Malware Analysis Report

2025-01-22 15:04

Sample ID: 240208-byx7pacbh3
Target: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45
SHA256: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45
Tags: new tag, orcus, rat, spyware, stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45

Threat Level: Known bad

The file 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45 was found to be: Known bad.

Malicious Activity Summary

Tags: new tag, orcus, rat, spyware, stealer

Orcurs Rat Executable

Orcus main payload

Orcus family

Orcus

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-08 01:33

Signatures

Orcurs Rat Executable

Orcus family

orcus

Orcus main payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-08 01:33
Reported: 2024-02-08 01:36
Platform: win7-20231215-en
Max time kernel: 131s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe"

Signatures

Orcus

Tags: rat, spyware, stealer, orcus

Orcus main payload

Orcurs Rat Executable

Suspicious use of SetThreadContext

PID 2724 set thread context of 2816
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege
  Process: C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe

Token: SeDebugPrivilege
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

Token: SeDebugPrivilege
  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Suspicious use of WriteProcessMemory

PID 1948 wrote to memory of 2724 (4 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  Target: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

PID 2828 wrote to memory of 2772 (4 entries)
  Process: C:\Windows\system32\taskeng.exe
  Target: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

PID 2724 wrote to memory of 2884 (7 entries)
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

PID 2724 wrote to memory of 2844 (7 entries)
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

PID 2724 wrote to memory of 2816 (12 entries)
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

PID 2828 wrote to memory of 2328 (4 entries)
  Process: C:\Windows\system32\taskeng.exe
  Target: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

PID 2828 wrote to memory of 2152 (4 entries)
  Process: C:\Windows\system32\taskeng.exe
  Target: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  "C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe"

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  "C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe"

C:\Windows\system32\taskeng.exe
  taskeng.exe {96541568-88E5-4370-88A3-EEC4DA129719} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          58576.client.sudorat.top      udp
RU       31.44.184.52:58576  58576.client.sudorat.top      tcp
N/A      127.0.0.1:1111      N/A                           tcp

Files

\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 f7f991ab98e4011b4f8b1ba5d76c86d7
SHA1 6161a121f2f213286585ee8afb414cb7ddf9a2c2
SHA256 d09027e28bae6a00a7593b742cf4980bfd48994bfd50af71c673ca72a2a9524c
SHA512 88379ff55df6e47ed3398b59e325d82acaf05f7e4c862953f0dcc21f8c892e804fef0d02229c1038adba4e09e445b0a73713452ab8094ec96bdf6f27cbbcb92c

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 74d76e40ed909ca7e1c84845502d4200
SHA1 68e52a5e876d3ced0acf3be1dab2cfec279c13cd
SHA256 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45
SHA512 4178e42e6548168ffc54f077665c3d39ce4261e1ae03774a8bdef7e00b226ddf5c24e1eb146cbce624e31bdd333089b0639caf1fa78af1649a3dd4f4897e5177

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Local\Temp\CabAA17.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-08 01:33
Reported: 2024-02-08 01:36
Platform: win10v2004-20231215-en
Max time kernel: 127s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe"

Signatures

Orcus

Tags: rat, spyware, stealer, orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Key value queried
  Indicator: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe

Suspicious use of SetThreadContext

PID 3216 set thread context of 1672
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege
  Process: C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe

Token: SeDebugPrivilege
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

Token: SeDebugPrivilege
  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Suspicious use of WriteProcessMemory

PID 4548 wrote to memory of 3216 (3 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  Target: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

PID 3216 wrote to memory of 2520 (3 entries)
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

PID 3216 wrote to memory of 180 (3 entries)
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

PID 3216 wrote to memory of 1672 (8 entries)
  Process: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  "C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe"

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  "C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          81.171.91.138.in-addr.arpa    udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53          72.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          58576.client.sudorat.top      udp
RU       31.44.184.52:58576  58576.client.sudorat.top      tcp
US       8.8.8.8:53          52.184.44.31.in-addr.arpa     udp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa    udp
N/A      127.0.0.1:1111      N/A                           tcp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53          23.160.77.104.in-addr.arpa    udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 2a9d1009e59680f73b7b315491e7b78f
SHA1 5fe5b17c577baccaa91e56725c73ed0d80e58628
SHA256 d699a9a85b358e657f0f1287f357c64c4cf82aab375446629102bbcb4ab0c7e4
SHA512 3eb641a3d04182a73ca7dbf6174412cf0afc8769572f93ed67ff5cfae9018aa89fef40feb990880c9266962b163a0aff01a7b8724079c639338064646c2f79e3

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 a62f10244bfc7ac326c3f1509633d837
SHA1 78718eccad87a529d0ce497ea2dcc151075fc170
SHA256 e8a0a2db481aed0f0c969f7a112c6068a910e4e7b9e2301c02b68fafdc6c121c
SHA512 93a1946843927f8e98617d6383c8ed100cc0e61c849b07cc755a61ea898254a60ebb290b20abce0d2aa35014a823c1e26ceafe0cf3901ac767df8cd66d372488

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 f10c627484d209f98d62332cc20af71d
SHA1 c0387c1bdcc41d1e95c6d2c3e6324046c2a1ed65
SHA256 95507ba52cfea43c0bbd1d78656660816267bf3608f6a3b495c913d9a7069d7e
SHA512 280dd97829e49fef4cd4adebe8b7d91ae5726018e852267b96d8da951517670270a92731a2df8185320bcdba27832cb33c4b5c2702913fc212db79ac6468205d

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 ea30aef27161241655b98f5f14b5917a
SHA1 ab7c954cb58ae8306708f434085eec06dfdf93c8
SHA256 e3df5826de0c88f30761eadc33d9048194c9cfc5e946b031e9603fb124fb08db
SHA512 995a26afb367ef328057da35e43d2539fd922680dc8bd64ec6721501a174c57c7bf2c735a94286967b9f4a508031cd7ed2ebd9c6c18cd1361c809b1f00a64037

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\linuxapi.exe.log

MD5 663b8d5469caa4489d463aa9bc18124f
SHA1 e57123a7d969115853ea631a3b33826335025d28
SHA256 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 211a8427d5f87809aa121e5306a9d541
SHA1 ee3bc008d806224ea29e9ae9f0b3aafa9f424741
SHA256 23ba6e789edef4ee3e478e7ff70d3af4256460ef51503b5f8841cf7388ea80ee
SHA512 28c221c85a0c89bfc4c3217c4ceefc9c7e0440d3d8a7ee60efe6cbe210cdf8756a33ecc2518b72c57e6dcdeeef72744a2ab72a5e937f1843b9355f0fd5935953

C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe

MD5 d5d7c73cb9fcf38f74239627588bfed3
SHA1 84774a93e5cb0ac519a1094b0d2f00d6c678e263
SHA256 165c24b04d51fa8602c4075cc9dfc9e7d818ca3dd33c151ea92647b8096ed22b
SHA512 e329028c33ca6db03d4a902e3212c6ad8ba42f273a70d2bc3b676d9aeba60578cb4fe042b4c0f6e4bfd3d46e8f1cda71761220490b91957cd9cb7fd3be43827c
