Analysis Overview
SHA256
4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b
Threat Level: Known bad
The file 4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b was found to be: Known bad.
Malicious Activity Summary
Quasar family
Azorult
Detects executables containing common artifacts observed in infostealers
Quasar payload
Detects Windows executables referencing non-Windows User-Agents
Quasar RAT
Detects executables containing common artifacts observed in infostealers
Detects Windows executables referencing non-Windows User-Agents
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Maps connected drives based on registry
Enumerates connected drives
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: MapViewOfSection
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-19 19:59
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-19 19:59
Reported
2024-03-19 20:02
Platform
win7-20240220-en
Max time kernel
2s
Max time network
30s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Loads dropped DLL
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\system32\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2920 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | C:\Windows\system32\svchost.exe |
| PID 2872 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe | C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe
"C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe
"C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\system32\taskeng.exe
taskeng.exe {835697D5-90AD-4A3F-8AA1-E7690A5D46BE} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
Network
| Country | Destination | Domain | Proto |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| RU | 5.8.88.191:8080 | tcp |
Files
\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/2692-29-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2872-30-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/2692-33-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2600-36-0x0000000000DC0000-0x0000000000E1E000-memory.dmp
memory/2584-39-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2692-43-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2584-42-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp
memory/2584-45-0x00000000001A0000-0x000000000023C000-memory.dmp
memory/2692-53-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2584-54-0x00000000001A0000-0x000000000023C000-memory.dmp
memory/2600-55-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2584-56-0x00000000001A0000-0x000000000023C000-memory.dmp
memory/2600-57-0x0000000004AF0000-0x0000000004B30000-memory.dmp
memory/2584-58-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2600-67-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/296-66-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/296-68-0x0000000000260000-0x00000000002BE000-memory.dmp
memory/296-69-0x0000000004A80000-0x0000000004AC0000-memory.dmp
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 0dfb90421e49a673881eb0028b04ba17 |
| SHA1 | f8fde621583e7a372477b4c39350042e396a3633 |
| SHA256 | ceb12b534e75ee77c966f7f0d8f9668b7a8e39ef2e5108ecf805d2eca897741c |
| SHA512 | 9c1d12d939133cd18176c5cdcda606781ed4e624af9ff96170906323b6d6fd077e40a9ce15207276bc05146aa6b3e922a7b17560b08f47f0b4dae52bdf0c4311 |
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2064-111-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2228-117-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2228-119-0x0000000001340000-0x000000000139E000-memory.dmp
memory/324-122-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp
memory/2228-123-0x0000000004850000-0x0000000004890000-memory.dmp
memory/324-124-0x00000000004A0000-0x000000000053C000-memory.dmp
memory/324-126-0x00000000004A0000-0x000000000053C000-memory.dmp
memory/324-125-0x0000000000020000-0x0000000000021000-memory.dmp
memory/324-130-0x00000000004A0000-0x000000000053C000-memory.dmp
memory/2228-131-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/296-132-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/296-133-0x0000000004A80000-0x0000000004AC0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-19 19:59
Reported
2024-03-19 20:02
Platform
win10v2004-20240226-en
Max time kernel
3s
Max time network
141s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2100 set thread context of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe | C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vnc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vnc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe
"C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe
"C:\Users\Admin\AppData\Local\Temp\4d76ac906021bbc02781841d340f03eaae289d58ce4ed1457e5b539717afb30b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1420 -ip 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 548
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 520
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGMzgdNxgLPR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4964 -ip 4964
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sockartek.icu | udp |
Files
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | eee7f966ba589b70604495c2fa56a19d |
| SHA1 | a63d10708c5060190aa7786ad4318b198878e82f |
| SHA256 | 05b51afec2a127e94f28dbe8b2e4e91fc7c3f936953ee6e0ae777cd3fe69ffa1 |
| SHA512 | 233618d80dd8d58fec1445871c65982bea4ba40921b49d1d5acac010dccee249a4825345209decd52fe21b714fc3dd6f04601f0cc47f50b814059f94dc7d83db |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | d8d3cee32ad434a9b56883cc1508f53c |
| SHA1 | aca7265f24f42056ace6c1420b3c1e37d5cc3d05 |
| SHA256 | 63f239f07baf0a72523dc8bea06b407d879a5195170f80ee610e44b80d9d2dd5 |
| SHA512 | 8a87e936a4f3be599646febbdd8e863a15fef984c36b29995e7ec914aaa3d0425a5883a27f04fa78e04556e7c6b67a177fdfbf23fe3f10a3e82da303552d82bd |
memory/2100-19-0x00000000021E0000-0x00000000021E1000-memory.dmp
memory/1328-20-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3804-26-0x0000000000A90000-0x0000000000AEE000-memory.dmp
memory/3804-29-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/3804-30-0x0000000005BE0000-0x0000000006184000-memory.dmp
memory/1328-31-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3804-32-0x0000000005510000-0x00000000055A2000-memory.dmp
memory/3804-35-0x0000000005460000-0x0000000005470000-memory.dmp
memory/3804-36-0x00000000055B0000-0x0000000005616000-memory.dmp
memory/3804-37-0x0000000005B90000-0x0000000005BA2000-memory.dmp
memory/3804-38-0x0000000006890000-0x00000000068CC000-memory.dmp
memory/3804-46-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/4964-45-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/4964-47-0x0000000005220000-0x0000000005230000-memory.dmp
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 3bc88002ee0c6dc3678d75e34faa7068 |
| SHA1 | e67113f376936b7e975c4d40c745c7d4cfefee2d |
| SHA256 | 9e16f307d052dfb5af1d3634a8913a24dcf37e756f8f002dbe1e215435ddcd46 |
| SHA512 | d6c0a363be71ae45607b60273344c824d24c011c5a7174994a8202a8d33540e9eba8d9906cb806962eab1bf23daf6f1b7cfbd54c01d27b3335212dfd6ac6a6d7 |
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 225611c9ffc13c80257e8b4e76515d40 |
| SHA1 | 0c9147e25ad7fa6b668cb469ba671668f2c13940 |
| SHA256 | 368586103c38883079c0da26a55a885da79716dfc05e4592d4b2840423e17b01 |
| SHA512 | c0a5afed9b59542f81798109de38b11805be4e8b0d4b4c3ae152bbd4d9df61a891a0acd851333f0c3e22c4ad0c57067741b44324aa2ee0ad4ecc26cc06dc982b |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | a6745dbe1e0fd432a4fb5c6a25603057 |
| SHA1 | 908bfaebdbb38d79d4814d789a3fcbc7aceffc35 |
| SHA256 | e1baa6b409ad0365421bab33b6a4770584a9d1e98584a9e62c1c2b0a5acaa4ee |
| SHA512 | 458be042f649c1a324ce490d04815b0e71712f3d2a639f94c8609433238d0bfdb7e75bb1e3c7288d188f9cf7ace105d2d6ec1e92d543e29c1e0e3a6f4c794444 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
| MD5 | 10eab9c2684febb5327b6976f2047587 |
| SHA1 | a12ed54146a7f5c4c580416aecb899549712449e |
| SHA256 | f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928 |
| SHA512 | 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50 |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | e3003c545b2650ceac01b94547e6adb9 |
| SHA1 | bde4126fc060e2938240eac6db18a08d4a8f0979 |
| SHA256 | ad7efe1757410a9b09490e9e80b30ada78baf00638c785b888646de6bd8c330f |
| SHA512 | 5ec6e1276af5bd766d6452890bf66a9484ad34f0cd366eed2fad9f97c537eaf653f4115e2aa445974b461e6695556cc99847535214845d1ed8a71d5d4df8d0d0 |
memory/3588-69-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/3588-70-0x00000000054C0000-0x00000000054D0000-memory.dmp
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 0c8614efc1ec5166f64059e5ec975248 |
| SHA1 | 9c2ed3650487d2d2ff729432c41428038529d379 |
| SHA256 | 2bce199386e67a0a69f1fabc18ea3cc53ca77aba14fc4fb03f1debdf7d014813 |
| SHA512 | b233212550bf4b477bb2874144a7fcc87d911a081cc054dc2904c50ccca38c4d2cfae0f5317b2d2ebe94acfcf558aaa3865ecb07ec875013d7f461c36fa8bd9c |
memory/3588-81-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/4964-83-0x0000000006950000-0x000000000695A000-memory.dmp
memory/4964-84-0x00000000736D0000-0x0000000073E80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uGMzgdNxgLPR.bat
| MD5 | 48025b23267574e2f9c6a3bc34d80426 |
| SHA1 | 7d26cfd137aba8911dcbf953baee67a984fffe8d |
| SHA256 | ed6e7f5952f22a6f6d66aa1bacfc9285394cee708bf49ac24598f17257d13c02 |
| SHA512 | bde1df50bd0a646555a35d47174403c5ed23bb85513c115f1219d4e19d0482455496ef38ed0d1ad03d4bbfa654b05c7e93ed5effa8146a173ca5a96ea91442a5 |
memory/4964-89-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/1556-91-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/1556-92-0x00000000055E0000-0x00000000055F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-19-2024
| MD5 | 51f95458e402df51098c260f4c5694e5 |
| SHA1 | d83bbaead0a5a1ee99957914e7f86fc1c67e1713 |
| SHA256 | cfe636bbc49b755fcb29053bb324c552192dcafa6e98649c5e051cd896ee19c7 |
| SHA512 | 851d549c5690b1a2e622872dd80e99326403b0593e2d6c32c691a38fe1c3abc095826a25acf5469978a404597bbcdd862ac6763fe7c006e0d026ae08af4d1366 |
memory/1556-95-0x00000000736D0000-0x0000000073E80000-memory.dmp
memory/1556-96-0x00000000055E0000-0x00000000055F0000-memory.dmp