Malware Analysis Report

2025-01-22 15:11

Sample ID 240209-bp17zsdf9w
Target f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a
SHA256 f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a
Tags
orcus new tag rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a

Threat Level: Known bad

The file f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a was found to be: Known bad.

Malicious Activity Summary

orcus new tag rat spyware stealer

Orcurs Rat Executable

Orcus main payload

Orcus

Orcus family

Orcurs Rat Executable

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-09 01:19

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-09 01:19

Reported

2024-02-09 01:22

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 1560 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 1560 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 732 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe

"C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

"C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58576.client.sudorat.top udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
N/A 127.0.0.1:1111 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58576.client.sudorat.ru udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
US 8.8.8.8:53 58576.client.sudorat.ru udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 58576.client.sudorat.ru udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
US 8.8.8.8:53 58576.client.sudorat.ru udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/1560-0-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/1560-1-0x0000000000E80000-0x000000000117E000-memory.dmp

memory/1560-2-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/1560-3-0x0000000001C70000-0x0000000001C7E000-memory.dmp

memory/1560-4-0x0000000005D80000-0x0000000005DDC000-memory.dmp

memory/1560-5-0x0000000006480000-0x0000000006A24000-memory.dmp

memory/1560-6-0x0000000005ED0000-0x0000000005F62000-memory.dmp

memory/1560-7-0x00000000063C0000-0x00000000063D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 23f4e9c9b708ba86f0b4746fcefd7caf
SHA1 b233e4c368018bf50941b785190abd88129fc8ca
SHA256 f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a
SHA512 fcec609cb9375b40bcae6f2a529c7bf2d0e0ad91674984addb6180d388216c80d3e6373d9949c16f5937bb9ba76993f29ec08e4079260a46015e99b62759a329

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 109f8c097742cdc9afa3d0a90aff4612
SHA1 3697aa697e693e48033bd73ee8cf8d5e7c3e68ba
SHA256 7acef07badd2289bc0dff4fabeee4fe6e1952e67bde33638d760c27ad63439ae
SHA512 d56b955b0693dba8197696b2bcda1ec82cf28ddf655edc51528dc23588dd19dd7cf8ab3b9f55ddc7343a91371d5b287322b6326edb6287abe8b5da856386e6e6

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 c8982c0541af9ed129968e7e0f98baf9
SHA1 2bfcb72c5981bc65c272f6d517b6cfa886d99ffd
SHA256 8ff22ca1cefbbf9aeedb9428d7ad43f9e764f6f43916ce1fe6eec46191924058
SHA512 59b9e2af3e6d510a22fc778e5d09997b431b41614a5743959288e77b5833687a145b720929b80a46191b97a95240d0886f940be8f71362a04367a58ad6a75d8e

memory/1560-24-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4464-23-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4464-25-0x0000000005280000-0x0000000005290000-memory.dmp

memory/4464-26-0x00000000060C0000-0x000000000610E000-memory.dmp

memory/4464-28-0x0000000006340000-0x00000000063DC000-memory.dmp

memory/732-29-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4464-33-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/2428-32-0x0000000074E30000-0x00000000755E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uploadstrack.exe.log

MD5 663b8d5469caa4489d463aa9bc18124f
SHA1 e57123a7d969115853ea631a3b33826335025d28
SHA256 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

memory/2428-35-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/732-36-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4108-38-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4108-40-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

memory/1600-41-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/732-42-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/1600-43-0x0000000005740000-0x0000000005750000-memory.dmp

memory/2428-44-0x0000000005D30000-0x0000000005D48000-memory.dmp

memory/2428-45-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/2428-46-0x0000000006B30000-0x0000000006B3A000-memory.dmp

memory/4108-47-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/1600-49-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/2428-50-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/2428-51-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/1340-53-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/1340-54-0x0000000005320000-0x0000000005330000-memory.dmp

memory/1340-55-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/3848-57-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/3848-58-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

memory/3848-59-0x0000000074E30000-0x00000000755E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-09 01:19

Reported

2024-02-09 01:22

Platform

win7-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2692 set thread context of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 1936 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 1936 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 1936 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2692 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2024 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2352 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2352 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2352 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2892 wrote to memory of 2352 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe

"C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

"C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {87044ABB-E622-43E7-B6D1-08F34BD5FF06} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58576.client.sudorat.top udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
N/A 127.0.0.1:1111 tcp
US 8.8.8.8:53 58576.client.sudorat.ru udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp

Files

memory/1936-1-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/1936-0-0x0000000001220000-0x000000000151E000-memory.dmp

memory/1936-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp

memory/1936-3-0x00000000002F0000-0x00000000002FE000-memory.dmp

memory/1936-4-0x0000000004920000-0x000000000497C000-memory.dmp

memory/1936-5-0x00000000004B0000-0x00000000004C2000-memory.dmp

\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 23f4e9c9b708ba86f0b4746fcefd7caf
SHA1 b233e4c368018bf50941b785190abd88129fc8ca
SHA256 f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a
SHA512 fcec609cb9375b40bcae6f2a529c7bf2d0e0ad91674984addb6180d388216c80d3e6373d9949c16f5937bb9ba76993f29ec08e4079260a46015e99b62759a329

memory/2692-16-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/1936-17-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/2692-19-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2692-18-0x0000000000E20000-0x000000000111E000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2692-20-0x0000000000590000-0x00000000005DE000-memory.dmp

memory/2388-21-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2388-23-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2388-25-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 aed5d653cb4074b594b32e42020ec58c
SHA1 6f3129d9af739533cc5554b9bd12cb382af64435
SHA256 7f2ef7fdc0a8f54b90bcda2343e555e36fca9b9ccce090aa4700e793f39ace66
SHA512 f961d04f9630c7f7f1e13637babcc248b14f9e4cc304adb739f722288764f7787dc5ae61ef88e0391d3e24b059f00b7e5c1395766631cb55da025df6e94b73cb

memory/2388-27-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2388-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2388-31-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2692-33-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/2388-34-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2388-36-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2572-37-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2388-39-0x0000000000840000-0x0000000000858000-memory.dmp

memory/2388-38-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2572-40-0x0000000004C50000-0x0000000004C90000-memory.dmp

memory/2388-41-0x0000000004C70000-0x0000000004CB0000-memory.dmp

memory/2388-42-0x00000000008C0000-0x00000000008D0000-memory.dmp

memory/2572-43-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2388-44-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2388-45-0x0000000004C70000-0x0000000004CB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 d5853b4e532cdb1fede30b6208bf224d
SHA1 f74eac4c6c22053c323e2a9b7786fd5166f65f97
SHA256 b7ed2319c234e0f3bafc9d85c2cf373847d0c90f23f57b9f943d652b12842b0e
SHA512 87e0bfe07d5a46786de5753740aeaec695bd45d4975d9d186683fc050a145031658b6df6e909c80b667fbd59103dea3d799348aee62bd75beb031b602e7a3927

memory/2024-47-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2024-48-0x00000000011D0000-0x00000000014CE000-memory.dmp

memory/2024-49-0x0000000004C50000-0x0000000004C90000-memory.dmp

memory/2024-50-0x0000000073E50000-0x000000007453E000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 a2c605bed6694b8d279a7bbe051e22ee
SHA1 4807c1a2cd4c19246af8d06d86c0275e881ff6fb
SHA256 46e619397e42adbca2c4965104a7933c945de462716bd632f87ea59c32a44bb3
SHA512 89e964ce8aeb0b67c709b03fd31e22c8a42862285d13b54258080f068a89beb9bd15a818f84da0f93a3e1cd77784bd0eaec6c1a27ae9782d35cbadac664bf749

memory/2352-52-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2352-53-0x00000000003D0000-0x0000000000410000-memory.dmp

memory/2352-54-0x0000000073E50000-0x000000007453E000-memory.dmp
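Detection logic for the chain recorded in both detonations above: the sample copies itself to %APPDATA%\Roaming\linuxflowergeo\uploadstrack.exe (same SHA256 as the submitted file), the copy starts a bare .NET Framework utility (msbuild.exe on win10, installutil.exe on win7) and writes into it (SetThreadContext/WriteProcessMemory, i.e. process hollowing), resolves a "<port>.client.<domain>" hostname and connects to that port on 31.44.184.52, and on win7 is relaunched by taskeng.exe from a scheduled task. The block below is an added example, not part of the sandbox report or the Orcus family itself. It assumes a Sysmon-style event feed modelled as plain dicts (event field names are an assumption), that a file hash is available on file-create events (Sysmon's own FileCreate carries none, so it would be joined from another source), that the numeric-label hostname scheme generalises beyond the two hostnames seen here, and it adds regasm.exe and regsvcs.exe as hollowing targets that are not observed in this report. The sample events are constructed to mirror the report's process IDs, paths, hashes and destinations, with one benign msbuild.exe build as a control.

```python
import re
from pathlib import PureWindowsPath

# Paths and the hash are taken from the report above.
SAMPLE_SHA256 = "f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

# .NET Framework utilities used as hollowing targets: msbuild.exe (win10 run) and
# installutil.exe (win7 run) come from the report; regasm.exe and regsvcs.exe are
# siblings abused the same way and are an assumption, not observed here.
HOLLOW_TARGETS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}

# User-writable staging locations seen in the report (Roaming and Local\Temp).
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)

# Both C2 hostnames above have the form "<port>.client.<domain>" and the numeric
# label equals the TCP port the sample connects to (58576). Generalised here as an
# assumption about this builder's naming scheme.
PORT_LABEL_HOST = re.compile(r"^(?P<port>\d{2,5})\.client\.[a-z0-9.-]+$", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def has_no_arguments(cmdline: str, image: str) -> bool:
    """True when the command line is only the (optionally quoted) image path.
    The hollowed msbuild.exe/installutil.exe above start bare; real builds pass arguments."""
    return cmdline.strip().strip('"').lower() == image.lower()


def detect(events: list[dict]) -> list[dict]:
    """Run the rules over an ordered list of Sysmon-style event dicts and return alerts."""
    alerts = []
    advertised_ports: set[int] = set()  # ports taken from DNS labels, confirmed by a later connect
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            image, parent = ev["image"], ev["parent_image"]
            if (basename(image) in HOLLOW_TARGETS
                    and has_no_arguments(ev["cmdline"], image)
                    and USER_WRITABLE.search(parent)):
                alerts.append({"rule": "dotnet_utility_hollowing", "pid": ev["pid"], "parent": parent})
            # win7 run: taskeng.exe (Task Scheduler) relaunches the dropped binary.
            if basename(parent) == "taskeng.exe" and USER_WRITABLE.search(image):
                alerts.append({"rule": "scheduled_task_persistence", "pid": ev["pid"], "image": image})
        elif kind == "FileCreate":
            # The dropped uploadstrack.exe carries the sample's own SHA256: a renamed self-copy.
            # Sysmon FileCreate has no hash field; file_sha256 is assumed joined from an EDR feed.
            if USER_WRITABLE.search(ev["target"]) and ev["file_sha256"] == ev["image_sha256"]:
                alerts.append({"rule": "self_copy_to_appdata", "pid": ev["pid"], "target": ev["target"]})
        elif kind == "DnsQuery":
            m = PORT_LABEL_HOST.match(ev["query"])
            if m:
                advertised_ports.add(int(m["port"]))
                alerts.append({"rule": "port_in_hostname_c2_dns", "pid": ev["pid"], "query": ev["query"]})
        elif kind == "NetworkConnect":
            # Loopback (the 127.0.0.1:1111 entry above) is ignored; only the advertised port counts.
            if (ev["protocol"] == "tcp" and ev["dst_port"] in advertised_ports
                    and not ev["dst_ip"].startswith("127.")):
                alerts.append({"rule": "c2_connect_confirmed", "pid": ev["pid"],
                               "dst": f"{ev['dst_ip']}:{ev['dst_port']}"})
    return alerts


# Constructed events: the win10 chain, the win7 task relaunch, and one benign control build.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1560, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "FileCreate", "pid": 1560, "image": SAMPLE_EXE, "image_sha256": SAMPLE_SHA256,
     "target": DROPPED_EXE, "file_sha256": SAMPLE_SHA256},
    {"type": "ProcessCreate", "pid": 4464, "image": DROPPED_EXE, "cmdline": f'"{DROPPED_EXE}"',
     "parent_image": SAMPLE_EXE},
    {"type": "ProcessCreate", "pid": 2428, "image": MSBUILD, "cmdline": f'"{MSBUILD}"',
     "parent_image": DROPPED_EXE},
    {"type": "DnsQuery", "pid": 2428, "query": "58576.client.sudorat.top"},
    {"type": "NetworkConnect", "pid": 2428, "protocol": "tcp", "dst_ip": "31.44.184.52", "dst_port": 58576},
    {"type": "NetworkConnect", "pid": 2428, "protocol": "tcp", "dst_ip": "127.0.0.1", "dst_port": 1111},
    {"type": "ProcessCreate", "pid": 2572, "image": DROPPED_EXE, "cmdline": DROPPED_EXE,
     "parent_image": r"C:\Windows\system32\taskeng.exe"},
    {"type": "ProcessCreate", "pid": 9001, "image": MSBUILD, "cmdline": f'"{MSBUILD}" app.csproj /t:Build',
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The bare-command-line condition is what keeps the hollowing rule quiet on developer machines: a genuine msbuild.exe or installutil.exe invocation always carries a project or assembly argument, while an injected host process is started with none so that the loader can overwrite its image. The DNS rule on its own is only a lead; the alert worth paging on is the connect whose destination port equals the label the malware itself resolved.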