quasar | 3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

intro.avi.exe
Size

348KB
MD5

d219d94cabaa00e5abffc599bdeef75d
SHA1

123e511de20beab7bfa2bea5c2206422bc5e8241
SHA256

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4
SHA512

82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734
SSDEEP

6144:0I6bPXhLApfpMMoDMWZVGZV+RzbLirAeMB2Wku:FmhApypOrAeMB2/u

Score

10^/10

quasar user discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes

encryption_key
Uz3u2uI4Ld2N91oq93Eb
install_name
systemware.exe
log_directory
logs
reconnect_delay
3000
startup_key
System Ware
subdirectory
system

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	52	ip-api.com	Process not Found
	69	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
	5	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5056-1-0x0000000000B00000-0x0000000000B5E000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cb2-11.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	systemware.exe

Executes dropped EXE 14 IoCs

pid	Process
3136	systemware.exe
1280	systemware.exe
2016	systemware.exe
5060	systemware.exe
3840	systemware.exe
2544	systemware.exe
4556	systemware.exe
2380	systemware.exe
2028	systemware.exe
1036	systemware.exe
3128	systemware.exe
3544	systemware.exe
5020	systemware.exe
1276	systemware.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
52	ip-api.com
69	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3452	3136	WerFault.exe	86
836	1280	WerFault.exe	108
860	2016	WerFault.exe	119
3804	5060	WerFault.exe	133
836	3840	WerFault.exe	144
1276	2544	WerFault.exe	155
1808	4556	WerFault.exe	167
4536	2380	WerFault.exe	178
3828	2028	WerFault.exe	189
3356	1036	WerFault.exe	200
2868	3128	WerFault.exe	211
1032	3544	WerFault.exe	222
3656	5020	WerFault.exe	233
3052	1276	WerFault.exe	244

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2676	PING.EXE
1524	PING.EXE
2156	PING.EXE
1932	PING.EXE
2520	PING.EXE
4712	PING.EXE
1456	PING.EXE
4152	PING.EXE
2624	PING.EXE
2204	PING.EXE
2076	PING.EXE
4704	PING.EXE
3484	PING.EXE
1888	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4704	PING.EXE
1524	PING.EXE
3484	PING.EXE
2076	PING.EXE
4712	PING.EXE
4152	PING.EXE
2624	PING.EXE
2204	PING.EXE
1456	PING.EXE
2676	PING.EXE
1932	PING.EXE
2520	PING.EXE
1888	PING.EXE
2156	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4708	schtasks.exe
5020	schtasks.exe
3708	schtasks.exe
3584	schtasks.exe
3712	schtasks.exe
4808	schtasks.exe
5024	schtasks.exe
3620	schtasks.exe
5096	schtasks.exe
1952	schtasks.exe
3420	schtasks.exe
828	schtasks.exe
2564	schtasks.exe
1148	schtasks.exe
5000	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	intro.avi.exe
Token: SeDebugPrivilege	3136	systemware.exe
Token: SeDebugPrivilege	1280	systemware.exe
Token: SeDebugPrivilege	2016	systemware.exe
Token: SeDebugPrivilege	5060	systemware.exe
Token: SeDebugPrivilege	3840	systemware.exe
Token: SeDebugPrivilege	2544	systemware.exe
Token: SeDebugPrivilege	4556	systemware.exe
Token: SeDebugPrivilege	2380	systemware.exe
Token: SeDebugPrivilege	2028	systemware.exe
Token: SeDebugPrivilege	1036	systemware.exe
Token: SeDebugPrivilege	3128	systemware.exe
Token: SeDebugPrivilege	3544	systemware.exe
Token: SeDebugPrivilege	5020	systemware.exe
Token: SeDebugPrivilege	1276	systemware.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3136	systemware.exe
1280	systemware.exe
2016	systemware.exe
5060	systemware.exe
3840	systemware.exe
2544	systemware.exe
4556	systemware.exe
2380	systemware.exe
2028	systemware.exe
1036	systemware.exe
3128	systemware.exe
3544	systemware.exe
5020	systemware.exe
1276	systemware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1148	5056	intro.avi.exe	84
PID 5056 wrote to memory of 1148	5056	intro.avi.exe	84
PID 5056 wrote to memory of 1148	5056	intro.avi.exe	84
PID 5056 wrote to memory of 3136	5056	intro.avi.exe	86
PID 5056 wrote to memory of 3136	5056	intro.avi.exe	86
PID 5056 wrote to memory of 3136	5056	intro.avi.exe	86
PID 3136 wrote to memory of 3712	3136	systemware.exe	87
PID 3136 wrote to memory of 3712	3136	systemware.exe	87
PID 3136 wrote to memory of 3712	3136	systemware.exe	87
PID 3136 wrote to memory of 524	3136	systemware.exe	90
PID 3136 wrote to memory of 524	3136	systemware.exe	90
PID 3136 wrote to memory of 524	3136	systemware.exe	90
PID 524 wrote to memory of 4020	524	cmd.exe	94
PID 524 wrote to memory of 4020	524	cmd.exe	94
PID 524 wrote to memory of 4020	524	cmd.exe	94
PID 524 wrote to memory of 4152	524	cmd.exe	95
PID 524 wrote to memory of 4152	524	cmd.exe	95
PID 524 wrote to memory of 4152	524	cmd.exe	95
PID 524 wrote to memory of 1280	524	cmd.exe	108
PID 524 wrote to memory of 1280	524	cmd.exe	108
PID 524 wrote to memory of 1280	524	cmd.exe	108
PID 1280 wrote to memory of 1952	1280	systemware.exe	110
PID 1280 wrote to memory of 1952	1280	systemware.exe	110
PID 1280 wrote to memory of 1952	1280	systemware.exe	110
PID 1280 wrote to memory of 3708	1280	systemware.exe	112
PID 1280 wrote to memory of 3708	1280	systemware.exe	112
PID 1280 wrote to memory of 3708	1280	systemware.exe	112
PID 3708 wrote to memory of 4144	3708	cmd.exe	115
PID 3708 wrote to memory of 4144	3708	cmd.exe	115
PID 3708 wrote to memory of 4144	3708	cmd.exe	115
PID 3708 wrote to memory of 2676	3708	cmd.exe	117
PID 3708 wrote to memory of 2676	3708	cmd.exe	117
PID 3708 wrote to memory of 2676	3708	cmd.exe	117
PID 3708 wrote to memory of 2016	3708	cmd.exe	119
PID 3708 wrote to memory of 2016	3708	cmd.exe	119
PID 3708 wrote to memory of 2016	3708	cmd.exe	119
PID 2016 wrote to memory of 5000	2016	systemware.exe	121
PID 2016 wrote to memory of 5000	2016	systemware.exe	121
PID 2016 wrote to memory of 5000	2016	systemware.exe	121
PID 2016 wrote to memory of 4456	2016	systemware.exe	123
PID 2016 wrote to memory of 4456	2016	systemware.exe	123
PID 2016 wrote to memory of 4456	2016	systemware.exe	123
PID 4456 wrote to memory of 1276	4456	cmd.exe	127
PID 4456 wrote to memory of 1276	4456	cmd.exe	127
PID 4456 wrote to memory of 1276	4456	cmd.exe	127
PID 4456 wrote to memory of 4704	4456	cmd.exe	128
PID 4456 wrote to memory of 4704	4456	cmd.exe	128
PID 4456 wrote to memory of 4704	4456	cmd.exe	128
PID 4456 wrote to memory of 5060	4456	cmd.exe	133
PID 4456 wrote to memory of 5060	4456	cmd.exe	133
PID 4456 wrote to memory of 5060	4456	cmd.exe	133
PID 5060 wrote to memory of 4808	5060	systemware.exe	135
PID 5060 wrote to memory of 4808	5060	systemware.exe	135
PID 5060 wrote to memory of 4808	5060	systemware.exe	135
PID 5060 wrote to memory of 3620	5060	systemware.exe	137
PID 5060 wrote to memory of 3620	5060	systemware.exe	137
PID 5060 wrote to memory of 3620	5060	systemware.exe	137
PID 3620 wrote to memory of 2228	3620	cmd.exe	140
PID 3620 wrote to memory of 2228	3620	cmd.exe	140
PID 3620 wrote to memory of 2228	3620	cmd.exe	140
PID 3620 wrote to memory of 2624	3620	cmd.exe	142
PID 3620 wrote to memory of 2624	3620	cmd.exe	142
PID 3620 wrote to memory of 2624	3620	cmd.exe	142
PID 3620 wrote to memory of 3840	3620	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\intro.avi.exe
"C:\Users\Admin\AppData\Local\Temp\intro.avi.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\intro.avi.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1148
- C:\Users\Admin\AppData\Roaming\system\systemware.exe
  "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6T2HNu2APb6J.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4020
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4152
  - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
      "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dz3HVRwSyFzs.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2676
      - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3scgJcNpUKxT.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4704
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JDPom6sUHpeM.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y428UPl4NNSK.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uvnoVq27Nej1.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k8BT5bw7ONiB.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M6PVtsG2ktXy.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m3iRaG2BgrA9.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VbeXpgTGe2FL.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSIqXyMqka2J.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CtkazYl3NWZO.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sVcSLRNaGmbF.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFmQFtDI05s7.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 2200
        29⤵
        Program crash
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2192
        27⤵
        Program crash
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 2184
        25⤵
        Program crash
        
        PID:1032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1676
        23⤵
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 2228
        21⤵
        Program crash
        
        PID:3356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 2196
        19⤵
        Program crash
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 2228
        17⤵
        Program crash
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 2228
        15⤵
        Program crash
        
        PID:1808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 2228
        13⤵
        Program crash
        
        PID:1276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 2200
        11⤵
        Program crash
        
        PID:836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 2228
        9⤵
        Program crash
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2196
        7⤵
        Program crash
        
        PID:860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 2192
        5⤵
        Program crash
        
        PID:836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 2136
    3⤵
    - Program crash
    PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1280 -ip 1280
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2016 -ip 2016
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5060 -ip 5060
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3840 -ip 3840
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2544 -ip 2544
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4556 -ip 4556
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2380 -ip 2380
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2028 -ip 2028
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1036 -ip 1036
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3128 -ip 3128
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3544 -ip 3544
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5020 -ip 5020
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1276 -ip 1276
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3scgJcNpUKxT.bat

Filesize
211B

MD5
d72163717ed51fc73c64562a4a418ef6

SHA1
b1d72bb9945ec910a821c702a0b8f5bc20bdf92b

SHA256
cf2067f784bdaf53e4d5cfb3ed7a25fe88adc66c591b5fcb53a245a919794d5d

SHA512
9d7fd41b32af8b9f6f7a64c74257cc9498669ba22bdb2cb2004814f4dda49eaa72e6433acd982a175623b58976f30c03938bf7e809c5a0912c958316a734ae6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6T2HNu2APb6J.bat

Filesize
211B

MD5
dc8afb157b0df7af9c959fc75d693c53

SHA1
455343c9e8eb6ee7c69fbb8a88a88ac2f51832c8

SHA256
6ce7f6b0797f65f7298beb96a71e48dca5955722e72ffbf827ff6990472edc52

SHA512
8851eb57682ad4d6f462d6b64793fc75b086b794e473ca95d8c361c8da76cb967d46da1588b79e2b40eae1e5495bc9fa344abd887b74719b67a7f252e69d703d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CtkazYl3NWZO.bat

Filesize
211B

MD5
6c8ca36a7f009c733ef26f0dd9762c73

SHA1
8953a0ab021770c6c62e4dd5f414e3fc0a52b972

SHA256
a28f669ce0fbc85c263f65df5e100e35d2b6e5aa22d6ed7ec1d1e8c22614dbe7

SHA512
724ec94ca35ad28edd9a849c1cbdbe91123d927b02dab44e326f77fb5e8fe94289e3f454d716f90221649d0bb0d36cc57b118c581d33ef6474b97cbe0cc3eb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDPom6sUHpeM.bat

Filesize
211B

MD5
d07cc3bb14d1279b7a7231ade356cfda

SHA1
8b71981727dd812294a304dbc46e44de655b1d22

SHA256
5549b121db1c3119cce21851dd4a1e4f1bae5b7027656d5c414ac78e93dd1629

SHA512
528b8becf17ae1b8cc352da5570e64fb12a1673c9286908486e98af3a747ade6e7222cb3f9fa19167cf16f51564ca79c0925255d229a4e2605880a4b68ef173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\M6PVtsG2ktXy.bat

Filesize
211B

MD5
e6e21cc52182bdd398c844cc9466762d

SHA1
f402b3589eb8373ff331f8324b9c814465927ebd

SHA256
046790adf569a8a6bad2aaab4da3cd43d9b095c83ba8d61064c1b532a5993e57

SHA512
163e47330893848b2d9ab2c51ca5fe2180bcfb711e1dfb0935c82df3e36bdb4282e73010be2518b3eaf26636315e3570235b3d1d2ffdbfd670056600144562b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbeXpgTGe2FL.bat

Filesize
211B

MD5
883ec990571cb823dbb74948b045de95

SHA1
7fb329d8f2366022e0efd4a38da92c2ecefe842a

SHA256
ce9783ea68aa108496e84d1c85ee4f2ef0796c1ff3dd226fdc98d1f9aff1eb2f

SHA512
dd039c1e46886387757af477f33366daf60876c444d7c256bf085982cd5fc6d68835075a76ce630103673149eba37cc50d78845adcdd7e55cb3ae75dea0e1fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y428UPl4NNSK.bat

Filesize
211B

MD5
d1388e5cbe51febe0a860f43a34bb2f5

SHA1
c319e14cdaeeafb8f4c9d21d908cf59833604714

SHA256
8a49760a5271f6a2619121f6aaa3a4bbb1ae3581c60a7aeeffa22049a27335b2

SHA512
c60469e24253ef6ce2b01a8817a60b750cf6273c25ba8345a4f7be2b971845119e43137b99e0e607435c5f52aeb2ef84b1fb405c43ce7671bcc6034435ec1063

Download Submit
C:\Users\Admin\AppData\Local\Temp\dz3HVRwSyFzs.bat

Filesize
211B

MD5
325874a5977d4b26b37b293af5977499

SHA1
126cbb875ec7e9fa59d189dbb652f3cc877dba3a

SHA256
a2ee2cc7d6180f4b6d2e32c7c9d7a03a9d735c35219c4e28cf52023e6641b880

SHA512
07c5c7313d802d82bc52a7163c99a7655d917dd34d8bdbd71aa9b9ab6fb698e37f77eadfd5164e4bf815283fd3d221f79767233d399f7364f4652f2af53345a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSIqXyMqka2J.bat

Filesize
211B

MD5
ac760ae3213c34634bea9857a50a2853

SHA1
42dc7fb24c939857a655864cbb05112917783642

SHA256
7938ca22b3a18a6e8bec7acd74ac40f8483ccd2e26f702a6703bb2a1025f174d

SHA512
ee7ae32919bf4d8823cfdc045a8ef5278c24762f0bcb6f918508a7571b12afc243cf9ebf11ffa70dc31199698a6503e4dabe4c2aeedfbba6f5d11413cc03278d

Download Submit
C:\Users\Admin\AppData\Local\Temp\k8BT5bw7ONiB.bat

Filesize
211B

MD5
5b6f5fba73a11c7085469304de41cc54

SHA1
c7f0fb6e51898205ca443ddaffcd55b0270e53f8

SHA256
9e9fc88d07b8a8c82177754927e4d24bfe127d45769e78ec4eac020de07f817a

SHA512
0b3390b349e2a12ca113f33ae11e7ef26b060b0fb9aca7f34ed865e68fb76eca147019c1c16ea5c6c4c08ba831bbe502a25e4de47b311d66fc83682db1e62ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3iRaG2BgrA9.bat

Filesize
211B

MD5
86df31095ab30591e10075fd7632495c

SHA1
4715debca8051e7e6344f2bc4ee3b10384d71051

SHA256
9bbbcc90090c78cd2f1ad188d6af50622c391053bb8e0b331b35fa49d9cd968d

SHA512
0c9d72027ff8c04927f32a8958f4541500febcc3a7658ce9ee8b6ab99cc2e275789c55959d66254aa3aaca2bb24ca4140ec9c00550100aed4e279fc1ec68ab6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rFmQFtDI05s7.bat

Filesize
211B

MD5
f4ff8161862a3b133b5c140214ff462a

SHA1
4b994c95440d8dc87e64f82337d94c788a1d9c93

SHA256
09012b6e34d19c0b68b1d3a130538073dba02172eb25225badc5e07bfbfa04e1

SHA512
cb97f0f639405d034d9ba50d0db859bd6e8bbaac2e6de6a8c22fcd4535648786ab03fe2b1299f01578bcf10b1df3683e4297ac9b188cb9180c78cd11e5f6be1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVcSLRNaGmbF.bat

Filesize
211B

MD5
f9f8ac5b71c05ff0e931df0231b237b7

SHA1
da82577fd9fbdd84d8a0c8b7aa139252896b8b90

SHA256
8e0b0b470e515522c5b44de44118938b40e0effebe1e9e11d1f3cf95d3cf06fd

SHA512
1fee988c280c58b82b9f0d0e1162980cafc39841977559b33f3e238d628413fc2b7f7ba29cd7d783587a5134b505ac713299b30f6f1881bdb1216901fac51125

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvnoVq27Nej1.bat

Filesize
211B

MD5
953e900ede49ba97077f535b103c775c

SHA1
883967404797755e75b457669fb63e5deb519df1

SHA256
bd735192389bc32e6bcdc757e6fb7ce3f917a75f666eeab14e02b12005de0246

SHA512
0c2dbf93e054f7c65c610ae8868ea4212d7682294c232f4562080ece4a138dccec6569a8569b40ab48cf7cabd1ad35792cbfecd4c6873582668396c5c7ca716e

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
1dfb60457f3cf590886439ae9ee979de

SHA1
570e26e73f0a37dd159cc5a69c3ea6cc419df029

SHA256
d360fed53814505f4f964b35c72b9e5e108652ab05da26bf8313a24a824a2304

SHA512
52fb23ccd837a5a6f94b34456fbf33350595244ba73d88ad88ac13421a9bf00dce45f78cbef511148cd8b308f1d812f44b45c08bec849ac1eff88a0c14da382c

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
a0769dcbdd0bbf4762b92a769ea92c11

SHA1
8e5881f4e345c2d9d0940a4d034b04ca37b95754

SHA256
73bf54ee017fc3339df4b42d8c5dd8f12ba4ce623a95a3d1dd0f762a7887a171

SHA512
9f095a0a1de5ede47d9f66bd7f8359141ae7ba7744ce9e91642bda0e192e5c290375ed142b5f4decd6f8ffd459ea94d23aa4d8786c8a674f8109700e967c01d8

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
6ece9d280916ce3bb8b9e980f724d15b

SHA1
64e944d86edf6351910e2ce08a75c9ae470b9532

SHA256
cfbcfd95d459d6c963b77a4066e2fc6d30e28ebc78464a2eb4bc238b32aef812

SHA512
0f505929cf45d273955464bdb8a190aa16706566a2d866fbf90b94b52f31295034311b0f9013a3ce82bb919aa41e8e8962dce35305a2380ec3e40f48a0d32e78

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
fcd889d3e6d65df543172865453b9059

SHA1
f2eed4345a58838c5c320bc22addeeca1ffd5f2b

SHA256
5523060a256a339bda45410f16e4830299459aaf9938860817ab278ee736305a

SHA512
1e8b5c056ec1b011cdc20c5b62b8b21bafa5e500238750f8010f7c3d6f64cf279b18660bc2f96b85dc9e87860686f54595a90134093e8df0400c3ff9001d0b25

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
90ed592479f6385f993b3211953f13a0

SHA1
153c4062b31187b944f075f767a3bd1c6cc9bfe7

SHA256
189b6e03243976498cdcec30ff4482d4398a5dabb5cdc477a3569335e82ceb63

SHA512
9d1d401956615f0162172153366fe304ce47e658ee9079c469f4ab15d222e11b7b634e3b1e86e9a626f528d8eef8b93d8d8a49e194a99e0b9e7defef0dbac9e1

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
507e52be39a5687fdd84368b75916faf

SHA1
7e2173dcd196c9f7399c1abd79ff0cc87b536264

SHA256
7ee6c52b2a7374d72eed4ce6610e89feb220ab7c0d9d818c20733bb6786f92f1

SHA512
96a2f9248926fca802bb149b04cafecb532f84b663c90f38f6f2300420bb28833978c41b2bf6d4abfd20af0b5d625143b6412f1b8e96a839fe6a52604b832f6e

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
d3335772f0c49b52c84221f636ae12b8

SHA1
dc9110287a86b871f2aaa5f025d5ae7a92dcce04

SHA256
9fbf3106e9e8e38f184d46521f0a5cbcfb71ee9ea1e5368b000e7271ac2e634f

SHA512
e7970f661f12e17d03fc4feeb0a6e498e4b6b25bbb281b554754ec194a56bd759edc5b7c70294786bd97325dc8c7403c57b21e84bfdf172fa8a242fb87dc6fb9

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
c1e847d31ce4369bb18acb667ef0895d

SHA1
042ea709932741d3a3def3978b101aeb00456d6a

SHA256
1783943e72046e08b0478759cbbd182ec78991fda03d0c7ffde09fc6710bf60b

SHA512
2a23ec293ad1bc6483910614b54888d2fb18eb27e44aefcbd8f597f5cbaffe2e7be1ed4f2498668f7f19594f4a9fc8718718a68a1a7b5f612feb8586c7d33ab8

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
05fa59f17bdda486f7e8d247654c53b6

SHA1
8f9a5059b1f4bff812e1d11f2060ff9532ea18e2

SHA256
029af75f31e5042ff6848ffd718875688bda7d893270392224d66a35469c9913

SHA512
d40a8e1c41bf498e290f242708cc595fddd0d111a6a20443746b973bc33ff01638cbe7a79851502465709b2c39dc7854940a3d3d1c83b6100727f055856216cc

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
6464449c16c62d78e230dff1d7364967

SHA1
d8d1374293750c2cddf7ce0031e019c26d9e7258

SHA256
e51f6127c3ea8a76b10c19e54e4b1e41f472033375df14e7409f83944f39f210

SHA512
69a44ab9287c1f4011dc8f56225caf1d2c39378189790b9cc7ed64d94aad1b791012cf8765eb5eb1c0706d12bdd924b9130644c289797c7a7b54d8c2eef2c2ff

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
234874ea8df5de0d431397033f668fa9

SHA1
cbf193a6b9a9a4e392bf069452891dd2819f035d

SHA256
5aa393a60308a9f522c34736b4c3db318f4ed7ca5f5153244b241a856553e5fb

SHA512
2c9cd0aee242ab0cac227acbd45c02a57873e7e978c8eee545d60f538001b7a3675deebac978fddca75e2d267a41db88fe19ba840e50727a4de20fed9599a505

Download Submit
C:\Users\Admin\AppData\Roaming\system\systemware.exe

Filesize
348KB

MD5
d219d94cabaa00e5abffc599bdeef75d

SHA1
123e511de20beab7bfa2bea5c2206422bc5e8241

SHA256
3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

SHA512
82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

Download Submit
memory/3136-18-0x0000000006A00000-0x0000000006A0A000-memory.dmp

Filesize
40KB

Download
memory/3136-16-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/3136-23-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/3136-14-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/5056-7-0x00000000067C0000-0x00000000067FC000-memory.dmp

Filesize
240KB

Download
memory/5056-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

Filesize
4KB

Download
memory/5056-6-0x0000000005BD0000-0x0000000005BE2000-memory.dmp

Filesize
72KB

Download
memory/5056-15-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/5056-5-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/5056-4-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/5056-3-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/5056-2-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/5056-1-0x0000000000B00000-0x0000000000B5E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads