Malware Analysis Report

2025-01-22 15:09

Sample ID 240211-bdcp9aag31
Target 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
SHA256 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
Tags
psevdo orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d

Threat Level: Known bad

The file 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d was found to be: Known bad.

Malicious Activity Summary

psevdo orcus rat spyware stealer

Orcurs Rat Executable

Orcus family

Orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-11 01:01

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-11 01:01

Reported

2024-02-11 01:03

Platform

win7-20231215-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2380 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2380 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2380 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 2780 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2304 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2304 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2780 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2828 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 2912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 2828 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

Processes

C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe

"C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe"

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

"C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E084490F-2E67-4FA3-9C48-EB22B0FD7F36} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          13642.client.sudorat.top     udp
AZ       37.26.3.143:13642   13642.client.sudorat.top     tcp
N/A      127.0.0.1:1111      N/A                          tcp
US       8.8.8.8:53          13642.client.sudorat.ru      udp
RU       31.44.184.52:13642  N/A                          tcp
AZ       37.26.3.143:13642   13642.client.sudorat.top     tcp
RU       31.44.184.52:13642  N/A                          tcp
AZ       37.26.3.143:13642   13642.client.sudorat.top     tcp
RU       31.44.184.52:13642  N/A                          tcp
AZ       37.26.3.143:13642   13642.client.sudorat.top     tcp
RU       31.44.184.52:13642  N/A                          tcp

Files

memory/2380-0-0x0000000000C70000-0x0000000000F6E000-memory.dmp

memory/2380-1-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2380-2-0x00000000004F0000-0x0000000000530000-memory.dmp

memory/2380-3-0x00000000002B0000-0x00000000002BE000-memory.dmp

memory/2380-4-0x0000000000990000-0x00000000009EC000-memory.dmp

memory/2380-5-0x0000000000440000-0x0000000000452000-memory.dmp

\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

MD5 33fb4c25d6d27630a20791a37547a11d
SHA1 a1d4d6c542fdfab4b8f3b4eec566a73631e4bb37
SHA256 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
SHA512 e934731c40efa489f10540d0ae0b6008636993d6c0b324ccfcf37325c39e752a366aa2b22501b6f451e3dffdd818f79488df0653e34c6193468d064317c13536

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2380-16-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2304-17-0x00000000001A0000-0x000000000049E000-memory.dmp

memory/2304-19-0x0000000004FD0000-0x0000000005010000-memory.dmp

memory/2304-18-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2304-20-0x0000000000770000-0x0000000000782000-memory.dmp

memory/2304-21-0x0000000000A00000-0x0000000000A4E000-memory.dmp

memory/2780-23-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2780-24-0x0000000000810000-0x0000000000850000-memory.dmp

memory/2592-25-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2592-27-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2592-29-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2592-31-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2592-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2592-34-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2304-36-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2592-37-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2592-39-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2592-40-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2592-41-0x00000000046D0000-0x0000000004710000-memory.dmp

memory/2284-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2780-52-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2284-56-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2284-57-0x0000000000BD0000-0x0000000000C10000-memory.dmp

memory/2592-58-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/2592-59-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

memory/2592-60-0x0000000000D70000-0x0000000000D80000-memory.dmp

memory/2284-61-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2592-62-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2592-63-0x00000000046D0000-0x0000000004710000-memory.dmp

memory/2912-66-0x0000000001380000-0x000000000167E000-memory.dmp

memory/2912-65-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2912-67-0x0000000004DF0000-0x0000000004E30000-memory.dmp

memory/2912-68-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/1304-70-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/1304-71-0x0000000000230000-0x0000000000270000-memory.dmp

memory/1304-72-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-11 01:01

Reported

2024-02-11 01:03

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3456 set thread context of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 3312 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 3312 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe
PID 3456 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3456 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe

"C:\Users\Admin\AppData\Local\Temp\398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe"

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

"C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe"

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

Network

Country  Destination         Domain                        Proto
US       138.91.171.81:80    N/A                           tcp
US       8.8.8.8:53          149.220.183.52.in-addr.arpa   udp
US       8.8.8.8:53          136.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          13642.client.sudorat.top      udp
AZ       37.26.3.143:13642   13642.client.sudorat.top      tcp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa   udp
N/A      127.0.0.1:1111      N/A                           tcp
US       8.8.8.8:53          13642.client.sudorat.ru       udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa   udp
RU       31.44.184.52:13642  N/A                           tcp
AZ       37.26.3.143:13642   13642.client.sudorat.top      tcp
US       8.8.8.8:53          13642.client.sudorat.ru       udp
RU       31.44.184.52:13642  N/A                           tcp
US       8.8.8.8:53          30.243.111.52.in-addr.arpa    udp
AZ       37.26.3.143:13642   13642.client.sudorat.top      tcp
US       8.8.8.8:53          13642.client.sudorat.ru       udp
RU       31.44.184.52:13642  N/A                           tcp
AZ       37.26.3.143:13642   13642.client.sudorat.top      tcp
US       8.8.8.8:53          13642.client.sudorat.ru       udp
US       8.8.8.8:53          131.109.69.13.in-addr.arpa    udp
RU       31.44.184.52:13642  N/A                           tcp

Files

memory/3312-0-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3312-1-0x0000000000AC0000-0x0000000000DBE000-memory.dmp

memory/3312-2-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/3312-3-0x0000000003220000-0x000000000322E000-memory.dmp

memory/3312-4-0x0000000005760000-0x00000000057BC000-memory.dmp

memory/3312-5-0x0000000006090000-0x0000000006634000-memory.dmp

memory/3312-6-0x0000000005B80000-0x0000000005C12000-memory.dmp

memory/3312-7-0x00000000059F0000-0x0000000005A02000-memory.dmp

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

MD5 33fb4c25d6d27630a20791a37547a11d
SHA1 a1d4d6c542fdfab4b8f3b4eec566a73631e4bb37
SHA256 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
SHA512 e934731c40efa489f10540d0ae0b6008636993d6c0b324ccfcf37325c39e752a366aa2b22501b6f451e3dffdd818f79488df0653e34c6193468d064317c13536

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

MD5 522534633ce302500ad63a43419b11d7
SHA1 7273786b1d54130f7fb748d1624e8a8aaea9f90b
SHA256 6e748e147cbf5658d6fc10cd64e8dbf8c63d2eda2398a96902456cae69ef5f18
SHA512 8253c8c118c270a8152c6a0e38cc16d011437ef79daadc13fdcd8276bcf4ec3d6bc4521a4dd636b5a5ee61edbdc6699aec3d408512e053cd0d5dae97e0b88871

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

MD5 e6f5d7f645f2f1a267043b0203e5dd93
SHA1 9b9b3474579fbb994163036d2072377f85c0762c
SHA256 4609e5ffe3cdb1bef9873e195747c3d6f38c234568e8b6197092a7e98e953fdd
SHA512 14ce934611b064dc5a0b8a5c51193be54fc3e18968b510a21b73dc99a701574de7c8bacb6ad2a426408efef373b4fe725fcef1e5b19d4b4c126212d563ba3768

memory/3456-23-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3312-24-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3456-25-0x0000000004E70000-0x0000000004E80000-memory.dmp

memory/3456-26-0x00000000056F0000-0x000000000573E000-memory.dmp

C:\Users\Admin\AppData\Roaming\sqlauth\securewordpress.exe

MD5 383f2db4ae80719317b4e70f4ad182ce
SHA1 4338f82df84d026d115b3059c4c8b0abdb207c27
SHA256 13f43d557d344e1af6aa7f41673adb18d43d4d24335c8f77275e9ae1bb162263
SHA512 f6a4d3de69bd08da3ca17fd16536182b0309f8d72b934776001596fe957969c934260c499c92e743a069b9528c236eabb4077e13e1daf5cbf9dea167bf96d235

memory/3456-28-0x0000000006050000-0x00000000060EC000-memory.dmp

memory/2068-29-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/2068-32-0x0000000005A90000-0x0000000005AA0000-memory.dmp

memory/3456-33-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3492-34-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3492-35-0x00000000059B0000-0x00000000059C8000-memory.dmp

memory/3492-36-0x0000000006810000-0x0000000006820000-memory.dmp

memory/3492-37-0x0000000006B50000-0x0000000006B5A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\securewordpress.exe.log

MD5 663b8d5469caa4489d463aa9bc18124f
SHA1 e57123a7d969115853ea631a3b33826335025d28
SHA256 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

memory/2068-39-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/3492-40-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4464-42-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4464-43-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

memory/4464-44-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/1000-46-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/1000-47-0x0000000074EA0000-0x0000000075650000-memory.dmp