quasar | 4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe
Size

866KB
MD5

5c59b700c7a1b43a2b8abfe9be0114d6
SHA1

38466b8599e1776fd34bc89462dd9d7842165698
SHA256

4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95
SHA512

9284e40b93b9906c956dccd32cb5f00acef958ff889386dad95da53104bce926160aee8511058c9732d7d86728e8d4a23d96fcb0da7b781c25f85df5a7a1eced
SSDEEP

12288:tRZ+IoG/n9IQxW3OBse97Ium28XSeMIbI/+hl08NsZVsbbcd5e4JRRoEYmPxtovb:l2G/nvxW3WdZQ+Tm4W6HuERbum01t

Score

10^/10

quasar emv spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EMV

manoftheyear-58512.portmap.io:58512

Mutex

QSR_MUTEX_OiWYJuvLVGz4wDjmfv

Attributes

encryption_key
0oQZGEIAu1YEgqvO30Bu
install_name
javaupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
javaupdater
subdirectory
SubDir

Signatures

Quasar RAT 6 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	94	ip-api.com	Process not Found
Key value queried		\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe
	13	ip-api.com	Process not Found
	51	ip-api.com	Process not Found
	63	ip-api.com	Process not Found
	66	ip-api.com	Process not Found

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b0000000234c8-14.dat	family_quasar
behavioral2/memory/2512-22-0x00000000001D0000-0x000000000022E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	emvstudio.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe

Executes dropped EXE 16 IoCs

pid	Process
2452	emvstudio.sfx.exe
2512	emvstudio.exe
3940	javaupdater.exe
2176	javaupdater.exe
2780	javaupdater.exe
4264	javaupdater.exe
3316	javaupdater.exe
3684	javaupdater.exe
4440	javaupdater.exe
4972	javaupdater.exe
4800	javaupdater.exe
4044	javaupdater.exe
1676	javaupdater.exe
1168	javaupdater.exe
3676	javaupdater.exe
4652	javaupdater.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
51	ip-api.com
63	ip-api.com
66	ip-api.com
94	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1808	3940	WerFault.exe	95
3376	2176	WerFault.exe	110
1624	2780	WerFault.exe	120
2972	4264	WerFault.exe	132
1936	3316	WerFault.exe	142
1560	3684	WerFault.exe	151
4460	4440	WerFault.exe	161
3860	4972	WerFault.exe	170
2584	4800	WerFault.exe	179
956	4044	WerFault.exe	191
2104	1676	WerFault.exe	204
3720	1168	WerFault.exe	213
4044	3676	WerFault.exe	222
2764	4652	WerFault.exe	234

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
3584	PING.EXE
4588	PING.EXE
3136	PING.EXE
2252	PING.EXE
4208	PING.EXE
4688	PING.EXE
1612	PING.EXE
1936	PING.EXE
1028	PING.EXE
1092	PING.EXE
3948	PING.EXE
324	PING.EXE
984	PING.EXE
4652	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3560	schtasks.exe
616	schtasks.exe
1860	schtasks.exe
4796	schtasks.exe
4520	schtasks.exe
4552	schtasks.exe
3872	schtasks.exe
2516	schtasks.exe
3228	schtasks.exe
2732	schtasks.exe
2328	schtasks.exe
676	schtasks.exe
3684	schtasks.exe
4472	schtasks.exe
620	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	emvstudio.exe
Token: SeDebugPrivilege	3940	javaupdater.exe
Token: SeDebugPrivilege	2176	javaupdater.exe
Token: SeDebugPrivilege	2780	javaupdater.exe
Token: SeDebugPrivilege	4264	javaupdater.exe
Token: SeDebugPrivilege	3316	javaupdater.exe
Token: SeDebugPrivilege	3684	javaupdater.exe
Token: SeDebugPrivilege	4440	javaupdater.exe
Token: SeDebugPrivilege	4972	javaupdater.exe
Token: SeDebugPrivilege	4800	javaupdater.exe
Token: SeDebugPrivilege	4044	javaupdater.exe
Token: SeDebugPrivilege	1676	javaupdater.exe
Token: SeDebugPrivilege	1168	javaupdater.exe
Token: SeDebugPrivilege	3676	javaupdater.exe
Token: SeDebugPrivilege	4652	javaupdater.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3940	javaupdater.exe
2176	javaupdater.exe
2780	javaupdater.exe
4264	javaupdater.exe
3316	javaupdater.exe
3684	javaupdater.exe
4440	javaupdater.exe
4972	javaupdater.exe
4800	javaupdater.exe
4044	javaupdater.exe
1676	javaupdater.exe
1168	javaupdater.exe
3676	javaupdater.exe
4652	javaupdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 672	2780	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe	87
PID 2780 wrote to memory of 672	2780	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe	87
PID 2780 wrote to memory of 672	2780	5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe	87
PID 672 wrote to memory of 2452	672	cmd.exe	90
PID 672 wrote to memory of 2452	672	cmd.exe	90
PID 672 wrote to memory of 2452	672	cmd.exe	90
PID 2452 wrote to memory of 2512	2452	emvstudio.sfx.exe	91
PID 2452 wrote to memory of 2512	2452	emvstudio.sfx.exe	91
PID 2452 wrote to memory of 2512	2452	emvstudio.sfx.exe	91
PID 2512 wrote to memory of 3684	2512	emvstudio.exe	93
PID 2512 wrote to memory of 3684	2512	emvstudio.exe	93
PID 2512 wrote to memory of 3684	2512	emvstudio.exe	93
PID 2512 wrote to memory of 3940	2512	emvstudio.exe	95
PID 2512 wrote to memory of 3940	2512	emvstudio.exe	95
PID 2512 wrote to memory of 3940	2512	emvstudio.exe	95
PID 3940 wrote to memory of 2516	3940	javaupdater.exe	96
PID 3940 wrote to memory of 2516	3940	javaupdater.exe	96
PID 3940 wrote to memory of 2516	3940	javaupdater.exe	96
PID 3940 wrote to memory of 2120	3940	javaupdater.exe	100
PID 3940 wrote to memory of 2120	3940	javaupdater.exe	100
PID 3940 wrote to memory of 2120	3940	javaupdater.exe	100
PID 2120 wrote to memory of 2388	2120	cmd.exe	103
PID 2120 wrote to memory of 2388	2120	cmd.exe	103
PID 2120 wrote to memory of 2388	2120	cmd.exe	103
PID 2120 wrote to memory of 4208	2120	cmd.exe	105
PID 2120 wrote to memory of 4208	2120	cmd.exe	105
PID 2120 wrote to memory of 4208	2120	cmd.exe	105
PID 2120 wrote to memory of 2176	2120	cmd.exe	110
PID 2120 wrote to memory of 2176	2120	cmd.exe	110
PID 2120 wrote to memory of 2176	2120	cmd.exe	110
PID 2176 wrote to memory of 3560	2176	javaupdater.exe	112
PID 2176 wrote to memory of 3560	2176	javaupdater.exe	112
PID 2176 wrote to memory of 3560	2176	javaupdater.exe	112
PID 2176 wrote to memory of 3016	2176	javaupdater.exe	114
PID 2176 wrote to memory of 3016	2176	javaupdater.exe	114
PID 2176 wrote to memory of 3016	2176	javaupdater.exe	114
PID 3016 wrote to memory of 3924	3016	cmd.exe	118
PID 3016 wrote to memory of 3924	3016	cmd.exe	118
PID 3016 wrote to memory of 3924	3016	cmd.exe	118
PID 3016 wrote to memory of 4688	3016	cmd.exe	119
PID 3016 wrote to memory of 4688	3016	cmd.exe	119
PID 3016 wrote to memory of 4688	3016	cmd.exe	119
PID 3016 wrote to memory of 2780	3016	cmd.exe	120
PID 3016 wrote to memory of 2780	3016	cmd.exe	120
PID 3016 wrote to memory of 2780	3016	cmd.exe	120
PID 2780 wrote to memory of 616	2780	javaupdater.exe	121
PID 2780 wrote to memory of 616	2780	javaupdater.exe	121
PID 2780 wrote to memory of 616	2780	javaupdater.exe	121
PID 2780 wrote to memory of 2584	2780	javaupdater.exe	123
PID 2780 wrote to memory of 2584	2780	javaupdater.exe	123
PID 2780 wrote to memory of 2584	2780	javaupdater.exe	123
PID 2584 wrote to memory of 2764	2584	cmd.exe	126
PID 2584 wrote to memory of 2764	2584	cmd.exe	126
PID 2584 wrote to memory of 2764	2584	cmd.exe	126
PID 2584 wrote to memory of 3584	2584	cmd.exe	128
PID 2584 wrote to memory of 3584	2584	cmd.exe	128
PID 2584 wrote to memory of 3584	2584	cmd.exe	128
PID 2584 wrote to memory of 4264	2584	cmd.exe	132
PID 2584 wrote to memory of 4264	2584	cmd.exe	132
PID 2584 wrote to memory of 4264	2584	cmd.exe	132
PID 4264 wrote to memory of 2328	4264	javaupdater.exe	134
PID 4264 wrote to memory of 2328	4264	javaupdater.exe	134
PID 4264 wrote to memory of 2328	4264	javaupdater.exe	134
PID 4264 wrote to memory of 1760	4264	javaupdater.exe	136

C:\Users\Admin\AppData\Local\Temp\5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\emvstudio.sfx.exe
    emvstudio.sfx.exe -p123 -dc:\
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\emvstudio.exe
      "C:\emvstudio.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\emvstudio.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
    - - C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Ur19eCTvPnD.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4208
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWpYq7sAhoHb.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmx4KWUGet7H.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:3584
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JDPom6sUHpeM.bat" "
        12⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iDeWZxp47tGC.bat" "
        14⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7dIXFn4xE16N.bat" "
        16⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:3948
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ijCq2iu6uWYQ.bat" "
        18⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h0RPopXKFsgs.bat" "
        20⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMEXHK2z2NNl.bat" "
        22⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyu8PwpqRR6W.bat" "
        24⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7YI6VO43HQ6.bat" "
        26⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ZomMqwbB1e5.bat" "
        28⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3o7Y2UOOdIor.bat" "
        30⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4652
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "javaupdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\javaupdater.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\56BqbMBxUSdD.bat" "
        32⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 2248
        32⤵
        Program crash
        
        PID:2764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 2256
        30⤵
        Program crash
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1952
        28⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 2256
        26⤵
        Program crash
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 2220
        24⤵
        Program crash
        
        PID:956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 2256
        22⤵
        Program crash
        
        PID:2584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 2216
        20⤵
        Program crash
        
        PID:3860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 2168
        18⤵
        Program crash
        
        PID:4460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 2256
        16⤵
        Program crash
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 2260
        14⤵
        Program crash
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 2256
        12⤵
        Program crash
        
        PID:2972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 2256
        10⤵
        Program crash
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 2280
        8⤵
        Program crash
        
        PID:3376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 2264
        6⤵
        Program crash
        
        PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3940 -ip 3940
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2176 -ip 2176
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2780 -ip 2780
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4264 -ip 4264
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3316 -ip 3316
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4440 -ip 4440
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4972 -ip 4972
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4800 -ip 4800
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4044 -ip 4044
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1676 -ip 1676
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1168 -ip 1168
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3676 -ip 3676
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4652 -ip 4652
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat

Filesize
29B

MD5
07eb59abff55bf3dc69e7bac86101bb4

SHA1
62d6ef99f8670ed5b7d5e303ed56cc75e53bf778

SHA256
9b02897fd3ae01ea3308243ba60d7418f5bcb91694e68ed1c445d140ee311f22

SHA512
14e0f42bc147425377df5cc1d9378f2bdae80ddb38b4e47993716033ff7e925d75f2b381ea5e2f09a2b3fb40c6b48f9466660df9d010f8030f496c9b08732ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ZomMqwbB1e5.bat

Filesize
212B

MD5
c9b54e15fb72ddfd544639e8496eab82

SHA1
0d28e6120151902e9f8853de4ea2a33d7ecd653f

SHA256
2e482f51fff0b8f5226e03d9c9292e971c02b10f2586b8ed42f80131e4e2ca07

SHA512
ec93c5b94904b35960101e81641288f6f7b19602d06be6105a6273e60d0e189b78ef683d35a3f9c520c87a8e38ea6d5a07cdb5b587c6ff60d5f81e5118cd1378

Download Submit
C:\Users\Admin\AppData\Local\Temp\3o7Y2UOOdIor.bat

Filesize
212B

MD5
53eef49fbaabceac4ecf427def90a106

SHA1
91c665eb78c2e430247bd040287aa121fb4320a5

SHA256
68e6e6c5bade80092fe2a37d3fe817f2b9d4ea7de0c1445706bee7c2940484ab

SHA512
a60980bce150b4fec3c56fb9f2bb6eb5351b9bff13ee1112ec76d8583801240c49633d3f1d1fc9ae2931eb845ba58f19c9db1947d7316736d903a391bc639d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\56BqbMBxUSdD.bat

Filesize
212B

MD5
9469ff5f6b80317359dd42a42eeb322b

SHA1
2bc41cd73dfcdba64808c055978cba064f1bfe85

SHA256
48fd31b8e52ab5f3563d11894f91c8c8764f2c77916110fa91b61a33f757e375

SHA512
b43b7d71395b7062375aa0d08f7f72dfdecaa0a0209afe0d93481594589d55378a683c0cfc0b4083cf72382c515421028d5c02ab4c37603b32403b4220592813

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dIXFn4xE16N.bat

Filesize
212B

MD5
22b821ee759e93e642dfd749f26263a9

SHA1
7e0ab915ea3f43d023978d5a3dd447568a9214e5

SHA256
f42078248b405a0f96e4128cef5b48c42dd9aec7fa878b5aba5294db4bb6dc5e

SHA512
d1ccf3861d7b04ebe5ada1f22aca913a257fb30a0577be043c9f7c74086a99e7548c87a1b7dcef82caef927b63a751826f08f365554624c7d1f64b06e8d9fb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Ur19eCTvPnD.bat

Filesize
212B

MD5
1842f3fa5e830431ba939e17b4258b73

SHA1
e622f18c8c80297cd60770aec98b0cb0a598f638

SHA256
04e008529c028bc0e99cb4f4154698bbb3b798f73fd4b70bf60040236d4d2618

SHA512
1c609f36207e74e0a7037ff4745f91c835d1d097e5d0d75f2788c160a67cb923debcac4e75615c21f5eacc60008defe044b9aa913e6fa92dead5aa5f0c3a25e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDPom6sUHpeM.bat

Filesize
212B

MD5
32340e1b6087a25a99c829fb07f6ae7e

SHA1
a8864da195b11a4da413f5ead4fa17cf49d0437a

SHA256
37f4609372b7f5faa34766f7405d77e41e499d40d1aa2c919660204c37848dbf

SHA512
8c2ec869d121eb6a2714c7a76456eb727dd98bde4ade16ae02182ae108dd4d54a5b38012150c538df1b2a5a8681b1bb4a6ef6ea0e27d8fbfd72e4ad9101840db

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7YI6VO43HQ6.bat

Filesize
212B

MD5
85ebfb75b24162fa7d0626a404a0015e

SHA1
5daaed0c934e753f402bad36552fd02699efa561

SHA256
9757a053dec6b1c269e85a4a58b75b604bd08f2eca4ab3b174c3259e666f5207

SHA512
969cabc6973576516284af9d043cde0966e85866606989f2b5627af69ca66631053b5e74c8c6b885572a3fea1c09fc4ff7a2db2d143dcd429919ab0222283bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\h0RPopXKFsgs.bat

Filesize
212B

MD5
1006b8de630783d14d16d83feeff2867

SHA1
69bda7f4584db0c4bba51048a47ad6769d94618f

SHA256
2f185a9056fe4e4958406ac430bccfd9ec41e3031d4aeedf6977e84b726bf0d3

SHA512
3ffa18a09e3d0714d281840b91a3ab423572074d787061b0e19c9b5f82016901522b6c7802db40c50fb6dc9e0681ec350f2a2313efde2544b1a710f4ec967724

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyu8PwpqRR6W.bat

Filesize
212B

MD5
6e92b68f1d49ee3d1fdc2136f6b894d9

SHA1
84405ba7d518e71bbb034fecb9d1fb94109e5229

SHA256
6a3fd6bfcdebbdfa3f378745c1129e96cfc7b51081510b3f3e2f5ee7e46e9ca7

SHA512
276f910f6c97d61265695a175ebee8f1039d935fe45da762c585d3c4802e498f14f219381069fc4678229017fccc03ca99074422b25bbd7d91287ac7c32ed188

Download Submit
C:\Users\Admin\AppData\Local\Temp\iDeWZxp47tGC.bat

Filesize
212B

MD5
eacf282be98d5600a4f219a38355d159

SHA1
d757ec507c686d3a5087bfa6b4953124aad32598

SHA256
926299a140c6943e6e5549e7e33228ecc89d0daf79bea38b1a5d47cca35b4094

SHA512
50e0889e65db55a077988909a138661b8801541738c0957037413653f8d0512d131d2d42eab58d7b383b2baa526af19ac58a27b715d50a06e2dd06db1505c06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijCq2iu6uWYQ.bat

Filesize
212B

MD5
3ad3f8150bc6d5de29b2e1cdb2bb5a0c

SHA1
e1db9f730111985e7f88adfc4140731ac3019e5d

SHA256
d1064fab48642cbef6c8fd6eaefcff8857250be0020a83546a861efa7b781fb4

SHA512
03a329cf50498590624cf138139d1f86e4b95bf2c96e5426b8321e0885fafe56c598f2e3471cb0281c3c579662944cd05a830b50ad45cf93b6708611e18dbab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWpYq7sAhoHb.bat

Filesize
212B

MD5
952287ebce763e7fb63b0686f4fa8288

SHA1
97d26a0ef92a0ba7aa1b9a646095a2b57040bbb3

SHA256
c6f11118054a2d854f3ef1a11ab1610d3064596195952948bcef6054956c7c41

SHA512
0e3ad239fc288678e649a2092d4395c541cd08030b3feb967f028e8a5a1c849e48380aa95362ce0e105f3278f4bf0a84e3ac7783672841e3f4f90f573159fcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmx4KWUGet7H.bat

Filesize
212B

MD5
8baf061ee2d529a85f8a8dd868de128b

SHA1
19ec50d55a4bfec944fd023b0673654714c21c9c

SHA256
a22731d07eb11d63263c98c490faadc5ec6becb0fd1fa5552719e6f21e6ea51c

SHA512
d88bc474ead9039acba14a7b02d0f81137cfae67478885e1fd13dd7816ba517b4ad0556afe35ce7558345413ae2501f8e6ea00f56ee7ca4bfc6a2080782dd4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMEXHK2z2NNl.bat

Filesize
212B

MD5
2d2cab0ba12341eb9af4ba4e0fba436d

SHA1
ddae433df83dd326446b0b179c6f33bd0ab2597d

SHA256
7833d16ade5b6ab7b713c01815a8d3ef0eae62134986005a2d35c80ce24cd212

SHA512
ba87f28835e5c8b58501a1fbad35e3b4a36c1a1361362f4a427a3bdc018d359d5b3839192db3c2b619c932cacadc18ee300750d75dea900f4fc1b787ceec75ee

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
25a1583cfeb7e432bbd6883831cf00d0

SHA1
6a2a867c5af5ab2e42010fce2212dcad816914b0

SHA256
1972acabad718aaf2112ad4b6bb80aa0a09252346675ab229a7813b43cc0797b

SHA512
42330b76d0d1eb93e511645b59a1102687eaf56e1360052c244add6066b6e9e3b2303aca9869abacd1910ff066d3fa5204fc8c4e7bce2a641ffb442bf98f1000

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
6b6c1abf6969332257031f4cb6e1548f

SHA1
cd77577beee0cf8e430f80439eb2bec0f8c22ccd

SHA256
cceed463b91d1fe5ac8aef010c3f4a6fe12be0ee4513616a50b4fe401929fe9a

SHA512
233ec997e328eeb29f7f76d2592f6a279b718ca3e902375617315609e7ee18e6055e46cadb2ff1ab5c59ba7504c5df206d33c16ecac9f1b321e2f09362caad51

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
d7c0638d2002085afe15d978f46c993b

SHA1
f505d0436b907d5da024403ada2e005ffaf15696

SHA256
2805c867d7bbf1ad165447a58bb928e6876395f2cb9899600433bc1ae8adf693

SHA512
922deaaf662472b0768d0fc52838532f6c75a4776a02098ab9f690d750430616562f5a58aea5abd31f4c6896813829a1fc0b4bc48b4c21eb3516984915771f66

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
b4a552775331ba7d85dd8b0f1f1a8564

SHA1
f7df326950e5ed968e52ddd8a1e3ca22538b4d48

SHA256
97ab2131b91659218647b13a4af05f385417520fc882d4b3584d9c60369eb4fd

SHA512
81ca09e2bf8d65938926d9d30c8bd6100c73035a16728d96a89246237846833a70a44eac50a6796f2fa5c1fecc2b3247b54222ee2b38ee30427cacb5b1cbb504

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
c22892122577b928fc676cbbb8438f28

SHA1
f1d4ed32a5c85ab0c8d28ed78e51bd69a963bc10

SHA256
a2f423938be24273c1b4df7dbf7594eb83b4c150da838933d1869cfb7b42a96e

SHA512
6e19015c54d39af2428bad63318060842729e4eab04b3bbb43b212ffb5dfc75e7cb1810281ee19ca6aa9c93ee898c4b880fd34a753387f988d75a396ad3325cd

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
ab9121bf270a6b22e7b107f61672eb81

SHA1
dca530c763fd057852b6939027ba53596a5e93bb

SHA256
3f88cf180ec5549cf7f7aa7a79f1ac3dc8618b28300010c38e5dbc0b23cb412e

SHA512
58e4a9b69e716eacd074588d767850e4a4dbca7ba2e7b95403fc383a1f088496d328f76187a79cbd6ebeef888e8582fdf1ef2f241c3b20f9d0e6015f5edcc9f3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
4daee0c4eb0f741353abcd0d3abbb8ee

SHA1
7b27b7aceac46c08eaf235238d52db796e555b90

SHA256
cf41d62418861a75a7ca26c98b4c6e6362992e2b38f904f39ef616843776bf92

SHA512
22879f44a53a55d58ecd6a7f672e783fa2b21d0520ec24d32b7c4285b6e74ce8c3b0e04b971c175d24545c610373ec7f923b1354d455a4d42879bfa884c06841

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
1815314251476eb424c189d50081c0de

SHA1
9c0f05065b126505e1ae89bae63b1a8c5f786b11

SHA256
c815966655d5af9d2c0ec753179f622b4571cc31500133dc5a429eb69d1118e1

SHA512
ef11ae4a56d30f5922b3844755ea8ecc9dbb7cb0dae0110949feb6e0e0f544fdbd46f9529a25de3d14b4aca596ed5e22d789894d1eafb78f2bb066132449a28a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
64fae545d92e4dfe18e13110e916c029

SHA1
0956a9d68a5e3cd3454be3ab5eff162b7ad7c1cd

SHA256
0e01bc6a5736983b9b1fa373c14e0db9f28baac4adf819e71ad73adac4b550d8

SHA512
d3f10450730f5dcd918ee39d37c05eda852b2a3c9bfdfe4b92f6cc8738ffbf9dd10b9337315cbbc0721f73529aab50dd9302c0555b3337d096b0f898271c1b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
f969d756e94aa05ac1001a854166e04b

SHA1
4a067035d67c4afc969e6c71d7654531373a1c87

SHA256
4df6a9acfdbd242b0f78b293ccb1b49b1b3da9022eb7a559fc57ebd770d0a23e

SHA512
8e74a506c904691a8e32c12920f5432e852f9404d69a94306ef7551e7ebfcd681a72fc0f4132e7c0e2d034215020069fdc205bcff57bc4b30e9e4e028bd86897

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
95dde91170291ffa57ad9f68288f776a

SHA1
ab538c15b84631a15cd09db6357f1f05a81d7336

SHA256
d5df53356ca2f2c7ee6fe4478ec534948f2f212d91196d44d4950603791d428f

SHA512
353dfc43e222eb8731c67721ddcbbfa8ef0a679b34644d34e7670ecf84e7cb0576207eda307e28a4dd3bedbf3aec0f87f6dd0f8bcb1f74d731f303d035bbd686

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
293a63368abe0d3435ffd4d7163ac840

SHA1
c1e0d0a1ba1d60b3902851b6acc14337bc8403fb

SHA256
0d431ae7d779b5a31bda5210258b1c63bdad83b264dbae66e1780de40dcad978

SHA512
ec1a4d8c09cebd7a3d36d93abdbba399af593e07648b4ce7890cf0f1b7b79e97b9204fcf1b4885a234f7e243d0a17269f579f613740f774b7ac371aba2660dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-19-2024

Filesize
224B

MD5
6996d8057437989177222f65f3247011

SHA1
8914b5d85ea37dd3954b2e5d8ad31b5b19a163ae

SHA256
258aeae0be19983934f2ae84a4e67c736a453062cd962e845e4012fdcdfeb686

SHA512
802b1209962e0c0bd375da1685a31a2e4f853a80f066ee0e215d0c470935c8f61f9a0df52f4023c6bd9177ad453555e7f5e3eeb473fdb3596386f132e2c2333b

Download Submit
C:\emvstudio.exe

Filesize
347KB

MD5
f8c316c51d682b0d3285915c331db8c9

SHA1
78ebd0d34009d0093846f0d1abdc17f63984c99c

SHA256
e10b5ae07ddbf7e905afd77a5cfb4c85f5d3dcda3badba0214e36680c411974c

SHA512
08ada00d0b02805c7f81652a1ce4c2f2fa9d8920953afd74b34e976204e3419249d1be7acc6ca859ab988dc20c6b1df216c0ebd232eedc53e53e4191ed25de8e

Download Submit
C:\emvstudio.sfx.exe

Filesize
476KB

MD5
6ed4536f971c072f89d07b72a420bb0e

SHA1
6d2717fffcb247ef00d4b7870bcb174a754c0907

SHA256
8f9f39eb54739a856e1295c8756bddf88ab35eda48038c3ae6d86fbd3965a41d

SHA512
df8f7e6eb967999199f0c7b4b030dc3e414d8aef9fadaf7a0ef312ae22fd0681ac5cd0184230e24c9166ada3c41e0cf9644bd91d376a0eb4f4c33e7de2b3f748

Download Submit
memory/2512-27-0x0000000005E90000-0x0000000005ECC000-memory.dmp

Filesize
240KB

Download
memory/2512-26-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/2512-25-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/2512-24-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/2512-23-0x00000000051C0000-0x0000000005764000-memory.dmp

Filesize
5.6MB

Download
memory/2512-22-0x00000000001D0000-0x000000000022E000-memory.dmp

Filesize
376KB

Download
memory/3940-35-0x00000000069B0000-0x00000000069BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads