quasar | 3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
Size

348KB
MD5

d219d94cabaa00e5abffc599bdeef75d
SHA1

123e511de20beab7bfa2bea5c2206422bc5e8241
SHA256

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4
SHA512

82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734
SSDEEP

6144:0I6bPXhLApfpMMoDMWZVGZV+RzbLirAeMB2Wku:FmhApypOrAeMB2/u

Score

10^/10

quasar user discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes

encryption_key
Uz3u2uI4Ld2N91oq93Eb
install_name
systemware.exe
log_directory
logs
reconnect_delay
3000
startup_key
System Ware
subdirectory
system

Signatures

Quasar RAT 5 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	12	ip-api.com	Process not Found
	19	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
	2	ip-api.com	Process not Found
	9	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 16 IoCs

resource	yara_rule
behavioral1/memory/1932-1-0x0000000001330000-0x000000000138E000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016dc8-5.dat	family_quasar
behavioral1/memory/2784-10-0x0000000000F50000-0x0000000000FAE000-memory.dmp	family_quasar
behavioral1/memory/2016-31-0x0000000000F50000-0x0000000000FAE000-memory.dmp	family_quasar
behavioral1/memory/1388-49-0x0000000000F50000-0x0000000000FAE000-memory.dmp	family_quasar
behavioral1/memory/1796-84-0x0000000000FD0000-0x000000000102E000-memory.dmp	family_quasar
behavioral1/memory/2724-102-0x00000000011F0000-0x000000000124E000-memory.dmp	family_quasar
behavioral1/memory/1948-120-0x0000000000060000-0x00000000000BE000-memory.dmp	family_quasar
behavioral1/memory/2220-138-0x0000000000A50000-0x0000000000AAE000-memory.dmp	family_quasar
behavioral1/memory/2268-154-0x0000000000220000-0x000000000027E000-memory.dmp	family_quasar
behavioral1/memory/2664-164-0x00000000009C0000-0x0000000000A1E000-memory.dmp	family_quasar
behavioral1/memory/2676-174-0x0000000000060000-0x00000000000BE000-memory.dmp	family_quasar
behavioral1/memory/1220-184-0x0000000000380000-0x00000000003DE000-memory.dmp	family_quasar
behavioral1/memory/1516-194-0x00000000010B0000-0x000000000110E000-memory.dmp	family_quasar
behavioral1/memory/2392-204-0x00000000010B0000-0x000000000110E000-memory.dmp	family_quasar
behavioral1/memory/3012-214-0x00000000012F0000-0x000000000134E000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2784	systemware.exe
2016	systemware.exe
1388	systemware.exe
896	systemware.exe
1796	systemware.exe
2724	systemware.exe
1948	systemware.exe
2220	systemware.exe
2268	systemware.exe
2664	systemware.exe
2676	systemware.exe
1220	systemware.exe
1516	systemware.exe
2392	systemware.exe
3012	systemware.exe

Loads dropped DLL 64 IoCs

pid	Process
1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
768	WerFault.exe
768	WerFault.exe
768	WerFault.exe
768	WerFault.exe
768	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
1280	WerFault.exe
1280	WerFault.exe
1280	WerFault.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
9	ip-api.com
12	ip-api.com
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2568	2784	WerFault.exe	34
768	2016	WerFault.exe	42
1964	1388	WerFault.exe	50
2004	896	WerFault.exe	58
2080	1796	WerFault.exe	66
2716	2724	WerFault.exe	74
1856	1948	WerFault.exe	82
2180	2220	WerFault.exe	90
2396	2268	WerFault.exe	99
1560	2664	WerFault.exe	107
2276	2676	WerFault.exe	115
2956	1220	WerFault.exe	123
1280	1516	WerFault.exe	131
2140	2392	WerFault.exe	139
1584	3012	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1044	PING.EXE
2236	PING.EXE
1424	PING.EXE
3000	PING.EXE
2616	PING.EXE
1040	PING.EXE
2280	PING.EXE
2976	PING.EXE
2680	PING.EXE
1744	PING.EXE
2708	PING.EXE
1648	PING.EXE
2172	PING.EXE
2644	PING.EXE
608	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1040	PING.EXE
608	PING.EXE
2680	PING.EXE
3000	PING.EXE
2616	PING.EXE
2644	PING.EXE
2172	PING.EXE
1648	PING.EXE
1424	PING.EXE
1044	PING.EXE
2976	PING.EXE
2708	PING.EXE
2280	PING.EXE
2236	PING.EXE
1744	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe
2624	schtasks.exe
1732	schtasks.exe
540	schtasks.exe
1328	schtasks.exe
1620	schtasks.exe
2876	schtasks.exe
1164	schtasks.exe
2376	schtasks.exe
328	schtasks.exe
2080	schtasks.exe
2176	schtasks.exe
1560	schtasks.exe
2892	schtasks.exe
2560	schtasks.exe
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
Token: SeDebugPrivilege	2784	systemware.exe
Token: SeDebugPrivilege	2016	systemware.exe
Token: SeDebugPrivilege	1388	systemware.exe
Token: SeDebugPrivilege	896	systemware.exe
Token: SeDebugPrivilege	1796	systemware.exe
Token: SeDebugPrivilege	2724	systemware.exe
Token: SeDebugPrivilege	1948	systemware.exe
Token: SeDebugPrivilege	2220	systemware.exe
Token: SeDebugPrivilege	2268	systemware.exe
Token: SeDebugPrivilege	2664	systemware.exe
Token: SeDebugPrivilege	2676	systemware.exe
Token: SeDebugPrivilege	1220	systemware.exe
Token: SeDebugPrivilege	1516	systemware.exe
Token: SeDebugPrivilege	2392	systemware.exe
Token: SeDebugPrivilege	3012	systemware.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2784	systemware.exe
2016	systemware.exe
1388	systemware.exe
896	systemware.exe
1796	systemware.exe
2724	systemware.exe
1948	systemware.exe
2220	systemware.exe
2268	systemware.exe
2664	systemware.exe
2676	systemware.exe
1220	systemware.exe
1516	systemware.exe
2392	systemware.exe
3012	systemware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2080	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	32
PID 1932 wrote to memory of 2080	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	32
PID 1932 wrote to memory of 2080	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	32
PID 1932 wrote to memory of 2080	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	32
PID 1932 wrote to memory of 2784	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	34
PID 1932 wrote to memory of 2784	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	34
PID 1932 wrote to memory of 2784	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	34
PID 1932 wrote to memory of 2784	1932	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	34
PID 2784 wrote to memory of 2592	2784	systemware.exe	35
PID 2784 wrote to memory of 2592	2784	systemware.exe	35
PID 2784 wrote to memory of 2592	2784	systemware.exe	35
PID 2784 wrote to memory of 2592	2784	systemware.exe	35
PID 2784 wrote to memory of 2612	2784	systemware.exe	37
PID 2784 wrote to memory of 2612	2784	systemware.exe	37
PID 2784 wrote to memory of 2612	2784	systemware.exe	37
PID 2784 wrote to memory of 2612	2784	systemware.exe	37
PID 2784 wrote to memory of 2568	2784	systemware.exe	39
PID 2784 wrote to memory of 2568	2784	systemware.exe	39
PID 2784 wrote to memory of 2568	2784	systemware.exe	39
PID 2784 wrote to memory of 2568	2784	systemware.exe	39
PID 2612 wrote to memory of 2588	2612	cmd.exe	40
PID 2612 wrote to memory of 2588	2612	cmd.exe	40
PID 2612 wrote to memory of 2588	2612	cmd.exe	40
PID 2612 wrote to memory of 2588	2612	cmd.exe	40
PID 2612 wrote to memory of 2976	2612	cmd.exe	41
PID 2612 wrote to memory of 2976	2612	cmd.exe	41
PID 2612 wrote to memory of 2976	2612	cmd.exe	41
PID 2612 wrote to memory of 2976	2612	cmd.exe	41
PID 2612 wrote to memory of 2016	2612	cmd.exe	42
PID 2612 wrote to memory of 2016	2612	cmd.exe	42
PID 2612 wrote to memory of 2016	2612	cmd.exe	42
PID 2612 wrote to memory of 2016	2612	cmd.exe	42
PID 2016 wrote to memory of 1164	2016	systemware.exe	43
PID 2016 wrote to memory of 1164	2016	systemware.exe	43
PID 2016 wrote to memory of 1164	2016	systemware.exe	43
PID 2016 wrote to memory of 1164	2016	systemware.exe	43
PID 2016 wrote to memory of 1204	2016	systemware.exe	45
PID 2016 wrote to memory of 1204	2016	systemware.exe	45
PID 2016 wrote to memory of 1204	2016	systemware.exe	45
PID 2016 wrote to memory of 1204	2016	systemware.exe	45
PID 2016 wrote to memory of 768	2016	systemware.exe	47
PID 2016 wrote to memory of 768	2016	systemware.exe	47
PID 2016 wrote to memory of 768	2016	systemware.exe	47
PID 2016 wrote to memory of 768	2016	systemware.exe	47
PID 1204 wrote to memory of 1652	1204	cmd.exe	48
PID 1204 wrote to memory of 1652	1204	cmd.exe	48
PID 1204 wrote to memory of 1652	1204	cmd.exe	48
PID 1204 wrote to memory of 1652	1204	cmd.exe	48
PID 1204 wrote to memory of 1424	1204	cmd.exe	49
PID 1204 wrote to memory of 1424	1204	cmd.exe	49
PID 1204 wrote to memory of 1424	1204	cmd.exe	49
PID 1204 wrote to memory of 1424	1204	cmd.exe	49
PID 1204 wrote to memory of 1388	1204	cmd.exe	50
PID 1204 wrote to memory of 1388	1204	cmd.exe	50
PID 1204 wrote to memory of 1388	1204	cmd.exe	50
PID 1204 wrote to memory of 1388	1204	cmd.exe	50
PID 1388 wrote to memory of 2176	1388	systemware.exe	51
PID 1388 wrote to memory of 2176	1388	systemware.exe	51
PID 1388 wrote to memory of 2176	1388	systemware.exe	51
PID 1388 wrote to memory of 2176	1388	systemware.exe	51
PID 1388 wrote to memory of 2744	1388	systemware.exe	53
PID 1388 wrote to memory of 2744	1388	systemware.exe	53
PID 1388 wrote to memory of 2744	1388	systemware.exe	53
PID 1388 wrote to memory of 2744	1388	systemware.exe	53

C:\Users\Admin\AppData\Local\Temp\3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
"C:\Users\Admin\AppData\Local\Temp\3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2080
- C:\Users\Admin\AppData\Roaming\system\systemware.exe
  "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YBLmYYTl8u0p.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2976
  - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
      "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOesGdHt5cMZ.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1424
      - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TtqTcrNCdulB.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\baC1l0PwNqW7.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pe5fZMcPYnB7.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zqa2UhHEyhqx.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\s9SOrkaRr7ZA.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NXyMErnCZy7a.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bkHTvxbKWhUJ.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:556
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Un45QbngJMrY.bat" "
        21⤵
        
        PID:380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IJs8MJDdtFey.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGz8rsWQqTB0.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tImjMWild8ZF.bat" "
        27⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1R2he1xyl2Ta.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YndtvgyHZn4K.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1436
        31⤵
        Program crash
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1448
        29⤵
        Program crash
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1424
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:1280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1448
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1420
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1436
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1440
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1424
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1428
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1444
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1432
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1424
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1436
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1420
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1460
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1R2he1xyl2Ta.bat

Filesize
211B

MD5
28c63e2a681861756247599e3d3578d4

SHA1
0cc4d4bebed3fc8a49a428bf1cd302f563ac6403

SHA256
b2952915ba556bfd6783b201a9581b74b6c24978de2e4f9c3a7b4c613622d84d

SHA512
4ae03b105675d82e531857bf6c9dde9b19a52a1ab7c2e76052ab16dc66d428cb20272988ec940549e81ce1c38e4ecbeae058ed7ba57c5f5d0890ba2a3d833522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJs8MJDdtFey.bat

Filesize
211B

MD5
b12123695b36932c6f6e4c7ff21f1454

SHA1
214403ecc2aa290d6725b39b408e07170f5b9807

SHA256
3027cbfbd1a627abcd726341144610e73eaa70c7a35e7f5565a19d7f428ee5e2

SHA512
37cad550dd485ece70e14dd9794cf6aa1ebcf2c2bd779bbce1a7aaae366420f012d4be33a949e0be6c8e6438b9605122323e7f96743c6a66147c910533d5552e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXyMErnCZy7a.bat

Filesize
211B

MD5
67030659cdf111391119a1aeae024486

SHA1
8c4359aba27b57eee005cb9f46a7c18371c4746c

SHA256
181acabaee0bb1ef99fa1569ff53d31eeee88d4fa7f920ce9fe31110d63b1ca9

SHA512
5081d079eb57cf1562f5bf7da7a9303e6ddb5df3325866c28c96dd8b839155d7d58ed8e9195c56b7dc8e9a2195fbcc54b012d2b0514525c8f200835fa2da56e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pe5fZMcPYnB7.bat

Filesize
211B

MD5
b057d6e1145d189bd28edef17f8e54b4

SHA1
246e40a877ac5d040bf77f396f2a372729357ab0

SHA256
90f2fefe8331ba57c6938fff171f0a3165ce7729d2e0e52a574923f62c1dbed8

SHA512
9b68830b3a3980c1ab4d758effea8e418255a4ebe0cf561ec5ada281777d1c0fcbd0d4176cfb7d5b2a1dc351a98937897a91b48a82d582765c66df8046252ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtqTcrNCdulB.bat

Filesize
211B

MD5
fd4dd235c99e0178867e930630f0762b

SHA1
a734937b112aa7af724b36cbb24b24873c6f1a2c

SHA256
cbe7c5d29f6c39803c6c9b48fca5b6bfb7beea2e6e244c9dc039d2bb4796e9f4

SHA512
3af93b929b4aaf83a3d2dd8d8e79113e3a99d9b75ab7f04ac643460809f08e873b889c6f70050e5a98a80d1f9d45694d9d864e6c2493a4a39399459c6159fbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Un45QbngJMrY.bat

Filesize
211B

MD5
5d047c3b5d00b7b7b9d998ce48f9792d

SHA1
f7df2e63e999683f511348087152feb6fcf1bd98

SHA256
cf94a6b9adda77e795d8104d6aed9c96a83b0d5d786d0393374ec3f66e6e0df3

SHA512
28880282506b6300e850aac1344ae593e33c9f20465211fdb84128acadff4c1fe7d6c31c0514026410cc5734ec80de1929d68ed3d285fdb13d51f1a125792f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBLmYYTl8u0p.bat

Filesize
211B

MD5
07631fc81b080c55f334ff8771425aae

SHA1
9a78fe9b4a44fd204a9a85de0a6c5668ec7c0e1d

SHA256
b9370d6d4e5686e62c6e4341d82ea1a208367ca9537563f74760230b20df23cb

SHA512
b14485ebf2fdb45c290e3a7f20a61db4ebeaed0c8077b67da358b6b02fe365997f70db15e255709eae1195e2fde8543fcbdbf5bb27f236f059916658ba502867

Download Submit
C:\Users\Admin\AppData\Local\Temp\YndtvgyHZn4K.bat

Filesize
211B

MD5
7c7bf5f4bfc30e240ae708096a10f497

SHA1
a368fa3e736847e062804611a98fcba82cd5dd86

SHA256
acddbd95c665506007fa1d36b69a2c5468f96cea949777185a777b11154541b6

SHA512
c2510fdf0aafb38527c7a5531792e8578c3fa3696269574c2525e82dfe1a02c043ab3f6b065f2da644a8fa935b00e0ccbb9ced90f537ee5b3562f0431ff90768

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqa2UhHEyhqx.bat

Filesize
211B

MD5
e4b57797050a48281e6ef14327d89da4

SHA1
b7246b261eb09c26f394bd8ad727ce30a5ed4ff1

SHA256
b595a6b7d061956c3ebdb1cda09a2f59690b14f4d36d622c5379faaf436b2597

SHA512
3bb58712e6316eb73498f49a3295141522f5267eed492bd9a3f293f7e9519935ff454ed233606be868a4a43f0079241962b6359b5b3679635ee09b44670c51f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\baC1l0PwNqW7.bat

Filesize
211B

MD5
29f7befeef0fcf238edaffc10a907dc5

SHA1
46f5f95b268c1997995d584de406a554b5898bdc

SHA256
2cf992d9cdef26445248a6e96595aa92e91305fa54f9c1a26fd62d7feb8f6fe7

SHA512
202139434019bc96305230812a715ceb2aefd4fdd9367e6fe994a8902ef9513bbc0be41edec84ebb16d99438111ff44e50a045d74615ee6855fa28377e29162e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkHTvxbKWhUJ.bat

Filesize
211B

MD5
5bbf5528d5a8187f211b33b672deab30

SHA1
021f7688985663eefe2237f0ec06631a979591f9

SHA256
b12f47942b3cf272b98991f0db9daad082f32777459d00494ce1ec0ea19ef7ad

SHA512
2d0678be4e5a83e5f0198eb1d3747adf9c59dd59ff021f49c69cf64e6a42ce49446b7aca5b9afff1ab09c690f6feaa2ad1dbd888f3eb02425b52b537a8666456

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOesGdHt5cMZ.bat

Filesize
211B

MD5
3e62851eb4191f5dd9a4b7b317c0ab0c

SHA1
de97ecf7637c2d190e1f6850afa3d56e053bc278

SHA256
a1827ded3469bc2fc768b695821d96848280f5c96c21efe8466f2d14e8c23935

SHA512
650cb790af7c71552da109c0e451cac6f37aacd5efcfca5891d440302b3e97a0f0fc08b121cb3e6b6150579e926e2df307f4c6b568cbe0f5075825cf2be911de

Download Submit
C:\Users\Admin\AppData\Local\Temp\s9SOrkaRr7ZA.bat

Filesize
211B

MD5
2cc059ed82d82245f5c3b75f8ed3aea3

SHA1
89a910e221f26b19d358822afc5d8fa275e15f7a

SHA256
b59d7f9c69d09cb22189440245e2d1beb1df4c4bfb9cc87296817af520f468ab

SHA512
5f9bbcb891b0745b073a657e36123b9886162739e25c586dc912f233d6fd80421447749f6c618ba79778c50bf193a05f7962cb6665215de9a4fba694ea09d8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tImjMWild8ZF.bat

Filesize
211B

MD5
c4385762a3f0246efb196e7ad47fc4c7

SHA1
fd9d3dbcce8801f9a82bbdc063c567478cb3c07e

SHA256
f624c2bf9e57adf8e71bcadbbbd270ab38510ed7655a7c9a0b244c8056232a33

SHA512
3f2200ba382bdb78af058d32887dcffd32a2da830d62cc7ad3eb8c99fe86ec1f45d91784b47c617190af8312e5fa38a981cbb8c1b135563e34addc9644f5a657

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGz8rsWQqTB0.bat

Filesize
211B

MD5
1c56793b88367dfa95c9dcc227873887

SHA1
9f4dfe373c1883e99ebbcd0a340b9ee9bf7fd81f

SHA256
b27fa118bfcdfa8e9e82bf3749749aaa9ded919b5ab76b1e4279c5e4d535a39c

SHA512
417c05cc27f67ecaa4eb1f639224343b1c218ce37015e9c856ae813fcd53a5a8bca1e0af8e0b41df135e8542ce98be0d9e7bbd966c42fcb91b3ab5fe759584b4

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
d8a5575913571e38c1c57f1cbe055567

SHA1
e0f040177a66031548efc00add5899150934aa8c

SHA256
b0bdc098c8a40608b313c9ec548549d1f14c67bb4535fd5d101f3f39009973ea

SHA512
2d057016bbf3945c9cceca8595939074dca3e1b2d814e649f085d2cf8855461cc69ab80753982ced3b56b74b877c607b39cd621b2fbd3f709c4141ecef28a319

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
7b89818f999e235a3bd5bac0e9d9fe64

SHA1
cb854c8098f463834bf9fc0ce8a2b823eb09b614

SHA256
8115d12c884d60ce8b2dddf31c87c54e4f2565ff5b20ac308116f159f77ef68e

SHA512
8980786b168f00b83838fb9d7a3c747d6ba694c931dbd9edc22344e225235f2d4d91856b53e958f046dfe26627c0bad344dd39aa68c5c20d2e937b1e69c6e842

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
2e88b12adf9e9b2d91e8fce476822f94

SHA1
acb479cc645ff6572f0b7152118ee4078cd2005c

SHA256
c1dddcae6483682c278c62a5c06e640d0fd2413c063ca9472efbe70c1346dc77

SHA512
785cd1137dca66addcf0866dd4caddb22067ba946524d353b22fbfa19f0d9066a379fdb28858eeb751eefb51a02523840bc3be4d31b761c35dd6669d069baabb

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
b60c580cdbfa7f1f78379f7511039917

SHA1
1ca80f4678af53f83916e1513083d1c0246d55d9

SHA256
378410c8e6e59f15f7f97b3076d754ca03158c6f8cc23cc98accb9aa84f33cc9

SHA512
631205cd9d3de81cb152d8c7a8c73770e939722cf17d7519da0fdeecfb60a8f16e485f29d21bddb6c24615f008ad11b727e5f6e41f1389d134d7878910a85364

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
bbdef160ab439614b2b6d2d09ec6bf16

SHA1
574ab6494ace1288fd7526ee234d0458522fef02

SHA256
91d31e28dcccb7149c83228c2c0e8df0117304b9edf948421716b739c1539f7d

SHA512
841bc7f66724ff20ec3c7a8640613e9f7e510db46ef860e93fafa27613696752b787276989d194497941c73bb5adf852c2c5f9cad14b56d83ae9d86712c545f3

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
f853bf2a6db644999a8d8ed7ea96f249

SHA1
8adaad51e0d4aef81574af054f4e239b02f587a9

SHA256
f7cb993ea58046f0aeae55d26eea9639a78298ff151c0f84021b46a3cabc1d2c

SHA512
9268cc37d7d236cd33d09283a8bcb2c3e1de92c13f22441d931b782fae28f058ce9b03ea62afed03c9520374a6a458a5b0215138a5893dd4dadc700293216f28

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
71fc0142828982019590295034790834

SHA1
a8267972f9544a8129bcacbb021369bbb2e3621a

SHA256
ae9f4b5ea1148c21eea1358ccbc6ed608c749de1fff2e62bdb95d99e59f3af78

SHA512
d5bebcd4f370a76c84f9e4f37b21d9041848ec8a14d00c60741af99462fb2a43ec0fb4c7fa27ced227dd15305de9e2cb776d8412ff2ce5da15d212316df450e9

Download Submit
\Users\Admin\AppData\Roaming\system\systemware.exe

Filesize
348KB

MD5
d219d94cabaa00e5abffc599bdeef75d

SHA1
123e511de20beab7bfa2bea5c2206422bc5e8241

SHA256
3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

SHA512
82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

Download Submit
memory/1220-184-0x0000000000380000-0x00000000003DE000-memory.dmp

Filesize
376KB

Download
memory/1388-49-0x0000000000F50000-0x0000000000FAE000-memory.dmp

Filesize
376KB

Download
memory/1516-194-0x00000000010B0000-0x000000000110E000-memory.dmp

Filesize
376KB

Download
memory/1796-84-0x0000000000FD0000-0x000000000102E000-memory.dmp

Filesize
376KB

Download
memory/1932-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/1932-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-1-0x0000000001330000-0x000000000138E000-memory.dmp

Filesize
376KB

Download
memory/1932-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-120-0x0000000000060000-0x00000000000BE000-memory.dmp

Filesize
376KB

Download
memory/2016-31-0x0000000000F50000-0x0000000000FAE000-memory.dmp

Filesize
376KB

Download
memory/2220-138-0x0000000000A50000-0x0000000000AAE000-memory.dmp

Filesize
376KB

Download
memory/2268-154-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/2392-204-0x00000000010B0000-0x000000000110E000-memory.dmp

Filesize
376KB

Download
memory/2664-164-0x00000000009C0000-0x0000000000A1E000-memory.dmp

Filesize
376KB

Download
memory/2676-174-0x0000000000060000-0x00000000000BE000-memory.dmp

Filesize
376KB

Download
memory/2724-102-0x00000000011F0000-0x000000000124E000-memory.dmp

Filesize
376KB

Download
memory/2784-11-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-12-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-10-0x0000000000F50000-0x0000000000FAE000-memory.dmp

Filesize
376KB

Download
memory/2784-29-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-214-0x00000000012F0000-0x000000000134E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads