3b1fa1217ec34448400dd34c7436a6e2c6d72d16f29
SHA512 abfc6a4ff089a1b6680f36a2d049519428f4855c0f60499da32c74bee85e538a74657a6982078c43ba64f8b3165ff7617f7001668cab907e3c15db58f9a24cba

\??\c:\Users\Admin\AppData\Local\Temp\cksfq9mg.0.cs

MD5 9b5a40792e41ad6011a089c067099858
SHA1 dd88b523ac049a24b7e4ec43bffc0d887f172723
SHA256 608c6f026223b00db244e4a9fab9e9a8b0593317e702d32e8e4ad67c89cfe80a
SHA512 3220f5489f3f7f6dd4ee359a2276f368c051ea17672699ef095e1350453950a8eba7d89a30c45937ee825c5646f80bcf1b4c30bb5253f8e66775ce671cd15dca

memory/4016-16-0x00007FFE10DD0000-0x00007FFE11771000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC7FA0.tmp

MD5 09e79024b0ee9de78bee2e5ac8d07beb
SHA1 7f58e0e16fe4c9ec3345434c576a205287d47f7a
SHA256 056e2a8ec4496ea760e5cd55fd12cb8c88903069bd06af78a9d2526a66abd1a8
SHA512 ded98adee0bf8759a08208e88ba5963713a31f3742840fd5e102c188a541f1be7e662b44c3bfd534470e5b5d48471db57f27d6fce861542b6e2ef72c332aceb5

C:\Users\Admin\AppData\Local\Temp\RES7FA1.tmp

MD5 44327856adb2afa918752480ff75a3b8
SHA1 00184d7240d6ea86ca2e6069a626b25a9208ca76
SHA256 8bff2b5ad877d2adc0a2bef83c0b741dc037af81d48990cfda6f27294409b049
SHA512 3203900aa3c31b81a74d22099e1dd7da7747cfbc9c955606095aef76c8f1fefceb79fb4e647f9be83340e7d577dd9302de623ba4369478d037c3e2f9f5584f97

memory/4016-21-0x00007FFE10DD0000-0x00007FFE11771000-memory.dmp

memory/4924-23-0x000000001CD30000-0x000000001CD46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cksfq9mg.dll

MD5 bc7d9ddbede3036f78b9aef5b668cbae
SHA1 ba47abcf6703b0fca26d1bcce8d5de346c4b5f12
SHA256 24fe8dee57d658c6e390746de351c8976e87e9dcef114c364b07b0b68a425cf5
SHA512 bcc00f685899821de23dfaa417c2a2a11663d5314348c1aa87378a102df28cbd13b9fc4cc52c45375f19096a63ec257215fadfe5ad29ca1a5efb293ed4fdd185

memory/4924-25-0x000000001BF80000-0x000000001BF92000-memory.dmp

memory/4924-26-0x000000001D360000-0x000000001D380000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4556-40-0x00007FFE0D9B3000-0x00007FFE0D9B5000-memory.dmp

memory/4556-41-0x0000000000480000-0x000000000048C000-memory.dmp

memory/4556-42-0x0000000000D60000-0x0000000000D72000-memory.dmp

memory/4556-43-0x000000001B0C0000-0x000000001B0FC000-memory.dmp

memory/3504-48-0x000000001ADA0000-0x000000001AEAA000-memory.dmp

C:\Program Files\winzip data\winzip.exe

MD5 ec7d1fc892a9e267847bfb476f07b25a
SHA1 3ef8f87e97e0cc38d82682837265036f10d5aa0b
SHA256 5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3
SHA512 5b7956b718d154896b89640ce659fee0c52a6963845e23350e38aa142674083b7d3be9657d5a30a5a7ac483bf8be46a29f7890afc9d8b5438d147c7c4f7c96f0

memory/4924-66-0x00007FFE10DD0000-0x00007FFE11771000-memory.dmp

memory/1952-65-0x0000000000680000-0x000000000076A000-memory.dmp

memory/1952-67-0x00000000028D0000-0x00000000028E2000-memory.dmp

memory/1952-68-0x0000000002A20000-0x0000000002A6E000-memory.dmp

memory/1952-70-0x0000000002A80000-0x0000000002A98000-memory.dmp

memory/1952-71-0x000000001BD90000-0x000000001BF52000-memory.dmp

memory/1952-72-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winzip.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2240-86-0x0000000000290000-0x0000000000298000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winzip.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winzip.exe.log

MD5 9be3069b2cf9222dde6c28dd9180a35a
SHA1 14b76614ed5c94c513b10ada5bd642e888fc1231
SHA256 5e4c38466764be178ea21ba3149d0580d25d035b57e081b3abb9c06a19cfd67a
SHA512 043256f38c20d8765ddf2f1d5912249bfbb017c0b630d24d9e4894f4a759dec66bf0ffaf878ac69e9dfd6db7ec5e090dd69de2333d83299ef43888c394398885

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

android-x64-20240624-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain  Proto
N/A      224.0.0.251:5353    -       udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

android-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain  Proto
N/A      224.0.0.251:5353    -       udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

macos-20241101-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-13 05:59

Reported

2025-01-13 05:59

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Signatures

N/A

Processes

/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe

[/tmp/5b8ec7a0faf0a5c275af5bb510aaecd93bc3358b4626f3eb5a13d891da34d8d3.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]

Network

N/A

Files

N/A