azorult | 82d83d04586cc7b9baa77b20e8a942e5bb590d1ad1e10d6f3d2a6c9216cf32cc

Analysis

max time kernel
24s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
Size

2.0MB
MD5

cc38554b00499e85149b2c1c0a22473e
SHA1

13382965ec47a60dcf07aeadd7414f215099f564
SHA256

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05
SHA512

0efe34a59ef8990aa40db6066128f44108c0bce914e450ba69cafae0664c3190cdbdfd0511e42a25e8f4d880e456ef2ccedcd690603e102ae4dcdf7170b2790c
SSDEEP

24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB

Score

10^/10

azorult quasar ebayprofiles infostealer spyware trojan

Malware Config

Extracted

Family

azorult

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes

encryption_key
MWhG6wsClMX8aJM2CVXT
install_name
winsock.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win defender run
subdirectory
SubDir

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

Processes:

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

flow	ioc
94	ip-api.com
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
42	ip-api.com

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
behavioral2/memory/1436-25-0x00000000000A0000-0x00000000000FE000-memory.dmp	family_quasar
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	family_quasar
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

Executes dropped EXE 3 IoCs

Processes:

vnc.exewindef.exewinsock.exe

pid process

3724 vnc.exe
1436 windef.exe
3924 winsock.exe

pid	process
3724	vnc.exe
1436	windef.exe
3924	winsock.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

description	ioc	process
File opened (read-only)	\??\o:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\q:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\y:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\b:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\e:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\i:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\j:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\m:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\u:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\v:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\z:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\h:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\k:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\l:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\n:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\s:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\p:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\t:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\a:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\g:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\r:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\w:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
File opened (read-only)	\??\x:	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com
94 ip-api.com

flow	ioc
42	ip-api.com
94	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	autoit_exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vnc.exef8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

description	pid	process	target process
PID 3724 set thread context of 4564	3724	vnc.exe	svchost.exe
PID 5044 set thread context of 3648	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2640 3924 WerFault.exe winsock.exe
1828 3432 WerFault.exe winsock.exe
4472 3356 WerFault.exe winsock.exe
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1616 schtasks.exe
4596 schtasks.exe
1664 schtasks.exe
4596 schtasks.exe
1612 schtasks.exe
2312 schtasks.exe
2108 schtasks.exe
4980 schtasks.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2544 PING.EXE
2312 PING.EXE
2224 PING.EXE

pid	pid_target	process	target process
2640	3924	WerFault.exe	winsock.exe
1828	3432	WerFault.exe	winsock.exe
4472	3356	WerFault.exe	winsock.exe

pid	process
1616	schtasks.exe
4596	schtasks.exe
1664	schtasks.exe
4596	schtasks.exe
1612	schtasks.exe
2312	schtasks.exe
2108	schtasks.exe
4980	schtasks.exe

pid	process
2544	PING.EXE
2312	PING.EXE
2224	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

pid	process
5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vnc.exe

pid process

3724 vnc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

windef.exewinsock.exe

description pid process

Token: SeDebugPrivilege 1436 windef.exe
Token: SeDebugPrivilege 3924 winsock.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winsock.exe

pid process

3924 winsock.exe

pid	process
3724	vnc.exe

description	pid	process
Token: SeDebugPrivilege	1436	windef.exe
Token: SeDebugPrivilege	3924	winsock.exe

pid	process
3924	winsock.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exevnc.exewindef.exewinsock.exe

description	pid	process	target process
PID 5044 wrote to memory of 3724	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	vnc.exe
PID 5044 wrote to memory of 3724	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	vnc.exe
PID 5044 wrote to memory of 3724	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	vnc.exe
PID 5044 wrote to memory of 1436	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	windef.exe
PID 5044 wrote to memory of 1436	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	windef.exe
PID 5044 wrote to memory of 1436	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	windef.exe
PID 3724 wrote to memory of 4564	3724	vnc.exe	svchost.exe
PID 3724 wrote to memory of 4564	3724	vnc.exe	svchost.exe
PID 3724 wrote to memory of 4564	3724	vnc.exe	svchost.exe
PID 5044 wrote to memory of 3648	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
PID 5044 wrote to memory of 3648	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
PID 5044 wrote to memory of 3648	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
PID 5044 wrote to memory of 3648	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
PID 3724 wrote to memory of 4564	3724	vnc.exe	svchost.exe
PID 5044 wrote to memory of 3648	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
PID 5044 wrote to memory of 2312	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	schtasks.exe
PID 5044 wrote to memory of 2312	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	schtasks.exe
PID 5044 wrote to memory of 2312	5044	f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe	schtasks.exe
PID 3724 wrote to memory of 4564	3724	vnc.exe	svchost.exe
PID 1436 wrote to memory of 2108	1436	windef.exe	schtasks.exe
PID 1436 wrote to memory of 2108	1436	windef.exe	schtasks.exe
PID 1436 wrote to memory of 2108	1436	windef.exe	schtasks.exe
PID 1436 wrote to memory of 3924	1436	windef.exe	winsock.exe
PID 1436 wrote to memory of 3924	1436	windef.exe	winsock.exe
PID 1436 wrote to memory of 3924	1436	windef.exe	winsock.exe
PID 3924 wrote to memory of 4980	3924	winsock.exe	schtasks.exe
PID 3924 wrote to memory of 4980	3924	winsock.exe	schtasks.exe
PID 3924 wrote to memory of 4980	3924	winsock.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
"C:\Users\Admin\AppData\Local\Temp\f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
- Maps connected drives based on registry
PID:4564

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2108

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h34DgxAh3k6t.bat" "
4⤵
PID:1416

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:2924

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2312

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
5⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 2268
4⤵
- Program crash
PID:2640

C:\Users\Admin\AppData\Local\Temp\f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe
"C:\Users\Admin\AppData\Local\Temp\f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05.exe"
2⤵
PID:3648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3924 -ip 3924
1⤵
PID:4868

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4596

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
3⤵
PID:3432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sE7hV6DXz8Nk.bat" "
4⤵
PID:3408

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:2744

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2224

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
5⤵
PID:3356

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8dCMaVKJbSz0.bat" "
6⤵
PID:4936

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:3412

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2544

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
7⤵
PID:2536

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 2284
6⤵
- Program crash
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 2276
4⤵
- Program crash
PID:1828

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
2⤵
PID:3984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3432 -ip 3432
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3356 -ip 3356
1⤵
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winsock.exe.log
Filesize
701B

MD5
5de8527438c860bfa3140dc420a03e52

SHA1
235af682986b3292f20d8d71a8671353f5d6e16d

SHA256
d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92

SHA512
77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dCMaVKJbSz0.bat
Filesize
208B

MD5
57c4a9a8dea799623d8fe328edb2a5ba

SHA1
57682f819c6dc34b0c2d85d348662e48dab96cf4

SHA256
58b9601e7ba5ff86c882277c8079487e8b3cafaf7390b3f3e7bb983e41caeeac

SHA512
53d632c012b67b804ddaaa77dc2a436e9951af6d771ca1e184465220269eb21a8c5319b4029833d4b92aa152f7eb4d9db9af8baa9b31f76d21fcdd8fa9e0435d

Download Submit
C:\Users\Admin\AppData\Local\Temp\h34DgxAh3k6t.bat
Filesize
208B

MD5
86acb8eb14ce400d634c58cc862c450c

SHA1
ee0820228287e8657639c66ee3bdf22de8c643d7

SHA256
72c3c39c4ef0725387ab4f364dd7b41120ba2968e4e72fafdec0f26f7ee1f23f

SHA512
c0fc4250378fc6905702f88788057f123d1a782769e45e565a322b2f607c29b16b316d58a1ea739c6146aa638e971ce28a0dd11bacb64f7eb8298d823323fd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\sE7hV6DXz8Nk.bat
Filesize
208B

MD5
36ee81178737c23558bfe459dcb79b76

SHA1
c715370134395cba4b03ed201a15df5cd07ba93c

SHA256
3c91e7e45a360ebed21e5e84ec8c52323849ae4e87dd26f008bda8a43cac4f99

SHA512
378d2ee67cd36a155217a0424d4dc13c4d49d5333e453dd166625968f69cf25332b3ca81b7807cf6a35f1361308c81b61e94430fbed5f2ca844306e6bca99c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
405KB

MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
349KB

MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\12-24-2023
Filesize
224B

MD5
053fa8e4a7513874e1badcac8b0de155

SHA1
b367dc4eb0aa7e0ce8f49977093ce23060abc211

SHA256
69912509aca9eff237548517e5592b9f6987423d3f8270ce3423af3db9d10d66

SHA512
fca6c54ecc0b0e9c8e7c1be442da9d0ce01051f7354c716f9778464edbc2dcdb098c24e6d241efe3a7351329ebdaf66be4afa4292b78dcdb0251e544d878bfcb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\12-24-2023
Filesize
224B

MD5
2fcc02183e774ccaab29529dcaafb049

SHA1
18e1f60382a58a35a79b6f271b917649cd5d5bda

SHA256
bc4350dde6eadd6d2d4d05159ce75b5183238d178da5b64e7ced0736e81d16d8

SHA512
1be2276cafaf1c9e9ad9b2cb58ef3a9cdbd08c9a5151cf343e57b05f56268fa2616330b91627b0de4d1e79bebe51f9f0c991eceffcef4d31a21c612a5f334f7c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\12-24-2023
Filesize
224B

MD5
1e8d7d3839270cfb16b940375c137c38

SHA1
4c5d91163243d2b9f3eb9ec1969091e2a8d9cb97

SHA256
0df954061245149d2b8d235a94d192cdd311e0f1aed11e44b24c3641dd570b2a

SHA512
ab628435f5f4e849d3720f745a663baf98d3aab990c739cb1d997bc332e5d87f9c628dc2e5f664141445fe1652d78022ec13a6dfe5d9696a0d3da5fc83d482ff

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
320KB

MD5
b819b498c30484e1339cb0b62ae16469

SHA1
7cb9bb3000e83defe97917aadc2fc6ba1d5a58b7

SHA256
a710b07b428281396466e4d72f139375fafa8b97b6e35e78fa33dd374807ea25

SHA512
f3f0e4d7bb37b6a0c0aa0be35eb7ffb23e697e8f5553c6b010adf1c44345b9e75dd7f03dd2f62417533d8d02a42246a8b405ca9f5c095ab668fca42fe9e698b0

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
17KB

MD5
c13af1b646cc7e14daa0f7c20fead7a9

SHA1
2697fe4f6e4bbe5700f648a81c284347448fc831

SHA256
b9c140ef92663d9d0e46b2b08f61636db93d9a0df783de5b1ced655f4c250dcc

SHA512
5a20b16c8237c5d933f89cd493dd58be7791e992cc7b32d0e97d1920de08a15da6d1a7d59873343ea5ef605f8ef75b2885d45471cb00bfdf000e4b14a20c9421

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
Filesize
1.9MB

MD5
481ab63005137e84adb15913abe1e1c0

SHA1
56f9829897e8bc2f97997e7946ece643efbf4fbc

SHA256
7d47986e668ee72e2fadbf7f0557520ffc2fcaebe07c72c115ef6df3d4973df9

SHA512
4193399e4acd2f4f0bb587c2969d64c8980c4dbc2bcc363dbdcf019919ee73f939ba259a2f0e81f258c689992df8921c30b808b3b8087b459d506e37245989dc

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
Filesize
2.0MB

MD5
542c152245e0d9179daa8000143aa6ca

SHA1
a7af28dfc2882c142e08b191aaba5bd61666c1f6

SHA256
57d5e1c687e56c532b8037bac467f3e17edffdf02c94820aa2d94246d0dc81bd

SHA512
df257c1b4412f2340780312053a53842182bfedb545b84737abe23aa67369769d25990bdbe6f5f26599f9148b87d536af9360865cf1d046d51fac01fd9e74374

Download Submit
memory/436-113-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/436-114-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/436-116-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/1124-92-0x00000000001D0000-0x000000000026C000-memory.dmp

Filesize
624KB

Download
memory/1124-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1124-88-0x00000000001D0000-0x000000000026C000-memory.dmp

Filesize
624KB

Download
memory/1124-117-0x00000000001D0000-0x000000000026C000-memory.dmp

Filesize
624KB

Download
memory/1436-44-0x0000000005920000-0x0000000005932000-memory.dmp

Filesize
72KB

Download
memory/1436-27-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/1436-25-0x00000000000A0000-0x00000000000FE000-memory.dmp

Filesize
376KB

Download
memory/1436-36-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/1436-41-0x00000000049E0000-0x0000000004A72000-memory.dmp

Filesize
584KB

Download
memory/1436-42-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/1436-43-0x0000000004B80000-0x0000000004BE6000-memory.dmp

Filesize
408KB

Download
memory/1436-54-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/1436-45-0x0000000005D60000-0x0000000005D9C000-memory.dmp

Filesize
240KB

Download
memory/2004-85-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/2004-109-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/2536-143-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/2536-140-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2536-139-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3356-131-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3356-128-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3356-137-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3356-127-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3356-132-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3432-118-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3432-119-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3432-108-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3432-124-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3648-33-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/3648-20-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/3924-56-0x0000000006220000-0x000000000622A000-memory.dmp

Filesize
40KB

Download
memory/3924-63-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3924-58-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3924-52-0x0000000072BA0000-0x0000000073350000-memory.dmp

Filesize
7.7MB

Download
memory/3924-53-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3984-102-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3984-93-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4564-30-0x0000000000D70000-0x0000000000E0C000-memory.dmp

Filesize
624KB

Download
memory/4564-57-0x0000000000D70000-0x0000000000E0C000-memory.dmp

Filesize
624KB

Download
memory/4564-32-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4564-40-0x0000000000D70000-0x0000000000E0C000-memory.dmp

Filesize
624KB

Download
memory/5044-19-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download