quasar | 3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
Size

348KB
MD5

d219d94cabaa00e5abffc599bdeef75d
SHA1

123e511de20beab7bfa2bea5c2206422bc5e8241
SHA256

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4
SHA512

82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734
SSDEEP

6144:0I6bPXhLApfpMMoDMWZVGZV+RzbLirAeMB2Wku:FmhApypOrAeMB2/u

Score

10^/10

quasar user discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes

encryption_key
Uz3u2uI4Ld2N91oq93Eb
install_name
systemware.exe
log_directory
logs
reconnect_delay
3000
startup_key
System Ware
subdirectory
system

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	71	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
	5	ip-api.com	Process not Found
	53	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/344-1-0x00000000000F0000-0x000000000014E000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023c4e-11.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	systemware.exe

Executes dropped EXE 14 IoCs

pid	Process
4672	systemware.exe
4108	systemware.exe
2896	systemware.exe
3628	systemware.exe
1592	systemware.exe
3988	systemware.exe
4768	systemware.exe
372	systemware.exe
3236	systemware.exe
2588	systemware.exe
540	systemware.exe
3272	systemware.exe
2196	systemware.exe
4756	systemware.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
53	ip-api.com
71	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4684	4672	WerFault.exe	85
4036	4108	WerFault.exe	97
1372	2896	WerFault.exe	110
2252	3628	WerFault.exe	120
4788	1592	WerFault.exe	130
2936	3988	WerFault.exe	139
4356	4768	WerFault.exe	148
5064	372	WerFault.exe	157
4168	3236	WerFault.exe	166
2768	2588	WerFault.exe	175
3060	540	WerFault.exe	184
4712	3272	WerFault.exe	193
4528	2196	WerFault.exe	202
3100	4756	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2668	PING.EXE
4380	PING.EXE
4040	PING.EXE
2684	PING.EXE
3064	PING.EXE
3700	PING.EXE
3904	PING.EXE
2364	PING.EXE
4072	PING.EXE
964	PING.EXE
3108	PING.EXE
4348	PING.EXE
3700	PING.EXE
3544	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
964	PING.EXE
4380	PING.EXE
3700	PING.EXE
3108	PING.EXE
4072	PING.EXE
4040	PING.EXE
3544	PING.EXE
3064	PING.EXE
3904	PING.EXE
2364	PING.EXE
4348	PING.EXE
2668	PING.EXE
2684	PING.EXE
3700	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2120	schtasks.exe
264	schtasks.exe
212	schtasks.exe
4876	schtasks.exe
5052	schtasks.exe
2372	schtasks.exe
3492	schtasks.exe
3560	schtasks.exe
4036	schtasks.exe
4964	schtasks.exe
4392	schtasks.exe
1092	schtasks.exe
1244	schtasks.exe
5084	schtasks.exe
980	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
Token: SeDebugPrivilege	4672	systemware.exe
Token: SeDebugPrivilege	4108	systemware.exe
Token: SeDebugPrivilege	2896	systemware.exe
Token: SeDebugPrivilege	3628	systemware.exe
Token: SeDebugPrivilege	1592	systemware.exe
Token: SeDebugPrivilege	3988	systemware.exe
Token: SeDebugPrivilege	4768	systemware.exe
Token: SeDebugPrivilege	372	systemware.exe
Token: SeDebugPrivilege	3236	systemware.exe
Token: SeDebugPrivilege	2588	systemware.exe
Token: SeDebugPrivilege	540	systemware.exe
Token: SeDebugPrivilege	3272	systemware.exe
Token: SeDebugPrivilege	2196	systemware.exe
Token: SeDebugPrivilege	4756	systemware.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4672	systemware.exe
4108	systemware.exe
2896	systemware.exe
3628	systemware.exe
1592	systemware.exe
3988	systemware.exe
4768	systemware.exe
372	systemware.exe
3236	systemware.exe
2588	systemware.exe
540	systemware.exe
3272	systemware.exe
2196	systemware.exe
4756	systemware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 1092	344	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	83
PID 344 wrote to memory of 1092	344	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	83
PID 344 wrote to memory of 1092	344	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	83
PID 344 wrote to memory of 4672	344	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	85
PID 344 wrote to memory of 4672	344	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	85
PID 344 wrote to memory of 4672	344	3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe	85
PID 4672 wrote to memory of 4876	4672	systemware.exe	86
PID 4672 wrote to memory of 4876	4672	systemware.exe	86
PID 4672 wrote to memory of 4876	4672	systemware.exe	86
PID 4672 wrote to memory of 4516	4672	systemware.exe	88
PID 4672 wrote to memory of 4516	4672	systemware.exe	88
PID 4672 wrote to memory of 4516	4672	systemware.exe	88
PID 4516 wrote to memory of 812	4516	cmd.exe	91
PID 4516 wrote to memory of 812	4516	cmd.exe	91
PID 4516 wrote to memory of 812	4516	cmd.exe	91
PID 4516 wrote to memory of 4348	4516	cmd.exe	93
PID 4516 wrote to memory of 4348	4516	cmd.exe	93
PID 4516 wrote to memory of 4348	4516	cmd.exe	93
PID 4516 wrote to memory of 4108	4516	cmd.exe	97
PID 4516 wrote to memory of 4108	4516	cmd.exe	97
PID 4516 wrote to memory of 4108	4516	cmd.exe	97
PID 4108 wrote to memory of 2120	4108	systemware.exe	99
PID 4108 wrote to memory of 2120	4108	systemware.exe	99
PID 4108 wrote to memory of 2120	4108	systemware.exe	99
PID 4108 wrote to memory of 3664	4108	systemware.exe	101
PID 4108 wrote to memory of 3664	4108	systemware.exe	101
PID 4108 wrote to memory of 3664	4108	systemware.exe	101
PID 3664 wrote to memory of 4540	3664	cmd.exe	104
PID 3664 wrote to memory of 4540	3664	cmd.exe	104
PID 3664 wrote to memory of 4540	3664	cmd.exe	104
PID 3664 wrote to memory of 4072	3664	cmd.exe	106
PID 3664 wrote to memory of 4072	3664	cmd.exe	106
PID 3664 wrote to memory of 4072	3664	cmd.exe	106
PID 3664 wrote to memory of 2896	3664	cmd.exe	110
PID 3664 wrote to memory of 2896	3664	cmd.exe	110
PID 3664 wrote to memory of 2896	3664	cmd.exe	110
PID 2896 wrote to memory of 264	2896	systemware.exe	111
PID 2896 wrote to memory of 264	2896	systemware.exe	111
PID 2896 wrote to memory of 264	2896	systemware.exe	111
PID 2896 wrote to memory of 5108	2896	systemware.exe	113
PID 2896 wrote to memory of 5108	2896	systemware.exe	113
PID 2896 wrote to memory of 5108	2896	systemware.exe	113
PID 5108 wrote to memory of 3388	5108	cmd.exe	117
PID 5108 wrote to memory of 3388	5108	cmd.exe	117
PID 5108 wrote to memory of 3388	5108	cmd.exe	117
PID 5108 wrote to memory of 4040	5108	cmd.exe	118
PID 5108 wrote to memory of 4040	5108	cmd.exe	118
PID 5108 wrote to memory of 4040	5108	cmd.exe	118
PID 5108 wrote to memory of 3628	5108	cmd.exe	120
PID 5108 wrote to memory of 3628	5108	cmd.exe	120
PID 5108 wrote to memory of 3628	5108	cmd.exe	120
PID 3628 wrote to memory of 980	3628	systemware.exe	122
PID 3628 wrote to memory of 980	3628	systemware.exe	122
PID 3628 wrote to memory of 980	3628	systemware.exe	122
PID 3628 wrote to memory of 3268	3628	systemware.exe	124
PID 3628 wrote to memory of 3268	3628	systemware.exe	124
PID 3628 wrote to memory of 3268	3628	systemware.exe	124
PID 3268 wrote to memory of 388	3268	cmd.exe	127
PID 3268 wrote to memory of 388	3268	cmd.exe	127
PID 3268 wrote to memory of 388	3268	cmd.exe	127
PID 3268 wrote to memory of 2668	3268	cmd.exe	129
PID 3268 wrote to memory of 2668	3268	cmd.exe	129
PID 3268 wrote to memory of 2668	3268	cmd.exe	129
PID 3268 wrote to memory of 1592	3268	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe
"C:\Users\Admin\AppData\Local\Temp\3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1092
- C:\Users\Admin\AppData\Roaming\system\systemware.exe
  "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r0au1IadLtRI.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4348
  - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
      "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wFhQUhCkIxIy.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072
      - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHrEOQh6YZ5S.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4040
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bsj6jJKdQp7J.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\32B0Dc3CYT8n.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iZJMfIKx0qV4.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G6KLopDFZTOd.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeGR3FfKYeSp.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hHw3BrRBwiCa.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p5xtJf171ebk.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKGfzKSuSulW.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmX9Fe0RbezW.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGvfnga68gUG.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3108
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rW2BH5CD5lLx.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 2192
        29⤵
        Program crash
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 2208
        27⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1928
        25⤵
        Program crash
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 2224
        23⤵
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1212
        21⤵
        Program crash
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 2192
        19⤵
        Program crash
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 2224
        17⤵
        Program crash
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 2224
        15⤵
        Program crash
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 2224
        13⤵
        Program crash
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2224
        11⤵
        Program crash
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2196
        9⤵
        Program crash
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 2180
        7⤵
        Program crash
        
        PID:1372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 2228
        5⤵
        Program crash
        
        PID:4036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 2216
    3⤵
    - Program crash
    PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4672 -ip 4672
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4108 -ip 4108
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2896 -ip 2896
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3628 -ip 3628
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1592 -ip 1592
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3988 -ip 3988
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4768 -ip 4768
1⤵
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 372 -ip 372
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3236 -ip 3236
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2588 -ip 2588
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 540 -ip 540
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3272 -ip 3272
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2196 -ip 2196
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4756 -ip 4756
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32B0Dc3CYT8n.bat

Filesize
211B

MD5
a4e729c56683fcf3daae28a227f29dd4

SHA1
84c4fb7963539a79eead7456ae0c8e9051835b21

SHA256
d8caddbe3f20eb0368878f26299586a634cf68b26ae7874474ec54fcf77e0c93

SHA512
62083fc3a3b2cac9e53d928a3830c7527b1e463653a0ec29bd5dbc5dd25778c8b61ed78ed5fcdf0f8079b037b29acaa284eb9b40baf939f011539c0d4853b502

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bsj6jJKdQp7J.bat

Filesize
211B

MD5
820f1ca8916e797be8ec6626c95cfb15

SHA1
b182ebb309377c592ffd3e9838fa16e6e67ab272

SHA256
7b9472177db874765694203df80265c1720f00a56e791c98d3faee5462952ccd

SHA512
878a202f659d9509a037127fe2aca0c645b0b32859b67f4f7618d2bd99e83fbe87a39a905028226cc50be4e9832cafc751fd6444902849c3cda22dc8c9da5b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G6KLopDFZTOd.bat

Filesize
211B

MD5
05a4eb9e8ee419ab607824aa30cf499a

SHA1
7b9d504fc14591f305e6bd751526f45193c8c08c

SHA256
917d9df87f5a1b7d38a9b94fe59ebefffdba9ad0a87b08b54fc293e1d5e2e889

SHA512
6a6c09b1f4dc721752dc2c0aea5b7a27e0ae1829c9ffd51c461d695a88d5b7aef75a099eea4a4623c6a658319989ab001c9c97902a56a7857fc03c07770ba4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmX9Fe0RbezW.bat

Filesize
211B

MD5
0ae0fa77a99d16a7e042e3d2b4096a35

SHA1
679ecf0992e53df0175555fe1518b8be65ec4548

SHA256
1730e6be8439a64f597d2a86f26aa3f0b6ff739662023112deb5a1d9698ce608

SHA512
6647a2741edcd17b175b41e4c29a9f140596ff78a71b50f46af276be84d46cac69e9b939da613552cc16a62829693efd11a4046b366ca531d08629fb7cecbc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\VHrEOQh6YZ5S.bat

Filesize
211B

MD5
b1dd648ad5bfe98325ab5e1e4611b3f1

SHA1
d0a369465355986834671086fa7dee14605e6eb5

SHA256
eb164e5cb583b09b9fab464bfe7a3102b5d3a16fb6910fd2003eac63c2346ff5

SHA512
5681da0dec823ec7e7129d382f234603aa09cdb386ca794b33a9716cc4d80e033f09015b8d99fe10da06e11d6ffd2e36f756198cb4960593281ee0b2622eaa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\hHw3BrRBwiCa.bat

Filesize
211B

MD5
0f954de877627e4eb88eb013141014f2

SHA1
8f135f84754e91e00889f08469fbb368dfa424a2

SHA256
1e73b0497d5223c5becb51765d7c8df29b1f1b468115cc17476de886620ccf47

SHA512
03a5776f9e020b997b023a6f65e6fd18c29534d769a131429ca01de8f1dee09238a94821496e640c4600759799d22570a2cb4fb446b44e03dd48d9333f3813cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZJMfIKx0qV4.bat

Filesize
211B

MD5
fb09e9b1a7e03875a9aa1d370b107b78

SHA1
5b71fc55eb89f97bce989f1293937e453bf3c743

SHA256
c951ccd5a74e874caff0b134b5fa85da20f396748c9ff207109817d777dd40fb

SHA512
0b15f8fb3a23e5d092bbec3f66dd26faa5a26c2e9dca80aef7b39d23655bfddb7a5f081b746ebae589c5f7ab371b1059ee11513c23c5039b1e425729b8f0eac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGvfnga68gUG.bat

Filesize
211B

MD5
a0cb32048c0251088ed2c107c4de9933

SHA1
b13d3a37e08759d46dbb21b0b211e228d905ac1a

SHA256
ab732d8e4b6b7e5bab12addd828b78f626a57eca54f0b02181fcc7fe108edc33

SHA512
d85b9353d8bd534a4520e5ba4a9a602751b5259e5e393ff070d53b9ab734dfd5caab874492c37c3568d3e4c534ac2f861381781ae2e639d737d84c4260145533

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5xtJf171ebk.bat

Filesize
211B

MD5
3797d11a2ead91f241236378efbbf258

SHA1
82b87cad6db0bf41835e525fed45a3857140e60e

SHA256
cc8798e08cb0ef7bb14ce891d7b79f7a3c3cd205d436914dd12c4aaa476db4c0

SHA512
633d34a70b57ac170cbe5f05bcfb44b3f856f7964f544d9116d47efd82aefe4c76dcc988ca6b842548dab93aaa4caa9f066772cffb00bb67816e3c885fe6cc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKGfzKSuSulW.bat

Filesize
211B

MD5
f57fd52901ae3ded09625cb5607cf17f

SHA1
83a4da0e334f0580e163a52a625a7f8a63df2210

SHA256
032b0eb8773b66831871b9c90a255d60b23554cab790db477bfe8f30d750d8c2

SHA512
5e61aed83cb433fc4f1ae62fa5eb71f044bca120ad686c974d691f84910779d0a6a3b15355f4cd9bcd4541c036d7f4fbf4cc752c3346eadbbf4016568178e110

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0au1IadLtRI.bat

Filesize
211B

MD5
695ba8f9302a31ee8aac48559a270eb2

SHA1
ad48618e3da1aadafc07f90605e4fc16fdfe962f

SHA256
70b6c4b94297ad28b4a084534c2956dd2f6010b6879a59b84f47c9d4d7392522

SHA512
3bc70537ac5c1dd73be908549cc23a4909a38ce2c8d120b7b425cbee3ec30cc94bacaebd9deffba97071ed4763022c6b77fc64ae5397c4d020956fe981918689

Download Submit
C:\Users\Admin\AppData\Local\Temp\rW2BH5CD5lLx.bat

Filesize
211B

MD5
9452e273917648a4a443c71717fafe6d

SHA1
fb9c54c3f3fd5c64311073b8b11879eb71787922

SHA256
5d98c747f0853d6b34e20f76f5649eca0da1024e27dd3e7104a27e24f040a843

SHA512
023bc135fee7b043bddd0422032dba39dc2e1df66df53de110678a41894ea1756120d4131054d54bb629531f8053618e6136f7cba422072e8e4d2209a2b6fe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\wFhQUhCkIxIy.bat

Filesize
211B

MD5
af1282f23f9183d84ecb268c7b522384

SHA1
c308c2433da68e61e5baf53e7d3b7198cd352eee

SHA256
61dbd3d8f2691ae2fc8ec521f31f560cc5fd2680cc64c4f6f41eaf366e1681e4

SHA512
d27c07547e090e2e1df0f71f2e4e303577f501386733b08af083bc3ab55fd9bb0915fe45e4dddac68b6c73d3c8a4e870b6f7a119140c317ed4e5535e26a369ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeGR3FfKYeSp.bat

Filesize
211B

MD5
a3997f740813c7f7eefc49030e688458

SHA1
0b590c6e8aa3c3927a4895c10cd7f0aec0fcd21a

SHA256
03dd5ef09bc7a29a89e528eefd6aea9b0daf52c221263ab4a4dc638b554f8a0d

SHA512
ba0839903fe1504f7d163f43fd4775a1fe26415e8d93582579054c60a8fa280744baf23a84a56388271151df3e4ce8682890f9a7103cff6db3e15fc11b9026d6

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
2164aebd4ed748884a086db91ab668c4

SHA1
870ba84e99f5c00f1d9d98dbebf32e1cc00b9b75

SHA256
5a26993dcc95e669628aae803ddb5887c229316c1f38447ed49cdab8dd0ce1eb

SHA512
0b438cc13d78fa7ee4e4cb468bcec98aae179c9ec8620347d888db07e67325fdecc126c190c39bf382a59aa4d2f75a81582442fe8262c929504c2c34e2ddc78c

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
f6c73294bdc8421ace9a39965aa7cc88

SHA1
0fbd0fdc89516f336a6e2ffbaed97a10b4eda361

SHA256
f48f6224cd53089819d0c0b45b7d0ab0c11bd0978bc0c546b01b84ad3ab157b9

SHA512
bee0f548ca19cdaed023a2b7de00fe78689aedc7fc9d0ed074ab23818bcba8cae4764fc71604d2a8333c43cbf0b5cd682f816ad88eb98afdcbcd17ab45d04ba9

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
ee69e1110dc7134a04bcabe92931127a

SHA1
172e24a48d9233a52642ddd7674a68953c7bc6f7

SHA256
7b0ff448d67c41d4a1b45b0bd00c7a3b44f6471361f2e3db3cd5ace97eb5658e

SHA512
ed94fe1a592af3e6f658b8bf66ea49aa73080a36f85868a54dd3a1957e875ce8cb83e8de7119768cb4421ff40dc796784a72f7506b32099ab65b2a065f64f5f3

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
9e341717bc41459ed2c493429a7e8ee7

SHA1
d02ff6e9e1dd7d51c453a53acdb98af04542eea4

SHA256
852a63f081ecfb8a44b3c2495c080f30f958d97ec2bbb0110ee15b9b7a294309

SHA512
806c0d26741d30b44023845381b857a71405ae70b1a5fc659ff885b629546d92cea87a9fa05fe59ec93a3423b0b39d1d1999729cf0136731cdfacb71273be0dd

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
f508e23863b7a2d6d0f48fc849ffccb1

SHA1
5011f63c0bbbe5b4289cd09c21421f5608e3d72c

SHA256
08b0bc35c9412fa9e9ab709f7fdfc738f425f47b7de9d0db8dd680c08d902320

SHA512
d6e772e67752b45b980cad00b3c73648a5a9d8675e759ee6a9ef9c54ef62e3c1a4252e77eb167a91956a7b829eb32584086f496c0ca4f46d99bd9a517d641fcc

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
f3263c871a5143e12363e34e57b65819

SHA1
bd2f69f173f9173c82c4850f9d13ce2c1ab95735

SHA256
cefe3833ebe2cc101c1ce3d2bbbaa4639eca3519e8be4750db52cf18e89ae8bc

SHA512
b51b8fa6556eba63e0c2e349fec4dc595baada06240a143149d38a5f416d0bae45fc2e090ec109f912ade49a3d541a3709269e29efd6bc5bc9ab00b9af882b38

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
c3fc0ed58150bf8a9e9b9239a748d671

SHA1
95160a441edb5ad8d7b764c533c9609adca23500

SHA256
4ea44516ff27f8cd7286a5da7426672178dc1a0daceb6968a042134ed5c57041

SHA512
23394ba60360997de58f753233048919a920d36c1fe5e40e98823a2fb4a116d38efc2118d5cd97f51e7227191d66b7871e294e09904a8e3f47084d23de6361e1

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
6611884856c636f846163f14434170ac

SHA1
ff801361e018bacb66ab4e724e267d5dfdf6dff4

SHA256
290e53726b7ba0f7fdc0a170eca83a4aeed53263ddb232b62a1afc9ae7e94224

SHA512
b4b77c0d4bf9ed39e9643189289265e5035916dd45cdd84efa6381244e5f9ea61de0d2e7085872e7805eabd9fca777de14bff27f2ee3ab38f6427eb3242fc1f7

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
f1f849934274122b818c2aa12cec6e46

SHA1
019596ca6e683d8297ea0e09a0987d696568a35a

SHA256
7fceb3280552f351ce1e06ca5198d4d687e7a037e55e205e795dab46255c729e

SHA512
ad4559c22d48e2205bb622bf21494cb8a4ae403f51d40374f0655f5eca09623d01dba3d6fb65902a4d7fd591da939b755399d4d0aea86e3bcc290047dc313f86

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
c70fc8f39aff910858fcbb15cef7441b

SHA1
81030dcd63f8f0d43209e2394476cdf242879b03

SHA256
453c95cd98939d21475f1c9161d7c8a4f20368c6a3ba8f397885105152a35c9b

SHA512
d2de62f20595a69bad5b060ce91c76071f5c2a1516abaf6fa1f005d21d5fc5c60762b84de9cebd4b925cb651288b1c9153148364169fd00f76b7ccd9105b9ca2

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
926be0a63ed864b7746353f5d47fd3a9

SHA1
b3311b004a71d605d6fe59d42112960e41a5c449

SHA256
2f5df9b0cbab6a6f69a379d75fd9e415bcac5f2b5965ea5bc547a64f4f1c18f5

SHA512
d77c996513198f2614e3c6b99269204530db37a182b9605fecc0d95ba165ebeb01804ffbcf06823ce1613a43f5de040d5ea77bacdd9cc2570c72c230616d58b6

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-03-2025

Filesize
224B

MD5
8af668086b1ae47d371b5a3898c1b92b

SHA1
a3a956551b9f5fecead2ff0a90295ec77132949c

SHA256
5bc3743ca28491a826c3f2e2fb81aee5f8ed4b7d324b49166adc591d64687029

SHA512
17afef14e8e50991b1e0f569ddffe24f84eb801a8dd4cfa5d5e6e2cce5ad45cd5063cda66bb4449aed7cf12eb1c16a08c5a877aadefa30a0e12e271ae380aaef

Download Submit
C:\Users\Admin\AppData\Roaming\system\systemware.exe

Filesize
348KB

MD5
d219d94cabaa00e5abffc599bdeef75d

SHA1
123e511de20beab7bfa2bea5c2206422bc5e8241

SHA256
3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

SHA512
82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

Download Submit
memory/344-15-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/344-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/344-7-0x0000000005DB0000-0x0000000005DEC000-memory.dmp

Filesize
240KB

Download
memory/344-6-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/344-5-0x0000000004C00000-0x0000000004C66000-memory.dmp

Filesize
408KB

Download
memory/344-4-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/344-3-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/344-2-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/344-1-0x00000000000F0000-0x000000000014E000-memory.dmp

Filesize
376KB

Download
memory/4672-23-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4672-14-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4672-16-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4672-18-0x0000000006790000-0x000000000679A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads