Analysis Overview
SHA256
a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b
Threat Level: Known bad
The file a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Orcurs Rat Executable
Orcus main payload
Orcus
UAC bypass
Contains code to disable Windows Defender
Orcus family
Orcurs Rat Executable
Checks computer location settings
Windows security modification
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-06 01:34
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 01:34
Reported
2024-02-06 01:37
Platform
win7-20231215-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Telegram Update = "\"C:\\Program Files (x86)\\Chrome Update\\Chrome Network.exe\"" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File created | C:\Program Files (x86)\Chrome Update\Chrome Network.exe.config | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe
"C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
"C:\Program Files (x86)\Chrome Update\Chrome Network.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {FBD9780A-D7BF-46CF-913E-D1CFD19F7A18} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
"C:\Program Files (x86)\Chrome Update\Chrome Network.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\AppData\Local\Temp\System Files.exe
"C:\Users\Admin\AppData\Local\Temp\System Files.exe" /launchSelfAndExit "C:\Program Files (x86)\Chrome Update\Chrome Network.exe" 868 /protectFile
C:\Users\Admin\AppData\Local\Temp\System Files.exe
"C:\Users\Admin\AppData\Local\Temp\System Files.exe" /watchProcess "C:\Program Files (x86)\Chrome Update\Chrome Network.exe" 868 "/protectFile"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.165:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:11649 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:11649 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/2052-0-0x0000000000310000-0x0000000000400000-memory.dmp
memory/2052-1-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2052-2-0x0000000004D10000-0x0000000004D50000-memory.dmp
memory/2052-3-0x0000000000300000-0x000000000030E000-memory.dmp
memory/2052-4-0x00000000005A0000-0x00000000005FC000-memory.dmp
memory/2052-5-0x00000000004F0000-0x0000000000502000-memory.dmp
memory/2052-6-0x0000000000510000-0x0000000000518000-memory.dmp
memory/2052-7-0x0000000000600000-0x000000000060A000-memory.dmp
memory/2052-8-0x0000000000650000-0x0000000000658000-memory.dmp
memory/2052-9-0x0000000000660000-0x0000000000668000-memory.dmp
memory/2052-10-0x0000000000670000-0x0000000000678000-memory.dmp
\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/2576-20-0x0000000000B90000-0x0000000000B9C000-memory.dmp
memory/2576-21-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2576-22-0x000000001B130000-0x000000001B1B0000-memory.dmp
memory/2576-25-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2740-27-0x000007FEF5510000-0x000007FEF5EFC000-memory.dmp
memory/2740-28-0x00000000199F0000-0x0000000019A70000-memory.dmp
memory/2372-35-0x000000006DF60000-0x000000006E50B000-memory.dmp
memory/2372-36-0x0000000002870000-0x00000000028B0000-memory.dmp
memory/2372-37-0x0000000002870000-0x00000000028B0000-memory.dmp
memory/2372-38-0x000000006DF60000-0x000000006E50B000-memory.dmp
memory/2372-39-0x000000006DF60000-0x000000006E50B000-memory.dmp
\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | c9745e509290205002b5391c335c47db |
| SHA1 | 28797998f1b4e8c3dbf9763525e50128e0baa950 |
| SHA256 | f2871f4307d0a0a13e60f02166fc91d16e2a50c6db9fa61f170fa742f0964ce0 |
| SHA512 | 0745b6d9dbdfd793550a6cad9f8cdbe85299e14428514c352498cf1c40911d25b66bdb06d345f1f1bf21a203cbb9133ae87f1937f61840b9c3787d87467842f8 |
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | a4603a8891eb9348c4c62866c6439d54 |
| SHA1 | 96a1ba81a8cf461a9f6b8174136cd0d5344ae82d |
| SHA256 | 566baba7b3d7b7b2afa951ae00f71bb9d79ba1b586befb1b80b7966b7c678424 |
| SHA512 | 1620d61cfba48e932ad8dfbc5127f28df4ac957ddde05630c7feb54498c8b957e0cf4272b79c28449d202eb51c89e9de19646ed781d94ec6f84e0e8905f0186c |
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | 857bf63eec0e560c0219a92ffe081a70 |
| SHA1 | 3a57ce4e0204808e207b5072aee7d6ef43744a72 |
| SHA256 | 8a3e146a0a8f22ead9b7c202a4a131cecb5f3dfd2ba356624a297e0febd4d3dc |
| SHA512 | d91aaa1389252312d27c7da32ea1c50867688a7cad540686e3e6f67664134f2bb7c4cf3b39a91545bd56e70753046856f432a3f8445edc60d715c3a0f3cc19d1 |
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | c9897f958b41abc1e28946ae05b046bc |
| SHA1 | a935c3914208532d1ad751f9297291bb15f00615 |
| SHA256 | 9b9a8d72a3e3763cebf66bca2259758e24ea57523414dd3ff453ecf51c03e42b |
| SHA512 | 37da26c7a8b5a599d536b9622dc1cd7b8c9d7f0e0729e62cbdfc94ab7637500d63b86a7915b3af19339d2007b868b22bbe2ab937bd373e4710de3aa6ad6f8dcc |
memory/868-48-0x0000000000F40000-0x0000000001030000-memory.dmp
memory/2052-49-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/868-50-0x0000000004AF0000-0x0000000004B30000-memory.dmp
memory/868-51-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2052-52-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2740-53-0x000007FEF5510000-0x000007FEF5EFC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\err_91ae58d9b49a47b0933d6314024a6ff7.dat
| MD5 | f653cdbb78fc13b54f5715a43ab69cb5 |
| SHA1 | c378b3677e8c35ef0cfdd06ed2da83066a096d76 |
| SHA256 | b9bbd94856b23e287fed9bc5f7818ff6b490428cd090f434205c9d92bf9b129b |
| SHA512 | f91077f70e4530cca616e07eb7773df4088346fc002fe5114a4b65873c540d8f86adf5985889964079dff7d90b63aa03ecb9d7b4b019e3e1d4055030a422564f |
memory/868-56-0x0000000000B60000-0x0000000000BAE000-memory.dmp
memory/868-57-0x0000000000DB0000-0x0000000000DC8000-memory.dmp
memory/868-58-0x0000000000F30000-0x0000000000F40000-memory.dmp
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | 075f8728127a0d9c0f7cad3a3f501d7e |
| SHA1 | f9ac4650449f0258e22340cc8dece5bc61f39897 |
| SHA256 | 7cdbb61bca9bbbe2e5375f75121e68d376e3f31e13e0bcfb30c1c7d232b11c8e |
| SHA512 | 066cbd9f48538c4f88157e9cb750c628f6c9879c32d84bc93918ec42b941c974493bc7ac89adced7d245e89519c31bc17beebe843921f84cd990dcd285118706 |
memory/1044-60-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/1044-61-0x0000000004AD0000-0x0000000004B10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 0a8efedad7daaa372940c5dfcc39cb69 |
| SHA1 | c70ead50a0ecd4e5a9589df2a073847d8cfd166e |
| SHA256 | d33769d8787d50690f3398432f606ff100a155485f02eb6b745abd24bdc3ceef |
| SHA512 | 48af885b2f3bbf41fdadbcf774ea4ea5d26b43c135c0b2a08518feb3da26a8bf456d2d798b6db33e42ad01c3a56c61032345ec276babc08529336f1ad795d715 |
memory/1920-67-0x000000006CC30000-0x000000006D1DB000-memory.dmp
memory/1920-68-0x0000000002890000-0x00000000028D0000-memory.dmp
memory/1920-69-0x000000006CC30000-0x000000006D1DB000-memory.dmp
memory/1920-70-0x0000000002890000-0x00000000028D0000-memory.dmp
memory/1920-71-0x0000000002890000-0x00000000028D0000-memory.dmp
memory/1920-72-0x000000006CC30000-0x000000006D1DB000-memory.dmp
\Users\Admin\AppData\Local\Temp\System Files.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/2852-84-0x00000000001B0000-0x00000000001B8000-memory.dmp
memory/2852-83-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2852-87-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/868-88-0x0000000004AF0000-0x0000000004B30000-memory.dmp
memory/2336-89-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/1044-90-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/868-91-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2336-92-0x0000000074CA0000-0x000000007538E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 01:34
Reported
2024-02-06 01:37
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Telegram Update = "\"C:\\Program Files (x86)\\Chrome Update\\Chrome Network.exe\"" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File created | C:\Program Files (x86)\Chrome Update\Chrome Network.exe.config | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| File created | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System Files.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Chrome Update\Chrome Network.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe
"C:\Users\Admin\AppData\Local\Temp\a29400e0ab5d6053fa0282250f76133714c09580e023a379728d37c6ba21317b.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
"C:\Program Files (x86)\Chrome Update\Chrome Network.exe"
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
"C:\Program Files (x86)\Chrome Update\Chrome Network.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\AppData\Local\Temp\System Files.exe
"C:\Users\Admin\AppData\Local\Temp\System Files.exe" /launchSelfAndExit "C:\Program Files (x86)\Chrome Update\Chrome Network.exe" 4704 /protectFile
C:\Users\Admin\AppData\Local\Temp\System Files.exe
"C:\Users\Admin\AppData\Local\Temp\System Files.exe" /watchProcess "C:\Program Files (x86)\Chrome Update\Chrome Network.exe" 4704 "/protectFile"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:11649 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.209.94:11649 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.125.209.94:11649 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| DE | 3.125.209.94:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:11649 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:11649 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:11649 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/1716-0-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/1716-1-0x00000000001D0000-0x00000000002C0000-memory.dmp
memory/1716-2-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/1716-3-0x0000000004BA0000-0x0000000004BAE000-memory.dmp
memory/1716-4-0x0000000004C50000-0x0000000004CAC000-memory.dmp
memory/1716-5-0x0000000005350000-0x00000000058F4000-memory.dmp
memory/1716-6-0x0000000004E40000-0x0000000004ED2000-memory.dmp
memory/1716-7-0x0000000004E30000-0x0000000004E42000-memory.dmp
memory/1716-8-0x00000000052E0000-0x00000000052E8000-memory.dmp
memory/1716-12-0x0000000005320000-0x0000000005328000-memory.dmp
memory/1716-11-0x0000000005310000-0x0000000005318000-memory.dmp
memory/1716-13-0x0000000005970000-0x00000000059D6000-memory.dmp
memory/1716-10-0x0000000005300000-0x0000000005308000-memory.dmp
memory/1716-9-0x00000000052F0000-0x00000000052FA000-memory.dmp
memory/1716-14-0x0000000006000000-0x0000000006618000-memory.dmp
memory/1716-15-0x0000000005A30000-0x0000000005A42000-memory.dmp
memory/1716-16-0x0000000005A90000-0x0000000005ACC000-memory.dmp
memory/1716-17-0x0000000005AD0000-0x0000000005B1C000-memory.dmp
memory/1716-18-0x0000000005C50000-0x0000000005D5A000-memory.dmp
memory/1716-20-0x0000000006750000-0x0000000006772000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/2944-34-0x00000000005E0000-0x00000000005EC000-memory.dmp
memory/2944-35-0x00007FFC08EE0000-0x00007FFC099A1000-memory.dmp
memory/2944-38-0x000000001B3D0000-0x000000001B3E0000-memory.dmp
memory/2944-36-0x0000000000DC0000-0x0000000000DD2000-memory.dmp
memory/2944-37-0x00000000026D0000-0x000000000270C000-memory.dmp
memory/2944-42-0x00007FFC08EE0000-0x00007FFC099A1000-memory.dmp
memory/3404-44-0x00007FFC08EE0000-0x00007FFC099A1000-memory.dmp
memory/3404-45-0x0000000001860000-0x0000000001870000-memory.dmp
memory/3404-46-0x000000001AC90000-0x000000001AD9A000-memory.dmp
memory/4716-51-0x0000000002870000-0x00000000028A6000-memory.dmp
memory/4716-52-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/4716-54-0x00000000028D0000-0x00000000028E0000-memory.dmp
memory/4716-53-0x00000000028D0000-0x00000000028E0000-memory.dmp
memory/4716-55-0x0000000005650000-0x0000000005C78000-memory.dmp
memory/4716-56-0x00000000053E0000-0x0000000005402000-memory.dmp
memory/4716-57-0x0000000005480000-0x00000000054E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hscljcl1.mdh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4716-58-0x0000000005C80000-0x0000000005FD4000-memory.dmp
memory/4716-68-0x00000000061E0000-0x00000000061FE000-memory.dmp
memory/4716-69-0x00000000028D0000-0x00000000028E0000-memory.dmp
memory/4716-70-0x00000000067A0000-0x00000000067D2000-memory.dmp
memory/4716-72-0x00000000712A0000-0x00000000712EC000-memory.dmp
memory/4716-83-0x0000000006780000-0x000000000679E000-memory.dmp
memory/4716-84-0x00000000071C0000-0x0000000007263000-memory.dmp
memory/4716-82-0x000000007F150000-0x000000007F160000-memory.dmp
memory/1716-71-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/4716-86-0x00000000074E0000-0x00000000074FA000-memory.dmp
memory/4716-85-0x0000000007B30000-0x00000000081AA000-memory.dmp
memory/4716-87-0x0000000007550000-0x000000000755A000-memory.dmp
memory/4716-88-0x0000000007760000-0x00000000077F6000-memory.dmp
memory/4716-89-0x00000000076E0000-0x00000000076F1000-memory.dmp
memory/4716-90-0x0000000007710000-0x000000000771E000-memory.dmp
memory/4716-91-0x0000000007720000-0x0000000007734000-memory.dmp
memory/4716-92-0x0000000007820000-0x000000000783A000-memory.dmp
memory/4716-93-0x0000000007800000-0x0000000007808000-memory.dmp
memory/4716-96-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/1716-106-0x0000000007720000-0x000000000776A000-memory.dmp
memory/1716-107-0x0000000008380000-0x00000000086D4000-memory.dmp
memory/1716-108-0x000000007F400000-0x000000007F410000-memory.dmp
memory/1716-118-0x0000000009C90000-0x0000000009D33000-memory.dmp
memory/1716-119-0x000000000A060000-0x000000000A071000-memory.dmp
memory/1716-120-0x000000000A0A0000-0x000000000A0B4000-memory.dmp
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | f428ac3563771640ac06d98b8c4262b7 |
| SHA1 | 934545b3db75988d318e331a73e33c3721400d17 |
| SHA256 | 56304c18fa596a27a1bbf75ea2e99e7904bc225803a272f60e84923a999b8d75 |
| SHA512 | 22e0b6082de2915de43d0688f35c5fbbfd875f094a2c7fea1a610e86bccbc8c3ed1935c1e94b1b0a4563ba60dd77200b3df53c12cd06e480ec59bdc2ef1c216d |
memory/4704-134-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/1716-133-0x0000000074EC0000-0x0000000075670000-memory.dmp
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | eb7b19818483009d795992fa2fde7f3b |
| SHA1 | 1950efa7f0cff161c2a96bcbee125235b2e72196 |
| SHA256 | 220943b60b3ab09be0dd443cac0b2f4e88c57fe4f5d6cbacea1207c8fe87b2cc |
| SHA512 | c7bd5f54e097ba031c2fd985e31bdc9088ebfafced73a1008288a045885fef969c4a0c3651c30bd266d12351d6dd1dedd230c2c7be073f62a66f75a85ceec104 |
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | 0240cfb570918f76ec1c585f8adc6d1e |
| SHA1 | b01cf277ec37236b40892fc874735e50462b773c |
| SHA256 | 1d5a801b7d86ac8bf44b3d4818237522e6e977b512eaef80cbefcfe650b4317a |
| SHA512 | 29e438009d0863672fe9edec454c2940013a63acd0140739ab3f4de8cc02bdd00be6e0005bacde7c6bc85cdec90aba340bcf9d2dca4586b52434754742ff2cc6 |
memory/3404-135-0x00007FFC08EE0000-0x00007FFC099A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\err_91ae58d9b49a47b0933d6314024a6ff7.dat
| MD5 | bcac4c57b271023c4d2c6b8dee8dc451 |
| SHA1 | 7a1a46390b8c885cf38f456c2c6a9031f0051c92 |
| SHA256 | d1f40b4d7c60d1e04d28b090d81dd2a920b2993c7381b8cfac74f5ea8879e537 |
| SHA512 | 246c9657ef61193a4c882d8df933c4aca1e867e415607db80cd47d120e496bc475ea82813d11663151ca01616666820de05a617aa69134ef7f72575ca06c846e |
C:\Program Files (x86)\Chrome Update\Chrome Network.exe
| MD5 | 8b598e079074ae69a94c6e58e1d50030 |
| SHA1 | 8e6349943524b9b76196667b5218970eb173e080 |
| SHA256 | 29dcfbb59252ada5d4365a4d2d3e98476e26e7407c4d975069ed3bdded8ff497 |
| SHA512 | e5583424126f16e2ede1173667631c1b19639eabd231b265fb6f6ccd7a8a5a8c4b74313a4cdf0c0dae584f7ef28fc633765b38f928b1a895aa859b31ae5b3d7a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1ccd6b0b1f67900bbdfd2070b7c9221e |
| SHA1 | ca348e9d44c233565043a327fd1b297366a50900 |
| SHA256 | 11a50caa3c7b0d7acaab0156bc0396914852172617503268381ae5f4ac9c32f5 |
| SHA512 | 5db257f6bdfa5315a162fea471fd171f997b4f8a336c70cbc5f2137ba7b5229f412630874ecf868d1e254047c750865e9ac7033e0fe67c9b7ecccbd3d75e5160 |
C:\Users\Admin\AppData\Local\Temp\System Files.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System Files.exe.log
| MD5 | 4eaca4566b22b01cd3bc115b9b0b2196 |
| SHA1 | e743e0792c19f71740416e7b3c061d9f1336bf94 |
| SHA256 | 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb |
| SHA512 | bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1 |