Malware Analysis Report

2025-01-22 15:04

Sample ID 240205-bk9nkahbdj
Target 02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c
SHA256 02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c
Tags
orcus evasion rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c

Threat Level: Known bad

The file 02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c was found to be: Known bad.

Malicious Activity Summary

orcus evasion rat spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

UAC bypass

Orcus

Orcurs Rat Executable

Orcus main payload

Orcus family

Contains code to disable Windows Defender

Orcurs Rat Executable

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-05 01:13

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-05 01:13

Reported

2024-02-05 01:15

Platform

win7-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 4.tcp.eu.ngrok.io | N/A | N/A
N/A | 4.tcp.eu.ngrok.io | N/A | N/A
N/A | 4.tcp.eu.ngrok.io | N/A | N/A
N/A | 4.tcp.eu.ngrok.io | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
File opened for modification | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
File created | C:\Program Files (x86)\Steam Helper\Steam.exe.config | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2176 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2176 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2176 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2176 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 2176 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 2176 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 2176 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 1900 wrote to memory of 2472 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 1900 wrote to memory of 2472 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 1900 wrote to memory of 2472 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 1900 wrote to memory of 2472 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Steam Helper\Steam.exe
PID 2940 wrote to memory of 676 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 676 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 676 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 676 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 2940 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 2940 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 2940 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 2940 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 2940 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 2940 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Steam Helper\Steam.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 1636 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 1636 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 1636 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 1636 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 1636 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 1636 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 1636 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe | C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe

"C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Program Files (x86)\Steam Helper\Steam.exe

"C:\Program Files (x86)\Steam Helper\Steam.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {241F0569-14D0-4188-8679-7EDDFE62F95C} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\Program Files (x86)\Steam Helper\Steam.exe

"C:\Program Files (x86)\Steam Helper\Steam.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Update Defender.exe" /watchProcess "C:\Program Files (x86)\Steam Helper\Steam.exe" 2940 "/protectFile"

C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Update Defender.exe" /launchSelfAndExit "C:\Program Files (x86)\Steam Helper\Steam.exe" 2940 /protectFile

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 3.127.253.86:14390 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 3.127.59.75:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.127.59.75:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.127.59.75:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.127.59.75:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.127.59.75:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.127.59.75:14390 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 52.28.112.211:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 52.28.112.211:14390 | 4.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp
DE | 3.121.139.82:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.121.139.82:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.121.139.82:14390 | 4.tcp.eu.ngrok.io | tcp
DE | 3.121.139.82:14390 | 4.tcp.eu.ngrok.io | tcp

Files

memory/2176-0-0x0000000000BB0000-0x0000000000CBC000-memory.dmp

memory/2176-1-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2176-2-0x0000000004A90000-0x0000000004AD0000-memory.dmp

memory/2176-3-0x0000000000330000-0x000000000033E000-memory.dmp

memory/2176-4-0x0000000000B10000-0x0000000000B6C000-memory.dmp

memory/2176-5-0x0000000000990000-0x00000000009A2000-memory.dmp

memory/2176-9-0x0000000000A20000-0x0000000000A28000-memory.dmp

memory/2176-8-0x0000000000A10000-0x0000000000A18000-memory.dmp

memory/2176-7-0x0000000000A00000-0x0000000000A0A000-memory.dmp

memory/2176-10-0x0000000000A30000-0x0000000000A38000-memory.dmp

memory/2176-6-0x00000000009F0000-0x00000000009F8000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2280-20-0x00000000000F0000-0x00000000000FC000-memory.dmp

memory/2280-21-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

memory/2280-22-0x00000000022F0000-0x0000000002370000-memory.dmp

memory/2280-25-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

memory/2588-27-0x0000000001210000-0x000000000121C000-memory.dmp

memory/2588-28-0x000007FEF4BA0000-0x000007FEF558C000-memory.dmp

memory/2588-29-0x0000000000B80000-0x0000000000C00000-memory.dmp

memory/1644-36-0x000000006D660000-0x000000006DC0B000-memory.dmp

memory/1644-37-0x000000006D660000-0x000000006DC0B000-memory.dmp

memory/1644-38-0x00000000027E0000-0x0000000002820000-memory.dmp

memory/1644-39-0x00000000027E0000-0x0000000002820000-memory.dmp

memory/1644-40-0x000000006D660000-0x000000006DC0B000-memory.dmp

\Program Files (x86)\Steam Helper\Steam.exe

MD5 d193a29579532107f3eb50bcc2460768
SHA1 0da00fc0b2173a44e690ef825d3724027f27f7c9
SHA256 c9ff75149cbf26a5c780c500a60dda473f1f8cdf4e8fa6b80f94bf12db28e6a6
SHA512 32143edcfb02bd979c0824d23a4dea8ebd3ca299cf18417fe9520c80be01730e8c9ee815904b80f95d10761cee612f85899b58529a4acf0775d379f8f818cf02

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 4b1cc829c9de48746263c44e824d2c3d
SHA1 402572409e2ccd9da2d4e15b9f032a6efcc0e697
SHA256 170836ea19a0b576df0559fe676c685957ac9c4afdce1a7d0bb9055b9c11bcab
SHA512 6bac201be80a689c8683f5f1a1c3ff4544963456944a27f3749192c90ef5f74ef61f5c17225ddb064615fed4053a912846db1c3bf87a9f3785133987a3ad6f85

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 d7b389d0da1af1f59b4930528b8c64ae
SHA1 6d0b125db65dddd81baf5deb950a90d9186e2a21
SHA256 d19ebf87e911e396d560b0b9fcb0df2a12c1e32f0fe49da09c94d7f73e9ec467
SHA512 77e37f6eafcecc71c8eb21b4108b3e3ce50b5e07936bfccb9d16477c8d7f3ec3b345991abd00e5dea61dbc77da87c883f90761b40f6b6b0f836153d40cff19cb

memory/2940-50-0x00000000743A0000-0x0000000074A8E000-memory.dmp

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 bad5bc3c8c0fb75a077ad27126d9d830
SHA1 2a1edae298c1d34da4acac238c79dcbe6980c5ed
SHA256 a318aa555fda435c264aca27c0ca36107739510c816a5be7737003bd444f489e
SHA512 a4d73f7b5bda694f6fd9900e461c4da4fcc8311d63efc62c19768d1bec944cdbc25ee4f1458a1330f87acf7bc4da9a0ca6d5bc4bd871d7fecda7676d121f66d6

memory/2940-51-0x0000000000CF0000-0x0000000000DFC000-memory.dmp

memory/2176-48-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2940-52-0x00000000003C0000-0x0000000000400000-memory.dmp

memory/2940-53-0x0000000000410000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_381f52cc4da947c788fee861bc207f0e.dat

MD5 8b90a6c99330a3291e6ea45ab7097401
SHA1 9e4087f7c2aa963364631dc59abef4445c582d4d
SHA256 ad6de8f4b10e7d470b0480d67eb740724d7215b7aca4be073ee08944a7ae8190
SHA512 6ecabe8d61ab4c9ce847c8d86f99867546477c0045bd9606f5eb198014779321882d654ef388196fc5b85ed986f4824c3bd308f0237de21fd97066871ddc936e

memory/2940-56-0x0000000005140000-0x000000000518E000-memory.dmp

memory/2940-57-0x00000000046F0000-0x0000000004708000-memory.dmp

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 1aadd7da7bb740805a4a6c0776791a5a
SHA1 8ddfe861889c4113cedcaff71a922b8822b36034
SHA256 7804122ad6595e824a0ef34faa11eb29431d6f63cf6355eaff6d930649ce4d38
SHA512 a62aa89fa5a5cc789f4d50750cab9950d46af86cdd91266c77e188396da2216bdebee76d642d2d3ea85e8e8101f76d92b3139fe7a478c157551851b5dd2a7741

memory/2940-58-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/2472-60-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2940-62-0x00000000003C0000-0x0000000000400000-memory.dmp

memory/2472-61-0x0000000004AC0000-0x0000000004B00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 81118bcf5a39264d4a095760693b1e59
SHA1 585c463cd5fe0464ffb703725d0eda560110ab85
SHA256 02a25a2ae0cea1c7a11f2f82a81370f9085f963eafa12cbe9ea71ad7b73dadef
SHA512 4584db4fc4dd2228d944f956f7d883870fa8fb8614ae5c9cd2bd7f1cf002f84cdfc1041484efca3d68ab3c8e9ca21ff5205fc692cfeb721cbd9043612467e487

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PX8G1CXD61TIHHI6HM52.temp

MD5 331ec88a329255afba5881181323b42b
SHA1 5697e9361d22019b4ca1255770efab8a34675bad
SHA256 cbf3bb6b7c0e5a7541802508db3166e7d207cf14324c4a58d82461f6f330ecec
SHA512 080316c0aa134441cc6b5af51d90969069fe00c0e73975c461d0112908ac18888bb65640bdbadb1bca59560462a1e1e538c8fdf5288549518acb1e98e16f20eb

memory/2588-68-0x000007FEF4BA0000-0x000007FEF558C000-memory.dmp

memory/676-70-0x0000000002820000-0x0000000002860000-memory.dmp

memory/676-71-0x000000006C2D0000-0x000000006C87B000-memory.dmp

memory/676-73-0x000000006C2D0000-0x000000006C87B000-memory.dmp

memory/676-72-0x0000000002820000-0x0000000002860000-memory.dmp

memory/676-69-0x000000006C2D0000-0x000000006C87B000-memory.dmp

memory/1636-84-0x0000000000070000-0x0000000000078000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/1636-89-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/628-88-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/1636-87-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2472-90-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2940-91-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2940-92-0x00000000003C0000-0x0000000000400000-memory.dmp

memory/2940-93-0x00000000003C0000-0x0000000000400000-memory.dmp

memory/628-94-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-05 01:13

Reported

2024-02-05 01:15

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Program Files (x86)\Steam Helper\Steam.exe | N/A

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Update Defender.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Program Files (x86)\Steam Helper\Steam.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 4.tcp.eu.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Steam Helper\Steam.exe C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
File opened for modification C:\Program Files (x86)\Steam Helper\Steam.exe C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
File created C:\Program Files (x86)\Steam Helper\Steam.exe.config C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
N/A N/A C:\Program Files (x86)\Steam Helper\Steam.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Update Defender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Update Defender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Update Defender.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Steam Helper\Steam.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 5000 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe C:\Program Files (x86)\Steam Helper\Steam.exe
PID 1700 wrote to memory of 1268 N/A C:\Program Files (x86)\Steam Helper\Steam.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 4268 N/A C:\Program Files (x86)\Steam Helper\Steam.exe C:\Users\Admin\AppData\Local\Temp\Update Defender.exe
PID 4268 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Update Defender.exe C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Program Files (x86)\Steam Helper\Steam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Program Files (x86)\Steam Helper\Steam.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe

"C:\Users\Admin\AppData\Local\Temp\02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Program Files (x86)\Steam Helper\Steam.exe

"C:\Program Files (x86)\Steam Helper\Steam.exe"

C:\Program Files (x86)\Steam Helper\Steam.exe

"C:\Program Files (x86)\Steam Helper\Steam.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Update Defender.exe" /launchSelfAndExit "C:\Program Files (x86)\Steam Helper\Steam.exe" 1700 /protectFile

C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Update Defender.exe" /watchProcess "C:\Program Files (x86)\Steam Helper\Steam.exe" 1700 "/protectFile"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 4.tcp.eu.ngrok.io udp
DE 52.28.112.211:14390 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.127.59.75:14390 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.121.139.82:14390 4.tcp.eu.ngrok.io tcp

Files

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_diimqcdp.4ij.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 2bb5fe7282480f4ad63f33c0f6602835
SHA1 b26384a4574e3be3af772b728632523a9ccf6960
SHA256 b7d898eaff0d6fde2fcf234c535a3010e546282714167e0c99e3dc7012a14401
SHA512 15cdd8fb1d7e1b09d56f342fdbb34ae20a74a5fe77e67c1714cff5a0c52707f2f28192f4a819f80443e96c8a11760a57afaa1b40d8edd08bcedae4245920daae

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 597f915ad40219e0ee3785c960382ec9
SHA1 c77bbda401fee1c4916a7637f9366b33421e80c7
SHA256 46978e5af29f7b9551f799ad1a39844c2ff9b2dbf6fcd1c8adb524e1a9bc6a73
SHA512 f5bf385d66c7b43d9d973fd0f14b9414b6c467b19f31b7f8255eaeebbe16532238392adc70ff6767cfe251dca023e35259c123d82920ea3e0bfb71189ab07bec

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 a21fdf2241cda9cf394bb68eb1d4df6f
SHA1 1ce1260986eb196f163df08e3f91261f605b1f92
SHA256 a9245761d171752e1bbcc02a1e3f67ac768afebd0aa71ea501b95f5c1a0c8d67
SHA512 110522327577d054fff4ae0831222db4d10ab79916f480a8620b1fadacec2d50c97ed24545f8f6dc788aeda9550be33700c96d53164e4b5c858a281cda19b0da

C:\Users\Admin\AppData\Roaming\Orcus\err_381f52cc4da947c788fee861bc207f0e.dat

MD5 aba5f22dd736812f16972d2cd9533fc5
SHA1 e29cf34f36a14a02cfac6089716481dcefadeeb1
SHA256 be8f2ae553602373baf09880d938ed79f36ec36b3e5f50d21277fc002762eb19
SHA512 fb4b3a69d22e94bc8f67ba945dc2ca62a0a4f4bf341109239c2d68398c0d00713327412768d64e32f276ff0a46b14d9a2dd55edb76b42ccb57f71e1f561c9125

C:\Program Files (x86)\Steam Helper\Steam.exe

MD5 d4b4d2772b739515c9246ae04e2a19dd
SHA1 b1c9e1de1a499102e07580270e1ac9f87b398010
SHA256 0e2f475d0f3d167a422946e39f71885d4c309d565e33911d8647679e562d817d
SHA512 118d3b27dcba83423f8183c00c254660fabadd58410d045fef72b595a71d826a3655b2418dc8f77693f84b6c32b4a2e311c255bb8aaf0af9d6ebe2276f81a054

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e38cf80ccd733d12acd8ed657fa76a0f
SHA1 580e49e1b482dcf0480cefe6d5bf8f0331732296
SHA256 47996c1354ee704ef75a94ae2217033da52695ca164573023cda951bdec728be
SHA512 ed7056b56d6cd0fd42f9bb716c647ed21f988231aa0817f28be7fceab199a274a479af4e7b77b86ed298b6734b39c2e6714d46bd6bd408d9862a77d97013bc12

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 abf637a648626a696ff525fc658665dc
SHA1 6a899fee14f0aefea5e34f9aa4d14b878dab52fa
SHA256 208fba8a0e97fecdda6c8e115f83d6fe14c2a5683c82e3168befe026119aeaed
SHA512 c8ec7aab05723a6c5c4271dbe6ae8a067a6ee8c7eb79d7277285c8a9f649ca6394c9c9c18555cd63019b57a3d1273fb86e839186f367d5277cb62f62ebc0ecad

C:\Users\Admin\AppData\Local\Temp\Update Defender.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update Defender.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1