Windows Analysis Report systemms.exe

AI detected suspicious sample

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674697555.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 3612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: systemms.exe

Joe Sandbox ML: detected

C2 URLs / IPs found in malware configuration

Source: systemms.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: systemms.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor

URLs: 192.168.18.54

Yara detected Generic Downloader

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

Source: systemms.exe, 00000000.00000002.1698107509.0000000003571000.00000004.00000800.00020000.00000000.sdmp, systemms.exe, 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Systemms\systemms.exe

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674697555.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 3612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

System Summary

Source: systemms.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: systemms.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: systemms.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB1AAAD	3_2_00007FFD9BB1AAAD
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB19AC4	3_2_00007FFD9BB19AC4
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB16243	3_2_00007FFD9BB16243
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB16187	3_2_00007FFD9BB16187
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB18D41	3_2_00007FFD9BB18D41
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB154B6	3_2_00007FFD9BB154B6
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB111FA	3_2_00007FFD9BB111FA
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB10DD1	3_2_00007FFD9BB10DD1
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB110F2	3_2_00007FFD9BB110F2

Sample file is different than original file name gathered from version info

Source: systemms.exe, 00000000.00000000.1675052364.0000000001210000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystemmso4 vs systemms.exe
Source: systemms.exe	Binary or memory string: OriginalFilenameSystemmso4 vs systemms.exe
Source: systemms.exe.0.dr	Binary or memory string: OriginalFilenameSystemmso4 vs systemms.exe

Source: systemms.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: systemms.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: systemms.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: systemms.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/2@0/1

Source: C:\Users\user\Desktop\systemms.exe

File created: C:\Users\user\AppData\Roaming\Systemms

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\00b3e629-d348-4f5c-a497-f354aac050f8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03

Source: systemms.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: systemms.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\systemms.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: systemms.exe

ReversingLabs: Detection: 68%

Source: systemms.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\systemms.exe

File read: C:\Users\user\Desktop\systemms.exe

Uses code obfuscation techniques (call, push, ret)

Source: unknown	Process created: C:\Users\user\Desktop\systemms.exe "C:\Users\user\Desktop\systemms.exe"
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe "C:\Users\user\AppData\Roaming\Systemms\systemms.exe"
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe C:\Users\user\AppData\Roaming\Systemms\systemms.exe
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe "C:\Users\user\AppData\Roaming\Systemms\systemms.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: msasn1.dll	Jump to behavior

Source: systemms.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: systemms.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: systemms.exe

Static file information: File size 3333120 > 1048576

Source: systemms.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: systemms.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9B8AD9F2 push eax; iretd	3_2_00007FFD9B8ADA11
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9B8A752B push ebx; iretd	3_2_00007FFD9B8A756A
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB154B6 push ecx; retf	3_2_00007FFD9BB159DC
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB12F90 push eax; ret	3_2_00007FFD9BB12FFC
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB15948 push ecx; retf	3_2_00007FFD9BB159DC

Drops PE files

Source: C:\Users\user\Desktop\systemms.exe

File created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\systemms.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\systemms.exe	File opened: C:\Users\user\Desktop\systemms.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	File opened: C:\Users\user\AppData\Roaming\Systemms\systemms.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	File opened: C:\Users\user\AppData\Roaming\Systemms\systemms.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\systemms.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Memory allocated: 1B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: 1A8F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: 1AD10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Window / User API: threadDelayed 2743			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Window / User API: threadDelayed 7092			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\systemms.exe TID: 6456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 6856	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 6932	Thread sleep count: 2743 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 6932	Thread sleep count: 7092 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 5820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: systemms.exe, 00000003.00000002.4144827859.000000001B450000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\systemms.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe "C:\Users\user\AppData\Roaming\Systemms\systemms.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\systemms.exe	Queries volume information: C:\Users\user\Desktop\systemms.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Users\user\AppData\Roaming\Systemms\systemms.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Users\user\AppData\Roaming\Systemms\systemms.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674697555.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 3612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

Remote Access Functionality

Antivirus / Scanner detection for submitted sample

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674697555.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 3612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.18.54

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
192.168.18.54	true		unknown

AV Detection

Source: systemms.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: systemms.exe

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: systemms.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674697555.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 3612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: systemms.exe

Joe Sandbox ML: detected

C2 URLs / IPs found in malware configuration

Source: systemms.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: systemms.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor

URLs: 192.168.18.54

Yara detected Generic Downloader

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

Source: systemms.exe, 00000000.00000002.1698107509.0000000003571000.00000004.00000800.00020000.00000000.sdmp, systemms.exe, 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: systemms.exe, systemms.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Systemms\systemms.exe

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674697555.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 3612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

System Summary

Source: systemms.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: systemms.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: systemms.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB1AAAD	3_2_00007FFD9BB1AAAD
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB19AC4	3_2_00007FFD9BB19AC4
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB16243	3_2_00007FFD9BB16243
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB16187	3_2_00007FFD9BB16187
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB18D41	3_2_00007FFD9BB18D41
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB154B6	3_2_00007FFD9BB154B6
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB111FA	3_2_00007FFD9BB111FA
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB10DD1	3_2_00007FFD9BB10DD1
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB110F2	3_2_00007FFD9BB110F2

Sample file is different than original file name gathered from version info

Source: systemms.exe, 00000000.00000000.1675052364.0000000001210000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystemmso4 vs systemms.exe
Source: systemms.exe	Binary or memory string: OriginalFilenameSystemmso4 vs systemms.exe
Source: systemms.exe.0.dr	Binary or memory string: OriginalFilenameSystemmso4 vs systemms.exe

Source: systemms.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: systemms.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: systemms.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: systemms.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/2@0/1

Source: C:\Users\user\Desktop\systemms.exe

File created: C:\Users\user\AppData\Roaming\Systemms

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\00b3e629-d348-4f5c-a497-f354aac050f8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03

Source: systemms.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: systemms.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\systemms.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: systemms.exe

ReversingLabs: Detection: 68%

Source: systemms.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\systemms.exe

File read: C:\Users\user\Desktop\systemms.exe

Uses code obfuscation techniques (call, push, ret)

Source: unknown	Process created: C:\Users\user\Desktop\systemms.exe "C:\Users\user\Desktop\systemms.exe"
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe "C:\Users\user\AppData\Roaming\Systemms\systemms.exe"
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe C:\Users\user\AppData\Roaming\Systemms\systemms.exe
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe "C:\Users\user\AppData\Roaming\Systemms\systemms.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Section loaded: msasn1.dll	Jump to behavior

Source: systemms.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: systemms.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: systemms.exe

Static file information: File size 3333120 > 1048576

Source: systemms.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: systemms.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9B8AD9F2 push eax; iretd	3_2_00007FFD9B8ADA11
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9B8A752B push ebx; iretd	3_2_00007FFD9B8A756A
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB154B6 push ecx; retf	3_2_00007FFD9BB159DC
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB12F90 push eax; ret	3_2_00007FFD9BB12FFC
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Code function: 3_2_00007FFD9BB15948 push ecx; retf	3_2_00007FFD9BB159DC

Drops PE files

Source: C:\Users\user\Desktop\systemms.exe

File created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\systemms.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\systemms.exe	File opened: C:\Users\user\Desktop\systemms.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	File opened: C:\Users\user\AppData\Roaming\Systemms\systemms.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	File opened: C:\Users\user\AppData\Roaming\Systemms\systemms.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\systemms.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Memory allocated: 1B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: 1A8F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Memory allocated: 1AD10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Window / User API: threadDelayed 2743			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Window / User API: threadDelayed 7092			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\systemms.exe TID: 6456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 6856	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 6932	Thread sleep count: 2743 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 6932	Thread sleep count: 7092 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe TID: 5820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: systemms.exe, 00000003.00000002.4144827859.000000001B450000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\systemms.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\systemms.exe	Process created: C:\Users\user\AppData\Roaming\Systemms\systemms.exe "C:\Users\user\AppData\Roaming\Systemms\systemms.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\systemms.exe	Queries volume information: C:\Users\user\Desktop\systemms.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Users\user\AppData\Roaming\Systemms\systemms.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe	Queries volume information: C:\Users\user\AppData\Roaming\Systemms\systemms.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\systemms.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: systemms.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systemms.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4137316139.0000000002929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674697555.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systemms.exe PID: 3612, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Systemms\systemms.exe, type: DROPPED

Remote Access Functionality