Malware Analysis Report

2024-08-06 13:18

Sample ID 240703-aekxks1ekk
Target 8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4
SHA256 8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4
Tags
azorult quasar ebayprofiles infostealer spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4

Threat Level: Known bad

The file 8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4 was found to be: Known bad.

Malicious Activity Summary

azorult quasar ebayprofiles infostealer spyware trojan

Azorult

Quasar payload

Quasar family

Quasar RAT

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Maps connected drives based on registry

Enumerates connected drives

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Program crash

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-03 00:07

Signatures

Quasar family

quasar

Quasar payload

AutoIT Executable

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 00:07

Reported

2024-07-03 00:10

Platform

win7-20240611-en

Max time kernel

4s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe"

Signatures

Azorult

trojan infostealer azorult

Quasar RAT

trojan spyware quasar

Quasar payload

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\windef.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p:, \??\r:, \??\t:, \??\x:, \??\b:, \??\n:, \??\q:, \??\v:, \??\y:, \??\a:, \??\o:, \??\s:, \??\u:, \??\z:, \??\h:, \??\g:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\w:, \??\e: C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\system32\svchost.exe N/A

AutoIT Executable

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 3024 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 2392 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 2392 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe
PID 2392 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe

"C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe"

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe

"C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f

C:\Windows\system32\taskeng.exe

taskeng.exe {B44E0C9E-EBE4-4C22-AFFD-22595C3ACD80} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0IKYcAp87Tey.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1532

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

Network

Files

\Users\Admin\AppData\Local\Temp\vnc.exe

\Users\Admin\AppData\Local\Temp\windef.exe

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MTAYM3ME.txt

C:\Users\Admin\AppData\Local\Temp\0IKYcAp87Tey.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 00:07

Reported

2024-07-03 00:10

Platform

win10v2004-20240611-en

Max time kernel

5s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe"

Signatures

Azorult

trojan infostealer azorult

Quasar RAT

trojan spyware quasar

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A ip-api.com N/A N/A

Quasar payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b:, \??\l:, \??\o:, \??\r:, \??\s:, \??\y:, \??\z:, \??\e:, \??\j:, \??\k:, \??\m:, \??\p:, \??\x:, \??\u:, \??\v:, \??\a:, \??\g:, \??\i:, \??\n:, \??\q:, \??\t:, \??\h:, \??\w: C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\windef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 5000 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 1556 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 1556 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe
PID 1556 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4200 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 4200 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
PID 2468 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe

"C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe"

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000

C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe

"C:\Users\Admin\AppData\Local\Temp\8d4959256e53fb74a296edbd63a8287d142b99804dcfa5e64c991a86c7e440d4.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 548

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 520

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKrnl0k8GBSB.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2468 -ip 2468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEuF3tBzu9mO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 2228

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Files

C:\Users\Admin\AppData\Local\Temp\vnc.exe

C:\Users\Admin\AppData\Local\Temp\windef.exe

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log

C:\Users\Admin\AppData\Local\Temp\XKrnl0k8GBSB.bat

C:\Users\Admin\AppData\Roaming\Logs\07-03-2024

C:\Users\Admin\AppData\Local\Temp\WEuF3tBzu9mO.bat