quasar | 3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

intro.avi.exe
Size

348KB
MD5

d219d94cabaa00e5abffc599bdeef75d
SHA1

123e511de20beab7bfa2bea5c2206422bc5e8241
SHA256

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4
SHA512

82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734
SSDEEP

6144:0I6bPXhLApfpMMoDMWZVGZV+RzbLirAeMB2Wku:FmhApypOrAeMB2/u

Score

10^/10

quasar user discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes

encryption_key
Uz3u2uI4Ld2N91oq93Eb
install_name
systemware.exe
log_directory
logs
reconnect_delay
3000
startup_key
System Ware
subdirectory
system

Signatures

Quasar RAT 5 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
	2	ip-api.com	Process not Found
	11	ip-api.com	Process not Found
	18	ip-api.com	Process not Found
	20	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 17 IoCs

resource	yara_rule
behavioral1/memory/2516-1-0x00000000011F0000-0x000000000124E000-memory.dmp	family_quasar
behavioral1/files/0x0008000000019234-5.dat	family_quasar
behavioral1/memory/2316-10-0x00000000000C0000-0x000000000011E000-memory.dmp	family_quasar
behavioral1/memory/1764-31-0x0000000000FA0000-0x0000000000FFE000-memory.dmp	family_quasar
behavioral1/memory/2200-49-0x00000000002E0000-0x000000000033E000-memory.dmp	family_quasar
behavioral1/memory/2368-67-0x0000000001110000-0x000000000116E000-memory.dmp	family_quasar
behavioral1/memory/1520-85-0x0000000001110000-0x000000000116E000-memory.dmp	family_quasar
behavioral1/memory/2896-103-0x0000000001110000-0x000000000116E000-memory.dmp	family_quasar
behavioral1/memory/2032-121-0x00000000012D0000-0x000000000132E000-memory.dmp	family_quasar
behavioral1/memory/2416-139-0x00000000001C0000-0x000000000021E000-memory.dmp	family_quasar
behavioral1/memory/744-155-0x0000000000A90000-0x0000000000AEE000-memory.dmp	family_quasar
behavioral1/memory/2568-165-0x0000000000A90000-0x0000000000AEE000-memory.dmp	family_quasar
behavioral1/memory/2520-175-0x0000000000C50000-0x0000000000CAE000-memory.dmp	family_quasar
behavioral1/memory/2956-185-0x0000000000CA0000-0x0000000000CFE000-memory.dmp	family_quasar
behavioral1/memory/1324-195-0x0000000000170000-0x00000000001CE000-memory.dmp	family_quasar
behavioral1/memory/1516-205-0x0000000000F10000-0x0000000000F6E000-memory.dmp	family_quasar
behavioral1/memory/276-215-0x00000000011D0000-0x000000000122E000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2316	systemware.exe
1764	systemware.exe
2200	systemware.exe
2368	systemware.exe
1520	systemware.exe
2896	systemware.exe
2032	systemware.exe
2416	systemware.exe
744	systemware.exe
2568	systemware.exe
2520	systemware.exe
2956	systemware.exe
1324	systemware.exe
1516	systemware.exe
276	systemware.exe

Loads dropped DLL 64 IoCs

pid	Process
2516	intro.avi.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
18	ip-api.com
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2372	2316	WerFault.exe	33
332	1764	WerFault.exe	42
1732	2200	WerFault.exe	50
3060	2368	WerFault.exe	58
2868	1520	WerFault.exe	66
880	2896	WerFault.exe	74
1860	2032	WerFault.exe	82
1312	2416	WerFault.exe	90
1628	744	WerFault.exe	98
2704	2568	WerFault.exe	106
2652	2520	WerFault.exe	114
2360	2956	WerFault.exe	122
928	1324	WerFault.exe	130
1656	1516	WerFault.exe	138
1748	276	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1164	PING.EXE
1656	PING.EXE
2860	PING.EXE
2308	PING.EXE
2484	PING.EXE
2888	PING.EXE
3028	PING.EXE
2844	PING.EXE
2244	PING.EXE
2700	PING.EXE
3040	PING.EXE
2988	PING.EXE
2508	PING.EXE
2796	PING.EXE
2176	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE
2988	PING.EXE
3040	PING.EXE
2888	PING.EXE
1164	PING.EXE
2844	PING.EXE
2860	PING.EXE
2308	PING.EXE
2508	PING.EXE
2244	PING.EXE
2796	PING.EXE
1656	PING.EXE
2176	PING.EXE
2484	PING.EXE
3028	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2348	schtasks.exe
2104	schtasks.exe
2996	schtasks.exe
2400	schtasks.exe
2496	schtasks.exe
2056	schtasks.exe
2620	schtasks.exe
2712	schtasks.exe
1296	schtasks.exe
2740	schtasks.exe
1628	schtasks.exe
1016	schtasks.exe
1588	schtasks.exe
1536	schtasks.exe
2772	schtasks.exe
2924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	intro.avi.exe
Token: SeDebugPrivilege	2316	systemware.exe
Token: SeDebugPrivilege	1764	systemware.exe
Token: SeDebugPrivilege	2200	systemware.exe
Token: SeDebugPrivilege	2368	systemware.exe
Token: SeDebugPrivilege	1520	systemware.exe
Token: SeDebugPrivilege	2896	systemware.exe
Token: SeDebugPrivilege	2032	systemware.exe
Token: SeDebugPrivilege	2416	systemware.exe
Token: SeDebugPrivilege	744	systemware.exe
Token: SeDebugPrivilege	2568	systemware.exe
Token: SeDebugPrivilege	2520	systemware.exe
Token: SeDebugPrivilege	2956	systemware.exe
Token: SeDebugPrivilege	1324	systemware.exe
Token: SeDebugPrivilege	1516	systemware.exe
Token: SeDebugPrivilege	276	systemware.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2316	systemware.exe
1764	systemware.exe
2200	systemware.exe
2368	systemware.exe
1520	systemware.exe
2896	systemware.exe
2032	systemware.exe
2416	systemware.exe
744	systemware.exe
2568	systemware.exe
2520	systemware.exe
2956	systemware.exe
1324	systemware.exe
1516	systemware.exe
276	systemware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2348	2516	intro.avi.exe	31
PID 2516 wrote to memory of 2348	2516	intro.avi.exe	31
PID 2516 wrote to memory of 2348	2516	intro.avi.exe	31
PID 2516 wrote to memory of 2348	2516	intro.avi.exe	31
PID 2516 wrote to memory of 2316	2516	intro.avi.exe	33
PID 2516 wrote to memory of 2316	2516	intro.avi.exe	33
PID 2516 wrote to memory of 2316	2516	intro.avi.exe	33
PID 2516 wrote to memory of 2316	2516	intro.avi.exe	33
PID 2316 wrote to memory of 2740	2316	systemware.exe	34
PID 2316 wrote to memory of 2740	2316	systemware.exe	34
PID 2316 wrote to memory of 2740	2316	systemware.exe	34
PID 2316 wrote to memory of 2740	2316	systemware.exe	34
PID 2316 wrote to memory of 2796	2316	systemware.exe	36
PID 2316 wrote to memory of 2796	2316	systemware.exe	36
PID 2316 wrote to memory of 2796	2316	systemware.exe	36
PID 2316 wrote to memory of 2796	2316	systemware.exe	36
PID 2316 wrote to memory of 2372	2316	systemware.exe	38
PID 2316 wrote to memory of 2372	2316	systemware.exe	38
PID 2316 wrote to memory of 2372	2316	systemware.exe	38
PID 2316 wrote to memory of 2372	2316	systemware.exe	38
PID 2796 wrote to memory of 2632	2796	cmd.exe	39
PID 2796 wrote to memory of 2632	2796	cmd.exe	39
PID 2796 wrote to memory of 2632	2796	cmd.exe	39
PID 2796 wrote to memory of 2632	2796	cmd.exe	39
PID 2796 wrote to memory of 2700	2796	cmd.exe	40
PID 2796 wrote to memory of 2700	2796	cmd.exe	40
PID 2796 wrote to memory of 2700	2796	cmd.exe	40
PID 2796 wrote to memory of 2700	2796	cmd.exe	40
PID 2796 wrote to memory of 1764	2796	cmd.exe	42
PID 2796 wrote to memory of 1764	2796	cmd.exe	42
PID 2796 wrote to memory of 1764	2796	cmd.exe	42
PID 2796 wrote to memory of 1764	2796	cmd.exe	42
PID 1764 wrote to memory of 1588	1764	systemware.exe	43
PID 1764 wrote to memory of 1588	1764	systemware.exe	43
PID 1764 wrote to memory of 1588	1764	systemware.exe	43
PID 1764 wrote to memory of 1588	1764	systemware.exe	43
PID 1764 wrote to memory of 796	1764	systemware.exe	45
PID 1764 wrote to memory of 796	1764	systemware.exe	45
PID 1764 wrote to memory of 796	1764	systemware.exe	45
PID 1764 wrote to memory of 796	1764	systemware.exe	45
PID 1764 wrote to memory of 332	1764	systemware.exe	47
PID 1764 wrote to memory of 332	1764	systemware.exe	47
PID 1764 wrote to memory of 332	1764	systemware.exe	47
PID 1764 wrote to memory of 332	1764	systemware.exe	47
PID 796 wrote to memory of 996	796	cmd.exe	48
PID 796 wrote to memory of 996	796	cmd.exe	48
PID 796 wrote to memory of 996	796	cmd.exe	48
PID 796 wrote to memory of 996	796	cmd.exe	48
PID 796 wrote to memory of 2988	796	cmd.exe	49
PID 796 wrote to memory of 2988	796	cmd.exe	49
PID 796 wrote to memory of 2988	796	cmd.exe	49
PID 796 wrote to memory of 2988	796	cmd.exe	49
PID 796 wrote to memory of 2200	796	cmd.exe	50
PID 796 wrote to memory of 2200	796	cmd.exe	50
PID 796 wrote to memory of 2200	796	cmd.exe	50
PID 796 wrote to memory of 2200	796	cmd.exe	50
PID 2200 wrote to memory of 2056	2200	systemware.exe	51
PID 2200 wrote to memory of 2056	2200	systemware.exe	51
PID 2200 wrote to memory of 2056	2200	systemware.exe	51
PID 2200 wrote to memory of 2056	2200	systemware.exe	51
PID 2200 wrote to memory of 1656	2200	systemware.exe	53
PID 2200 wrote to memory of 1656	2200	systemware.exe	53
PID 2200 wrote to memory of 1656	2200	systemware.exe	53
PID 2200 wrote to memory of 1656	2200	systemware.exe	53

C:\Users\Admin\AppData\Local\Temp\intro.avi.exe
"C:\Users\Admin\AppData\Local\Temp\intro.avi.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\intro.avi.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2348
- C:\Users\Admin\AppData\Roaming\system\systemware.exe
  "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\wX7gsLsAtsSy.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2700
  - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
      "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XyH8oxPYdLPB.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:796
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:996
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2988
      - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1I3aItGYvII2.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kauwfvaloi1F.bat" "
        9⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uVPSbzYvjKAT.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\q65Ok2h7dq6C.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sDitS2cgj8cj.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWaFp5wucYLw.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KDvnyDydMV7r.bat" "
        19⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuGL7M1N5Stn.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuQU2Ws5qVsD.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuTGdXNKipNv.bat" "
        25⤵
        
        PID:796
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EhUQmmIcHCz3.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\j50O8uVNz3YS.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIVl3F9BQxDI.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 276 -s 1420
        31⤵
        Program crash
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1428
        29⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1408
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1432
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1436
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1440
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1440
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1432
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1416
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1424
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1432
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1420
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1420
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1424
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1456
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1I3aItGYvII2.bat

Filesize
211B

MD5
a31904a5e6b634f5350dc1fc08ad305a

SHA1
c41dece7364f02550a97685f3c19204378971cf3

SHA256
1689671c72a2b36a34115936bc813c8f3aa98a1a5b0ad866eeea43dfe862a8de

SHA512
3542b29914a7a9b44f319509a96775e02e2f4a217ae181e16e9671232a76fd5abadf81c9a1712ff1100b2aae32f888cd30ac52f13099d9205aa6369563697f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWaFp5wucYLw.bat

Filesize
211B

MD5
327adffd1308ace486aabbd6b708a0c1

SHA1
020aeb001434531abe63a51f6d3c2d5b5ce768ae

SHA256
61dd0f1ec7884436fa69ee1c1b969c0970206c6ba65f615049af36dfcdb87e79

SHA512
f55df3ec21bbc2e6c64f3fa5385baee1cd08ae36350226ec643bd2bb5b01b1a110c490c5038c04da88f6b0829e1e0d17f5b4d9b3f8e597415f3bc12724dbe96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EhUQmmIcHCz3.bat

Filesize
211B

MD5
01442491d5bb72437f424e7689e40853

SHA1
5e1011cf43a5e4304713849a2d1eb1ddf13e5379

SHA256
1cf11d35c79f95097e3b7c5af8341610667689aa6e6bd985c28b1caab06ea862

SHA512
8e6746833ea7f7eb6c13c91da241fae666a0c7ebaddfd8f9f94fca54cb6c85f4a6e33667635543ff1602e463acf80512be6a786e660d7bf82fe0f1a1d45ef105

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuQU2Ws5qVsD.bat

Filesize
211B

MD5
c1bc1b9011e4e1a29279239e67f34981

SHA1
277da5a61666db66d86b024417bbf20614f34c60

SHA256
68e21ab8ff6f9a917707eaea0d449e9596a03787490607ca152688bb81e40505

SHA512
c18f470479e5b8bb541d2fff522930d8d9c20adb3e3efa0dc4b4fce8dc8929b207359ae2778a68ffa46f935de0cf8a1710cd5a92209d42e85a3dfc3a47fc43d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDvnyDydMV7r.bat

Filesize
211B

MD5
d750c116d578e63dfdef296e3c42773b

SHA1
957eaf811328c9cbaae7ab7499739665e2f42a35

SHA256
8bf1afb35dc612c388543947ffae10c1d92fd412236ab1ef59e6357d6e877f97

SHA512
6590a07ecbf8be121b006f1053752af3feaf0bf7a96d0c742cbe540b4e8ddca7a6607611b60b32e93f01afe366ab2e20be89539ae8ee16ed2be4fd56e479c60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kauwfvaloi1F.bat

Filesize
211B

MD5
10a30893fbe0692f19a1ead1583e2acc

SHA1
063f7bf27272ae801365537cb4ce23d8be6aab92

SHA256
f97bbb9b50ebb63dc8fa23bbe7cc5537cc6c6ba2c609f6ebea0bd1555f2dd9c7

SHA512
77b16c023752502175ff93e1da990d5181a4e1a1982e307179a2f7eca6cc6737ea7619460b0767a6e5ffff1c0b3c020ade181b98fd67693674dc2cb3e0e87ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuGL7M1N5Stn.bat

Filesize
211B

MD5
57cdb1c6beac58cc276bfdd4b6addbec

SHA1
e80a8780801ef2b06c8d2afc7797cd6f468d0efc

SHA256
8b1ce9e38ad5fecb12ca0db223f265f9fe982906a25ac36b01f9c5ba890bc1a4

SHA512
ee9066e1d9c60f55d9b7ed0d931df2f3ab1484103e0a7e18e6df9b7bd4d1a39cecf5fa39dd2ea287a40f0cd534bd887d0b02168c095d045cf2a4034f613606be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyH8oxPYdLPB.bat

Filesize
211B

MD5
8bbabd51f35d0d600d390872e2009627

SHA1
9015aac5c2319c04abf918837cb2578e3917e8e3

SHA256
3d9f68aec7e27cf39d846b9f2237905ec13d1a78a524d15bee04cded3f670cee

SHA512
14c64f93f2da46a868aaa0c6e1034def0fd6b426d556873b9fb325607ba472a113eed55fc03de2e64da89915edd70fee2c360fddd3aa4bf7f38718f47cdb6a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\j50O8uVNz3YS.bat

Filesize
211B

MD5
0b8ce781c859ffa47fd6c7401de12387

SHA1
4aa41be65d2cf89c36b576e262285112cbf99df2

SHA256
5635ca6b8f331b32aed4eb11437143fe733a6fba5d693fb380ba9b6752354c50

SHA512
0cba331cc1a659d647ab43ef004b29b2fecfeae14f69167ee78eb7185a96d253ee08fdbf4aab9cdcb549e5c35d4c583eef73c1467dbf7ce3831e077a91ca60a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\q65Ok2h7dq6C.bat

Filesize
211B

MD5
6fbd698858a9b6b418d8474298386fe5

SHA1
3c7a4c763435f49fc41d76fe9eca738bb13eddbf

SHA256
460f3ce85ff6fd2362f7914e1322b612b571873303b3e2514ba0ef2c06831939

SHA512
5e5310320ba7984b1fb63aec0008decf85024ae4727eeb0295ffe636588d38ac60626c419b9ebd6a3689beb8ef5058edb29ad17eecf90700af084c27fe855c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\sDitS2cgj8cj.bat

Filesize
211B

MD5
11179fb4cc39ec46b805aa0a482a34b4

SHA1
3cc1463aff51411361fb51b4cd1851aff48bcf1d

SHA256
10c5dc4bee7036408257f74543ecdf91439dc4eecd6c2c6ed56f0c4fbd3bb782

SHA512
7a541603ed936cec19bc61e6439bde69d42f01a36559a71fb131ef2cf5e8e418e72e13216aa88eb909ae0916114a5a24bdb72d43d1bc8effda0f4dd135d603c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIVl3F9BQxDI.bat

Filesize
211B

MD5
105e8aa78c78f7e9044fbc579769bbbe

SHA1
b848aaf1b6bf26e31b9ce4c897125a561bd8bf93

SHA256
04b3735dfc759a5754d61580f5a01fa3e00a3c57f7bea3063bd83a158a9e1a66

SHA512
466a5a60b1d7b735030fa7cfe5cf64e3fa70789949c7a32a41f0899487ed737182071e7bce3d2b35e620108a4cbbdb35268e28f69d6da681c73ad3f88f3f17b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVPSbzYvjKAT.bat

Filesize
211B

MD5
bea5ba13a8e24a36350ae4f61d5569b1

SHA1
de78f6f1f5dcf1163df37a92daf6007220f85b01

SHA256
d96a64a929e0e70c726570592c5cfc0a097142ef5040dc71a24c591eb3f3196d

SHA512
426e79b59897450adc3d72470881fa4371c3c0e295891edd750b45b86dbe1a3383c4ed58c5573047d1971463b5fe9a483680c05c6fc11c765158b7299e2a15f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuTGdXNKipNv.bat

Filesize
211B

MD5
bdaffd763eb043bf632cc4f563360ac9

SHA1
0d28b3d35e1fee0174fc55815475c782ce839d29

SHA256
552d8d46a85689a572f38ca70d2879762c20fd6c1c870017fc6ecf8d97359ba6

SHA512
23c7db869e9663f56d0756a06f5562fb1e6ff26de52906169a692f337e1822cb1f9459e19d60326835f1bbd7d85f73c9c6c931ce7182f8ee32d8106e63ee4b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wX7gsLsAtsSy.bat

Filesize
211B

MD5
b8a4c9063b032e80c5c31b649cb106a2

SHA1
64ea6ccda71acc8be0bddbb6ff2926b89608ff4a

SHA256
a1cc06953db84d04fa6743fec3d2af90bf6b79df13fb90b6ea6bdd1075b1f2c6

SHA512
1a5e44c1f940433f0ca39afddd81b603adeb443b42f2961dce2ec555697278b96fcb4f3ab8b513b0965239e56111c2e4ae7835859a7f2acca4059063bd929ec1

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
03a550513f1738e1aa03d49593e4a24b

SHA1
dcd6541225b18a1a0e7e2478feeca7a9d9d771dc

SHA256
72d911d7eee8296f266fff40673d568da487afab385dc9ee948eba57ad9633eb

SHA512
e308f1b25ccdf88e7f0ac81c176c61371f548e30ad76087dc78d889da35276df3161bf84b98a4363810d722b48ccb6d99b8adb68b309988a975118502657fe18

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
1223f4cb348acbc8415d475037c91a74

SHA1
5d6b602e6b1ce603434c5e9afa755c3265a10a26

SHA256
07ab4c86e8246fd09e414f486423de73ae70486b9bcce323354aba01f2050ddc

SHA512
8bb5f6e9d6d9d974707f0e8a263cd562f5525cf4d6870b2fa93a2fe3fba9c3c0df5a08b17fbe1c9f8788e158ecee77bf264d2702a86aa3714905cd2640f7f760

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
be349256207d06c58865bd43d3c335af

SHA1
169067cdad6944d5c66a22f642ade822f3bce00c

SHA256
84b03b7f7a1978fb6931afbe9933e5f98270b588c0b597c7d0dfc46a52f320f1

SHA512
6eafca20832beebdcb90638cf3c38162cbac87bf2b71fcfe6009031a253a8931ad2160df55a717278c721b1f64626bce95c438047fce418937d465e446e3f8d0

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
737eeb9f5421be5cb6239bd6cf9ec792

SHA1
38ad0f915b01338dfdd284afeeabb2110678c74f

SHA256
a2239dae4c85633387750d2500e749a7a994f24d27bb9240850c2c5d01573a05

SHA512
90174cfab81df9278e6b085368fbde6685d8bbdade0ee3cd89a6d9bdb68747d12dc0e6ccb1bdb737b0184b03fc68c52bf7101e8156b9bd830e91265fe3f7cfde

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
2d79b9a314c9d20f58b391b359f687c1

SHA1
e3d814ac2ee5e3d1243f4698af791bd15447ba4f

SHA256
cdd8720a067b3aa24d31e95ecf66ac2c115fb6fb9746fde7f5bc5f8b906bc562

SHA512
9984bf983b031d654441cbf4fcc4fb9b3c6fbaff9ea0752e6f2b34a382f67abee06b66e91312531267a03bf4aa0de781c80a0c23c58b40aa797c5f11da096e6e

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
195c267ef20eafb46649182b1ef762eb

SHA1
c33cf8bb40c9c966b7cc9a9f4d24ba783deb8c83

SHA256
5d85e3fbd26255a295301ef0e39482cd958c80a998fce2f3319c8839893ddb71

SHA512
72d306dbd451ead2f2497c81c422c2278abcf6ec19f3344c84b3483a44445c5e463ee022c9c4ff72f26f9f4dc7c75e40b514ec813e6149a5d1d5eba173725def

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
e4208732091f5e2280065b4e229223c0

SHA1
5c079589b18794b288673c6f1cc6a0bb3566a638

SHA256
adb2f18f298234b1f35db29be5fb6e0cd292a9605c81625bca3cd54eb740d92a

SHA512
c6fd8e2637132363460b4d24cd849a40300bab4291db7ad2b6cb2bba3c7d2a1773401e857412b761073ac9e9631ca00e3e49e82a0a4fd2bf802d237ee91dbc56

Download Submit
\Users\Admin\AppData\Roaming\system\systemware.exe

Filesize
348KB

MD5
d219d94cabaa00e5abffc599bdeef75d

SHA1
123e511de20beab7bfa2bea5c2206422bc5e8241

SHA256
3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

SHA512
82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

Download Submit
memory/276-215-0x00000000011D0000-0x000000000122E000-memory.dmp

Filesize
376KB

Download
memory/744-155-0x0000000000A90000-0x0000000000AEE000-memory.dmp

Filesize
376KB

Download
memory/1324-195-0x0000000000170000-0x00000000001CE000-memory.dmp

Filesize
376KB

Download
memory/1516-205-0x0000000000F10000-0x0000000000F6E000-memory.dmp

Filesize
376KB

Download
memory/1520-85-0x0000000001110000-0x000000000116E000-memory.dmp

Filesize
376KB

Download
memory/1764-31-0x0000000000FA0000-0x0000000000FFE000-memory.dmp

Filesize
376KB

Download
memory/2032-121-0x00000000012D0000-0x000000000132E000-memory.dmp

Filesize
376KB

Download
memory/2200-49-0x00000000002E0000-0x000000000033E000-memory.dmp

Filesize
376KB

Download
memory/2316-29-0x00000000740A0000-0x000000007478E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-11-0x00000000740A0000-0x000000007478E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-10-0x00000000000C0000-0x000000000011E000-memory.dmp

Filesize
376KB

Download
memory/2316-12-0x00000000740A0000-0x000000007478E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-67-0x0000000001110000-0x000000000116E000-memory.dmp

Filesize
376KB

Download
memory/2416-139-0x00000000001C0000-0x000000000021E000-memory.dmp

Filesize
376KB

Download
memory/2516-13-0x00000000740A0000-0x000000007478E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-0-0x00000000740AE000-0x00000000740AF000-memory.dmp

Filesize
4KB

Download
memory/2516-2-0x00000000740A0000-0x000000007478E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-1-0x00000000011F0000-0x000000000124E000-memory.dmp

Filesize
376KB

Download
memory/2520-175-0x0000000000C50000-0x0000000000CAE000-memory.dmp

Filesize
376KB

Download
memory/2568-165-0x0000000000A90000-0x0000000000AEE000-memory.dmp

Filesize
376KB

Download
memory/2896-103-0x0000000001110000-0x000000000116E000-memory.dmp

Filesize
376KB

Download
memory/2956-185-0x0000000000CA0000-0x0000000000CFE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads