quasar | 3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

intro.avi.exe
Size

348KB
MD5

d219d94cabaa00e5abffc599bdeef75d
SHA1

123e511de20beab7bfa2bea5c2206422bc5e8241
SHA256

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4
SHA512

82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734
SSDEEP

6144:0I6bPXhLApfpMMoDMWZVGZV+RzbLirAeMB2Wku:FmhApypOrAeMB2/u

Score

10^/10

quasar user discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes

encryption_key
Uz3u2uI4Ld2N91oq93Eb
install_name
systemware.exe
log_directory
logs
reconnect_delay
3000
startup_key
System Ware
subdirectory
system

Signatures

Quasar RAT 5 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	23	ip-api.com	Process not Found
	53	ip-api.com	Process not Found
	68	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
	6	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1596-1-0x0000000000A00000-0x0000000000A5E000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b92-11.dat	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	systemware.exe

Executes dropped EXE 13 IoCs

pid	Process
2660	systemware.exe
376	systemware.exe
4040	systemware.exe
3152	systemware.exe
1440	systemware.exe
840	systemware.exe
4204	systemware.exe
224	systemware.exe
1420	systemware.exe
2092	systemware.exe
3548	systemware.exe
2420	systemware.exe
2356	systemware.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com
53	ip-api.com
68	ip-api.com
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4368	2660	WerFault.exe	86
4700	376	WerFault.exe	108
4440	4040	WerFault.exe	120
1320	3152	WerFault.exe	133
2096	1440	WerFault.exe	145
1888	840	WerFault.exe	156
5020	4204	WerFault.exe	167
872	224	WerFault.exe	178
2100	1420	WerFault.exe	189
1712	2092	WerFault.exe	200
2640	3548	WerFault.exe	211
1392	2420	WerFault.exe	222
4172	2356	WerFault.exe	233

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4600	PING.EXE
1712	PING.EXE
1632	PING.EXE
4496	PING.EXE
636	PING.EXE
4700	PING.EXE
2916	PING.EXE
1228	PING.EXE
3308	PING.EXE
4728	PING.EXE
3792	PING.EXE
1548	PING.EXE
640	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
3308	PING.EXE
636	PING.EXE
4600	PING.EXE
4728	PING.EXE
3792	PING.EXE
1548	PING.EXE
4700	PING.EXE
1712	PING.EXE
640	PING.EXE
2916	PING.EXE
1632	PING.EXE
4496	PING.EXE
1228	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
440	schtasks.exe
1616	schtasks.exe
3564	schtasks.exe
1028	schtasks.exe
3408	schtasks.exe
696	schtasks.exe
5000	schtasks.exe
4668	schtasks.exe
3828	schtasks.exe
2936	schtasks.exe
5092	schtasks.exe
5076	schtasks.exe
4692	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	intro.avi.exe
Token: SeDebugPrivilege	2660	systemware.exe
Token: SeDebugPrivilege	376	systemware.exe
Token: SeDebugPrivilege	4040	systemware.exe
Token: SeDebugPrivilege	3152	systemware.exe
Token: SeDebugPrivilege	1440	systemware.exe
Token: SeDebugPrivilege	840	systemware.exe
Token: SeDebugPrivilege	4204	systemware.exe
Token: SeDebugPrivilege	224	systemware.exe
Token: SeDebugPrivilege	1420	systemware.exe
Token: SeDebugPrivilege	2092	systemware.exe
Token: SeDebugPrivilege	3548	systemware.exe
Token: SeDebugPrivilege	2420	systemware.exe
Token: SeDebugPrivilege	2356	systemware.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2660	systemware.exe
376	systemware.exe
4040	systemware.exe
3152	systemware.exe
1440	systemware.exe
840	systemware.exe
4204	systemware.exe
224	systemware.exe
1420	systemware.exe
2092	systemware.exe
3548	systemware.exe
2420	systemware.exe
2356	systemware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1616	1596	intro.avi.exe	84
PID 1596 wrote to memory of 1616	1596	intro.avi.exe	84
PID 1596 wrote to memory of 1616	1596	intro.avi.exe	84
PID 1596 wrote to memory of 2660	1596	intro.avi.exe	86
PID 1596 wrote to memory of 2660	1596	intro.avi.exe	86
PID 1596 wrote to memory of 2660	1596	intro.avi.exe	86
PID 2660 wrote to memory of 3408	2660	systemware.exe	88
PID 2660 wrote to memory of 3408	2660	systemware.exe	88
PID 2660 wrote to memory of 3408	2660	systemware.exe	88
PID 2660 wrote to memory of 2572	2660	systemware.exe	90
PID 2660 wrote to memory of 2572	2660	systemware.exe	90
PID 2660 wrote to memory of 2572	2660	systemware.exe	90
PID 2572 wrote to memory of 3892	2572	cmd.exe	93
PID 2572 wrote to memory of 3892	2572	cmd.exe	93
PID 2572 wrote to memory of 3892	2572	cmd.exe	93
PID 2572 wrote to memory of 4728	2572	cmd.exe	96
PID 2572 wrote to memory of 4728	2572	cmd.exe	96
PID 2572 wrote to memory of 4728	2572	cmd.exe	96
PID 2572 wrote to memory of 376	2572	cmd.exe	108
PID 2572 wrote to memory of 376	2572	cmd.exe	108
PID 2572 wrote to memory of 376	2572	cmd.exe	108
PID 376 wrote to memory of 5092	376	systemware.exe	111
PID 376 wrote to memory of 5092	376	systemware.exe	111
PID 376 wrote to memory of 5092	376	systemware.exe	111
PID 376 wrote to memory of 4360	376	systemware.exe	113
PID 376 wrote to memory of 4360	376	systemware.exe	113
PID 376 wrote to memory of 4360	376	systemware.exe	113
PID 4360 wrote to memory of 1780	4360	cmd.exe	116
PID 4360 wrote to memory of 1780	4360	cmd.exe	116
PID 4360 wrote to memory of 1780	4360	cmd.exe	116
PID 4360 wrote to memory of 3792	4360	cmd.exe	118
PID 4360 wrote to memory of 3792	4360	cmd.exe	118
PID 4360 wrote to memory of 3792	4360	cmd.exe	118
PID 4360 wrote to memory of 4040	4360	cmd.exe	120
PID 4360 wrote to memory of 4040	4360	cmd.exe	120
PID 4360 wrote to memory of 4040	4360	cmd.exe	120
PID 4040 wrote to memory of 3564	4040	systemware.exe	122
PID 4040 wrote to memory of 3564	4040	systemware.exe	122
PID 4040 wrote to memory of 3564	4040	systemware.exe	122
PID 4040 wrote to memory of 5016	4040	systemware.exe	124
PID 4040 wrote to memory of 5016	4040	systemware.exe	124
PID 4040 wrote to memory of 5016	4040	systemware.exe	124
PID 5016 wrote to memory of 1168	5016	cmd.exe	127
PID 5016 wrote to memory of 1168	5016	cmd.exe	127
PID 5016 wrote to memory of 1168	5016	cmd.exe	127
PID 5016 wrote to memory of 1548	5016	cmd.exe	129
PID 5016 wrote to memory of 1548	5016	cmd.exe	129
PID 5016 wrote to memory of 1548	5016	cmd.exe	129
PID 5016 wrote to memory of 3152	5016	cmd.exe	133
PID 5016 wrote to memory of 3152	5016	cmd.exe	133
PID 5016 wrote to memory of 3152	5016	cmd.exe	133
PID 3152 wrote to memory of 1028	3152	systemware.exe	135
PID 3152 wrote to memory of 1028	3152	systemware.exe	135
PID 3152 wrote to memory of 1028	3152	systemware.exe	135
PID 3152 wrote to memory of 1684	3152	systemware.exe	138
PID 3152 wrote to memory of 1684	3152	systemware.exe	138
PID 3152 wrote to memory of 1684	3152	systemware.exe	138
PID 1684 wrote to memory of 4160	1684	cmd.exe	142
PID 1684 wrote to memory of 4160	1684	cmd.exe	142
PID 1684 wrote to memory of 4160	1684	cmd.exe	142
PID 1684 wrote to memory of 640	1684	cmd.exe	143
PID 1684 wrote to memory of 640	1684	cmd.exe	143
PID 1684 wrote to memory of 640	1684	cmd.exe	143
PID 1684 wrote to memory of 1440	1684	cmd.exe	145

C:\Users\Admin\AppData\Local\Temp\intro.avi.exe
"C:\Users\Admin\AppData\Local\Temp\intro.avi.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\intro.avi.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1616
- C:\Users\Admin\AppData\Roaming\system\systemware.exe
  "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R8g4O3KTDBZA.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4728
  - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
      "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ktx4cEBJMm7n.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3792
      - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xU0CAMeXjESl.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7F6GCh12t4tF.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSTwlTv2vosP.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pO6YgSp6aq3.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BpRgahyiBnuj.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuWGatfXMUfr.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QH8wH8MAsgcc.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4496
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6XKyXfUos0Qb.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F75c1q7raskf.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3308
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muFpiL5DEjFO.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zFEEO6QYVRFN.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 2176
        27⤵
        Program crash
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 2192
        25⤵
        Program crash
        
        PID:1392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 2184
        23⤵
        Program crash
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 2220
        21⤵
        Program crash
        
        PID:1712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 2224
        19⤵
        Program crash
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1076
        17⤵
        Program crash
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 2180
        15⤵
        Program crash
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 2196
        13⤵
        Program crash
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 2200
        11⤵
        Program crash
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 2228
        9⤵
        Program crash
        
        PID:1320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 2232
        7⤵
        Program crash
        
        PID:4440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1924
        5⤵
        Program crash
        
        PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1980
    3⤵
    - Program crash
    PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2660 -ip 2660
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 376 -ip 376
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4040 -ip 4040
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3152 -ip 3152
1⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1440 -ip 1440
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 840 -ip 840
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4204 -ip 4204
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 224 -ip 224
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1420 -ip 1420
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2092 -ip 2092
1⤵
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3548 -ip 3548
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2420 -ip 2420
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2356 -ip 2356
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6XKyXfUos0Qb.bat

Filesize
211B

MD5
bb275647e8b7466292ee0287aa64ff4f

SHA1
3abe438422fb16e309b93d4aee7d6e96dc9c98da

SHA256
fe04ecdf44eab3974b0c82e9b82009db54f030e9461065f11919c46eee97c41e

SHA512
eaa34c90d6f7a41e0867c65c0b602f657d1017ca45fe4609837d0b8fe807df2c72d22a899f7541c88e8481ee1c44d2697f25f3451b07babab7a01ac610a857b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F6GCh12t4tF.bat

Filesize
211B

MD5
4510189eccc465c94a43e53f1332898f

SHA1
daecfffcb2b6512716de059a708d855fbe4dad78

SHA256
632eb7d371f4a2e237e13ee80c0f93f630e2455946bd251213d9af8dbda5cacb

SHA512
7e05ffc2ff7371817c291b26c40c41345529524955d8919e876d6b4dffec3482b89915616100b88e6c2d4c0e5ff15de38a75acf9936ddb488cca8c33b51147bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pO6YgSp6aq3.bat

Filesize
211B

MD5
d047211c22ab94b4f318214474b400d9

SHA1
b3197375b808db333194b7418766242803ac4cd0

SHA256
c8415c14d99f34114a36389e2dd66906314b9c48c327aa829b7ff2f64b712cf6

SHA512
65a74ce991d6378ccb5e89c991bea319bdcfd11b53d779ebd253ed3fb383267b7876c846a9b5e01fe1dae114653b7f71882f75d58be7623498b25190058635d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BpRgahyiBnuj.bat

Filesize
211B

MD5
4b3763dbb765f0b86dbfde17b02c81be

SHA1
ca7e5307b90e3fbb590fbe4de22b9859ccda068c

SHA256
3ba1181190acd38cddc75eef4c7675c9f0fd892588316f91b1ecc0f63d03b325

SHA512
8701470918d1fea88999c38e279ccc7ebbae38f06aa2d16d3f05efc33a96802108441dae9a0d868f2d911608b21457cf6c62620838a915d31bbbe60011d32591

Download Submit
C:\Users\Admin\AppData\Local\Temp\F75c1q7raskf.bat

Filesize
211B

MD5
dd9f04c244763c33b41b4efd5c31ec19

SHA1
4e9a19482751209454016daebbb6974dd66e9810

SHA256
24502f657282d74575518b1ffa09395fa141411194f1db5a3966463caab559d5

SHA512
b71bffee568ae907c05113586f6861d72b22239e8aee4a74ee30a472ffedfd3f264f1774a35a072ab901eb44e96005ec51e8efe29efce0538fdb6063c13ef9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ktx4cEBJMm7n.bat

Filesize
211B

MD5
531b57ff6872097b9b320a1cd404919e

SHA1
8d342534cafc3478c65871e4f35694cc0ffab01b

SHA256
4b081e2960b393e8300c1f0beab5be47deeed56310bc6d291835b78dc824df12

SHA512
0f8dfa05fdc46f42483d5120fb4c95e30346997bbd6cf46e8c49194edd1a1f820eb09e6fd1512a3f0cdcdef07aa08fdb2dbc7383b8f8f020a80483377146f037

Download Submit
C:\Users\Admin\AppData\Local\Temp\QH8wH8MAsgcc.bat

Filesize
211B

MD5
7344903e5ac63cd1e2ba1721acd2b7fb

SHA1
62e2c3240b298007150001b86b2181bcd9c451da

SHA256
879ff7ef9adf0654eb913c5e2d683d93332b20cc602e2be17a329dff418000a1

SHA512
1671290546e3ca980849cb813e848d151cbd0186028107c5df9031c8c1cbe64b762fb8aa65089efd280334bbe5de29bd2a3de5fb713384e810d8960287c4a4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8g4O3KTDBZA.bat

Filesize
211B

MD5
b9c122b47f0668cc2ccb79f540dc8a42

SHA1
505971504b2eb1dc4c581cbdb85f3fdc668fc61a

SHA256
baca49a83270c3e1135bcb672c1c4f6d68922a7dd0f268eb3d7a83e63f2e01df

SHA512
4a612fe8d62430d356475e0d545deb11bf0c3661ba6b2b004be16c13d7d37e95c5839b8adbc6d782295979f18443ce31d24ef86de718da74adcf10ed18917a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuWGatfXMUfr.bat

Filesize
211B

MD5
5f24a6db55053028d558ec88e4752279

SHA1
5dcc6d6a7132b79668c8752c1741ff2da0a83baa

SHA256
aa0e89534d85207f876fbc41f890bb74a0a18fc2d2fc528685d7a872a33b19da

SHA512
bc9f4a101b533c58c8d3cc9ef63b892f8cb13656e159d1362a7750cce1db5b3dc62f510e84f6f1915ae576490f4cb19efb705ad4ddb857c6c5a198897b0affcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\muFpiL5DEjFO.bat

Filesize
211B

MD5
d36934c5b4ad1a215b294baf93dc5633

SHA1
6bf568e52984d1e940b0d7679a89addff21f1e39

SHA256
4c3947c5f9d8b4a0f95f7d4b2c716eeca2f1234784ecc2328abc24d0f99d39a0

SHA512
ebe4d3086fe63b8aaaed00741042637034037b62ae0edfc2e9fde2e705cf1961a7704aad631fd0b205420bddc09d9ef4943c2a9104507af3d73633c8b6f20710

Download Submit
C:\Users\Admin\AppData\Local\Temp\xSTwlTv2vosP.bat

Filesize
211B

MD5
a7581f204e98e7118f16b3ba77a37ee8

SHA1
e7866376edd0faab9fd08ed10003a2572c8a42d8

SHA256
32ec6b7843e80fb54a2ef63a08faa5d643bb01b12f08ed183cc3e2d4ae7bbf88

SHA512
14ff177c43cbc4727efaf7e37974929edc03fc2d6673ae0a371a0df9085a96e45be423a87d55044cd29339d9e4211cd5745e3f8d31dd612984ffedd4e970e2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xU0CAMeXjESl.bat

Filesize
211B

MD5
2e53d698b552f06e2306500d4c99f80d

SHA1
464c648a2e05690c9c0856120b9be0ff3a2b389f

SHA256
46ab647fba0b4ffc46ae2caf8155c296bb57f07e5bda7cfa02156634d8a33549

SHA512
be4f50be416f273ed8fec5b7179fb922359c1f654bb9fc6a49facc828292cb51f5fa5f65e95ec994adf2596e09199da5ab31b7430a239cb5fdfc167d56f2449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zFEEO6QYVRFN.bat

Filesize
211B

MD5
287ce04f83b601c23a3d378a13f9637e

SHA1
26dcc07111e21f70d4ca4cfbbc8c069696f9b184

SHA256
537bbed885f2a5a8f51a054b790ecc255d775769f3aa667ea1b82debf3adafc6

SHA512
595ea8083a45caf7b3b44e63a8871ba81d101ff681d77f55b21f799860e58e5bc06aa5055dc479bbbf397b3a5b94088256477af8fdbec34be36891e23c3b8f8d

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
ef408384e650041f85332eb7bbd6b589

SHA1
57465bb0c3ed0f4cb6c14993fd62d91687a53de9

SHA256
293c08f461283652d00458a380fa7e64b326de3f484bccf5a61aad4bb76b55d8

SHA512
f64bb5c5ab27d6521c848d9653dd050f303868b58db505569f2ec527e59e33acf4a7c13cd163e46ac051554bcf9c18f99763a4ab4dc33b1d0298deb0bb1b809a

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
36630a7e0790aad1ec33aebbca5da48c

SHA1
6b2bdfd0870c6cdb356ac003aa853d72536ace67

SHA256
6e0c688a0f57b75436a2ce994fb9c00e458d6e354f31f332f8873290eff4ad64

SHA512
cf585f381ce6d202b54138571991206d3c3899618d109951e443755903bcdb7d19f4870f0067751525b8e21614ca9794491cd99b49f230ca698a62f7726a68ee

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
1da7087bef120438929aeb35a7712155

SHA1
880098bba157a6eb486f7aaacfc76557f91b662d

SHA256
175f1cc51ea37f352b0f20f68ee97fdfc961d4fd2d4cf40780c168b01ce30e61

SHA512
c033735e9ac31f472c96a2f440100313caade4ac8434c851491fcda0ca8ba7bdf788b4dc64623dfa76b432d2943023fe4c65597d6ebb18b11bd83800b11c8485

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
25669f15a2a81d9e7edd79ad3a13b65f

SHA1
9ac4f16472dc3015ee27a8d9e34c5175b95057f6

SHA256
4f4472d39472db5595db37f0a9329aeb409e0940339f72fb5b09304638dd1bc2

SHA512
dc802ac9437252676fa380d858ab6b52434fe4adb47fe4daefad6eeb3679adfafa06d793c94f0e33cfd78d0c7783e7c79a9a86f7899fccdf82b3710d1b12af91

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
111a0d0bdda3f04dac7a8317c9a0ceee

SHA1
4a3bcab467020250a0b4d6ec878908882ecdd12a

SHA256
cefd8c2bd843d26150653b0113e8820b39cd380aaf86ce16200a9c9a26cf819d

SHA512
8ab621343232c0fc6d6d91c86950358d93e3e7a6ac14c6c5909abf2d1d95861f6960fbd655ca8ba27a00a1cc3bcec3e4f1e3b5d7d4afd74e74cd52f40e7052ba

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
20fe12d25d876280e8f6e9f2b0d0b2af

SHA1
75fac855357657378384b88b66793911e6949579

SHA256
e725933879a24fc5767898019a622d655f1a0e115e05757fd052074861987635

SHA512
65172325bd2dec971d8b1be59e985bbd602eda114cbdf385700516d1420f78a33f1bf19946c0d1da494cb1a9d6f9a5fb64a1bc932d7feae53ef3f6ff394b21e8

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
198de5d179985202031a3d44a104ef93

SHA1
605d37cf6a6534d5f94fa59eb7e969f76b7d62a8

SHA256
5f56450bf6eeb41d30432b2021d21cccaae477e62cc1110572c4e721292cdcab

SHA512
232a532230ddd4e3b90e6ca0df406768ab7fe5950ffc7bded5b32abad1672f75271b25899c43db747f0bfe2ceb0e43e2ba5256ae55321a6ea69b924e062ccc05

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
e4927a43cf7705a1b9bdd1bbd3a1695f

SHA1
fd07ea402c0c79b0975de36b62b579ca492fa666

SHA256
a54317d97b2101be20ec91ff63a921544e1fa78fc37a1a3d77ef713a13c4ba22

SHA512
63db4592155c89a4d24ad3897814e749d4b78f0ebf4c93b903efb978d179324856bd638d79047e59b4c49517b87f8e86f31084192b8b9a92af32dc4f0462ae3a

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
1b84f90ccd3e92a1ca92cc1bf07bfc4e

SHA1
9250da93b83b787341008a5d943d61aa168fe0c5

SHA256
25077da8a08ef0300e314c232ff3ab36c08d2a3b1f7803342a98d29169cb652f

SHA512
1de3c0dad116b35889b3ab90e56bd01db315f9fec93602f868d787718a6af07f776b9ce253a5f1d9084d6bd326f3a0656b83a6c8f92f7c80db1de4f5f4e3cb25

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
5a5307baeca0e09087547024d98081e0

SHA1
acb48d289be4382a744353707ea2f43bf705bf30

SHA256
ff4f518ba7bf856e4490f0c9d9bbebb4f62e8280cf278789f4410cc68db8dcdc

SHA512
26ec4043a5f646d02ca0900cb9d902f9ee634b5916a6b34bf317ce966a28afbce5cd0ca4763c1df2f15a6b4a27ed8ddd48e13e462e5a4ba16da6cfdca7747c3e

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
31b2450d5bbc96fc412e7823ad2107fe

SHA1
69ad069ecac35093d7e842b1ec081c43d5de0f79

SHA256
822eabf7517e1f1e7db8fc3bc59de1302b83e15d75fe1a673631be03bb64cb70

SHA512
4408ba745a0328d7aa1502f740ef5c40223ae53173aa8e2bc8efe8973dc5307bd3c5040dbddb56a99e8ee40612e704b475b4877235657901f14f5a73347663b6

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
1345699d1698606acd56ef613d8dd6c9

SHA1
cda69c322ed223736a4f64e62db0020b0e3cac00

SHA256
9f4451aae9824c0e15d06572e26cec1a362da9e662028e0565a5f6991b293cd8

SHA512
5798dd66792ff68ad7cd22e036c643bb96edda03e348d5965f8d0f0b71910f4bc621e47f0764465b86e8065d3feac9ccddf9d7b1047944d9dcecd6900c594d3e

Download Submit
C:\Users\Admin\AppData\Roaming\system\systemware.exe

Filesize
348KB

MD5
d219d94cabaa00e5abffc599bdeef75d

SHA1
123e511de20beab7bfa2bea5c2206422bc5e8241

SHA256
3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

SHA512
82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

Download Submit
memory/1596-6-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

Filesize
72KB

Download
memory/1596-0-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/1596-7-0x00000000066C0000-0x00000000066FC000-memory.dmp

Filesize
240KB

Download
memory/1596-15-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1596-5-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1596-4-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1596-3-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/1596-2-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1596-1-0x0000000000A00000-0x0000000000A5E000-memory.dmp

Filesize
376KB

Download
memory/2660-16-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2660-19-0x00000000069F0000-0x00000000069FA000-memory.dmp

Filesize
40KB

Download
memory/2660-23-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2660-14-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads