Analysis Overview
SHA256
97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02
Threat Level: Known bad
The file 97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02 was found to be: Known bad.
Malicious Activity Summary
Azorult
Quasar RAT
Quasar payload
Detects Windows executables referencing non-Windows User-Agents
Detects executables containing common artifacts observed in infostealers
Quasar family
Detects executables containing common artifacts observed in infostealers
Detects Windows executables referencing non-Windows User-Agents
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Maps connected drives based on registry
Enumerates connected drives
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 22:46
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 22:46
Reported
2024-03-24 22:49
Platform
win7-20240221-en
Max time kernel
4s
Max time network
76s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Loads dropped DLL
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2352 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | C:\Windows\system32\svchost.exe |
| PID 1912 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe
"C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe
"C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwh8ubmA0NzE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1540
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | sockartek.icu | udp |
Files
\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/2836-29-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1912-30-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/2528-35-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2836-33-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2528-40-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2528-39-0x0000000000420000-0x00000000004BC000-memory.dmp
memory/2528-37-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp
memory/2836-47-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2528-51-0x0000000000420000-0x00000000004BC000-memory.dmp
memory/2836-52-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3028-55-0x0000000000C50000-0x0000000000CAE000-memory.dmp
memory/3028-56-0x0000000073AB0000-0x000000007419E000-memory.dmp
memory/3028-57-0x0000000004B20000-0x0000000004B60000-memory.dmp
memory/2712-65-0x0000000000AB0000-0x0000000000B0E000-memory.dmp
memory/2712-66-0x0000000073AB0000-0x000000007419E000-memory.dmp
memory/2712-67-0x0000000004220000-0x0000000004260000-memory.dmp
memory/3028-68-0x0000000073AB0000-0x000000007419E000-memory.dmp
memory/2528-70-0x0000000000420000-0x00000000004BC000-memory.dmp
memory/2712-71-0x0000000073AB0000-0x000000007419E000-memory.dmp
memory/2712-72-0x0000000004220000-0x0000000004260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uwh8ubmA0NzE.bat
| MD5 | 3b85d3d4591629b7cbc18b4d0b52d189 |
| SHA1 | c5e680af36f87aea2a882c491b027561764f6f5b |
| SHA256 | 34c4af7a9610b1455b0fa2f7e4e54a651574d8d49378d4c381000406aca0ab05 |
| SHA512 | 15c5eea7d23663ab3fba25fdb396e77c2a01e22bf75f0c7cda12540c095f3ed63e371eaeea411c93da0b8f0d9cab73cf00bd6d7ce06e8841b17d75a3019fe676 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 22:46
Reported
2024-03-24 22:49
Platform
win10v2004-20240226-en
Max time kernel
7s
Max time network
156s
Command Line
Signatures
Azorult
Quasar RAT
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3116 set thread context of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | C:\Windows\system32\svchost.exe |
| PID 4572 set thread context of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe | C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe
"C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe
"C:\Users\Admin\AppData\Local\Temp\97e34ef135f5b5c122541d0fe4f959e92a79ff8e7dd79599d7de830ad77bbe02.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b7jWOYtKGSx1.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3360 -ip 3360
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 2276
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5080 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IVJyqiFH4KZN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1544 -ip 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 2260
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4U1Ba8xgH5Uj.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5164 -ip 5164
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 21.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | 684bc0f4a085808fb8ab0dd5b843127b |
| SHA1 | 8bb78e4c2f9897d4e570893f569ee38ba84d4292 |
| SHA256 | 3a99c9ef158d3095f8d1efd50b1ac811bfbe87a2f65a7a6ec67c4997d0ff0f16 |
| SHA512 | d35b88b51c93959731b3e2e90b27189ee9771d753afd096ac5564c1385a6ab9671d301311c75d19248dce186015b5cf76e38e6e3b21d956f469f9ce0282c651e |
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | a2355d64b8671cbb02c64f6a39d0363b |
| SHA1 | 09f4188d2edbbd111bbd8ed6ed8319310e946315 |
| SHA256 | ab5315137b6e675186781c023cf081924ce0bb42ae724b32a4839acfedcdca96 |
| SHA512 | d7c790b041ad7e7fe7dbbf35f12be1397af685346af1e2fc4cec5e9fe60f6e934623efde3f36917686579d7b12485888bb592aab753d9d4095b71baa6bfbede9 |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/684-20-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4572-19-0x0000000004010000-0x0000000004011000-memory.dmp
memory/4128-27-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/3444-34-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
memory/3444-30-0x0000000000C20000-0x0000000000CBC000-memory.dmp
memory/4128-31-0x0000000000B50000-0x0000000000BAE000-memory.dmp
memory/684-36-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3444-38-0x0000000000C20000-0x0000000000CBC000-memory.dmp
memory/4128-41-0x0000000005A40000-0x0000000005FE4000-memory.dmp
memory/4128-42-0x0000000005530000-0x00000000055C2000-memory.dmp
memory/4128-43-0x0000000005440000-0x0000000005450000-memory.dmp
memory/4128-44-0x00000000058D0000-0x0000000005936000-memory.dmp
memory/4128-45-0x00000000066D0000-0x00000000066E2000-memory.dmp
memory/4128-46-0x0000000006B10000-0x0000000006B4C000-memory.dmp
memory/3360-53-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/4128-54-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/3360-55-0x0000000005250000-0x0000000005260000-memory.dmp
memory/3360-57-0x0000000006C00000-0x0000000006C0A000-memory.dmp
memory/3444-58-0x0000000000C20000-0x0000000000CBC000-memory.dmp
memory/3360-59-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/3360-60-0x0000000005250000-0x0000000005260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b7jWOYtKGSx1.bat
| MD5 | 939d2b6c72f421ee9aa46005c0b131f4 |
| SHA1 | 64559fdc3e0200ba3298abc37f06bfb6aeb583ed |
| SHA256 | c6b2f5741f70d9ebdba8a0e24a58ca5650ab1df5a4f7c794eac49b35d31a46aa |
| SHA512 | 5b7bc2a7fdc9df0ff437f1d5a101de1eb0473fc2a2d97cac60a7d9d03d9832d2f992897f38369847846551570dd37185405b47369258c7e9aa61b348c3037d6b |
memory/3360-65-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/1544-67-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/1544-68-0x0000000005720000-0x0000000005730000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-24-2024
| MD5 | ff80afe06aead1606133f519ba9a76bc |
| SHA1 | 7e79eac30582e92a2dc285962dda59f119aa81e9 |
| SHA256 | 217f1b26524a7e6d3886ddce63e4abe5be337b8a485827a687a2135ff67f5338 |
| SHA512 | e9c9f807d554ac4b3a91a44e82c08d23aa1e35dc403070c9a70af57697e7d788b0ecb15eaebf0883f5e3845436407dd4326ed4f616f8bcd2a65a6ce4a7d23f1a |
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 0d4b42f0d3086cbca4b264272374c28c |
| SHA1 | 4a42f2b7219f915c2808a390a10b064b61cb070a |
| SHA256 | 973c8f9524dc9ca49172fb8aee2e41d76be214d3b5d7ce757e00a634420e64c4 |
| SHA512 | 3ddb4cf7ec13292554c9ad9f090b56fc7fce0bfbbeba89544b1be36691b02f8af2898f8f6dcc9c6ca99e086992735d34939e8c54eb6d7e832c1b8bda0f4e8c75 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
| MD5 | 10eab9c2684febb5327b6976f2047587 |
| SHA1 | a12ed54146a7f5c4c580416aecb899549712449e |
| SHA256 | f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928 |
| SHA512 | 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50 |
memory/5256-92-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/5204-95-0x0000000000540000-0x0000000000541000-memory.dmp
memory/5256-94-0x0000000005590000-0x00000000055A0000-memory.dmp
memory/5204-96-0x00000000004A0000-0x000000000053C000-memory.dmp
memory/5204-97-0x00000000004A0000-0x000000000053C000-memory.dmp
memory/5204-101-0x00000000004A0000-0x000000000053C000-memory.dmp
memory/5256-112-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/1544-113-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/1544-114-0x0000000005720000-0x0000000005730000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IVJyqiFH4KZN.bat
| MD5 | f8400d42a690bba80555b8f1b2e913b2 |
| SHA1 | dbe4a96992e85144d61efe5cff122b3997d283c6 |
| SHA256 | c9dc86f5f9c70499238bd9f84d03c303035f7a46ad74ff5310f94ab8c8368658 |
| SHA512 | 7231366c282c5b4eb4cf6dbd48511844daac205a6c8f61be7adb3c419ee886631f554d2b44d960837b37c0df99d35fcf9379fa32b14863b719034ec5e90e82fc |
memory/1544-119-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/5204-120-0x00000000004A0000-0x000000000053C000-memory.dmp
memory/5164-122-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/5164-123-0x0000000004F90000-0x0000000004FA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-24-2024
| MD5 | 5ce567502ac71ea67e14a4e42586a89d |
| SHA1 | 70c9222a4b6e4e30bc3788319693a71e1cbb200d |
| SHA256 | cb92297dddaf1b44df730be3863506ee94615caab0159c4d8d28d82d3eb16934 |
| SHA512 | 20052bab8b543ba9ddee61904e9ed94c795caa4aa78e616dbbcb036aff7095147f424042fad8c8045be869f7af356af9592b12270d05568ab109aa4006ed7208 |
memory/5164-126-0x0000000073200000-0x00000000739B0000-memory.dmp
memory/5164-127-0x0000000004F90000-0x0000000004FA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4U1Ba8xgH5Uj.bat
| MD5 | e437ac43c9b8ec835bb5581fd1113d98 |
| SHA1 | f354a806ca0530fd7c2ef089387b0ba5bc000e74 |
| SHA256 | 7668784668f425e5dd842c554f567ba01fe71fddf49ce0b0fead52b81cf660a5 |
| SHA512 | 4659930e084f770b00b0dfa287f753c6d00f9c41cc6819d756529da2aff6f36a2bfe3f361563b8c1d8458ed4ba1de44f1d3bee3606f9aa496386a7d7e730bdbd |