Analysis

max time kernel: 148s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 03:09

Behavioral task: behavioral1
  Sample: intager.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: intager.exe
  Resource: win11-20241007-en

The signatures, process tree and dropped files below are from behavioral1 (win10v2004-20241007-en); results for behavioral2 are not included on this page.

General

Target: intager.exe
Size: 3.1MB
MD5: 5d0bfe1b693c6fd64a77d4b5fb028ade
SHA1: e080ec222e7e6ef23a1d57493399e9fcc8aff537
SHA256: 1b9abaa17e10d390aa0402d09635814641f3194ac18b6d5ddad825c45f7245f4
SHA512: 5010ba377b66360cca843b497f0b5b3cdf98b7d72a435d7a4e150c2bec4e02243db3b9ffb6e8b815009f1fc0bad510ef5dc8e302bc28083031adae044c20c51d
SSDEEP: 49152:TvtD/2oga6ctePEl3s3jn7HZkgPBgzMgbRwLoGdz7THHB72eh2NT:TvR/2oga6ctePEl3s3L7HZkgPBgzM3
Malware Config

Extracted

family: quasar
version: 1.4.1
minecraft_updater  (unlabelled in the report; this position in a Quasar config is normally the botnet/campaign tag, so the label is an assumption)
https://pastebin.com/raw/vxJGbg64:33006  (unlabelled in the report; this is the C2/hosts value, see the note below)
4d29c496-7884-4de7-a5a8-82e57928b74a  (unlabelled in the report; the GUID format matches the Quasar mutex, so that label is an assumption)
encryption_key: C5904FDD788EA00F921C538B9FE80C0B0A0DE728
install_name: MinecraftUpdater.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: MinecraftUpdater
subdirectory: SubDir

Notes on the extracted values:

The C2 value is a Pastebin raw-paste URL followed by :33006 rather than a host:port pair. The stock Quasar 1.4 client uses the configured hosts value directly as host:port and has no built-in step that fetches a paste, so this build is either a modified client that resolves the real address through the paste or simply misconfigured. This page does not include a network capture, so the URL itself is the only network indicator the report supports.

install_name, subdirectory and startup_key line up exactly with what the process tree shows: the sample copies itself to C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe and registers a scheduled task named MinecraftUpdater. reconnect_delay is in milliseconds (3 s between connection attempts). In stock Quasar, log_directory is the folder name the keylogger writes under the user's AppData directory, so a Logs folder there is worth checking on an infected host.
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/4216-1-0x0000000000460000-0x0000000000784000-memory.dmp   family_quasar
  behavioral1/files/0x0007000000023c88-6.dat                                   family_quasar
The memory match is inside the initial intager.exe process (PID 4216); the file match is the dropped copy.

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation   MinecraftUpdater.exe
  (the same query is recorded once for each of the 15 MinecraftUpdater.exe instances)
Caveat: Geo\Nation is also read by the .NET runtime when it initialises region and culture information, so a .NET binary such as a Quasar client triggers this signature whether or not it contains any geofencing logic. Treat it as noise that corroborates a managed binary, not as evidence that the sample geofences.

Executes dropped EXE (15 IoCs)
  pid   Process
  1060  MinecraftUpdater.exe
  4812  MinecraftUpdater.exe
  2816  MinecraftUpdater.exe
  3436  MinecraftUpdater.exe
  3176  MinecraftUpdater.exe
  4016  MinecraftUpdater.exe
  412   MinecraftUpdater.exe
  1052  MinecraftUpdater.exe
  5088  MinecraftUpdater.exe
  1708  MinecraftUpdater.exe
  4808  MinecraftUpdater.exe
  3604  MinecraftUpdater.exe
  3092  MinecraftUpdater.exe
  4848  MinecraftUpdater.exe
  2900  MinecraftUpdater.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2376  PING.EXE
  2600  PING.EXE
  3256  PING.EXE
  4792  PING.EXE
  3276  PING.EXE
  2484  PING.EXE
  4652  PING.EXE
  3204  PING.EXE
  4988  PING.EXE
  3300  PING.EXE
  3060  PING.EXE
  1392  PING.EXE
  2468  PING.EXE
  2736  PING.EXE
  1248  PING.EXE
Caveat: every one of these PING.EXE instances runs "ping -n 10 localhost" (see the process tree), which never leaves the host. Here ping is the roughly ten-second delay inside the restart batch, not a connectivity check, so this TTP label overstates what happened.

Runs ping.exe (1 TTPs, 15 IoCs)
  the same 15 PING.EXE processes: 1248, 4792, 1392, 3276, 2484, 3060, 4988, 4652, 2736, 3300, 3256, 3204, 2376, 2468, 2600

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4360  schtasks.exe
  3360  schtasks.exe
  3116  schtasks.exe
  2024  schtasks.exe
  5116  schtasks.exe
  2756  schtasks.exe
  344   schtasks.exe
  1200  schtasks.exe
  4948  schtasks.exe
  4624  schtasks.exe
  3368  schtasks.exe
  1956  schtasks.exe
  2268  schtasks.exe
  4824  schtasks.exe
  2256  schtasks.exe
  3204  schtasks.exe
All 16 instances run the same command (one from intager.exe, one from each MinecraftUpdater.exe instance):
  "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
/sc ONLOGON registers a logon trigger, /rl HIGHEST runs the task with the highest privileges available to the account (elevated without a UAC prompt if the account is an administrator), and /f silently overwrites any existing task of the same name.

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4216  intager.exe
  Token: SeDebugPrivilege  1060  MinecraftUpdater.exe
  Token: SeDebugPrivilege  4812  MinecraftUpdater.exe
  Token: SeDebugPrivilege  2816  MinecraftUpdater.exe
  Token: SeDebugPrivilege  3436  MinecraftUpdater.exe
  Token: SeDebugPrivilege  3176  MinecraftUpdater.exe
  Token: SeDebugPrivilege  4016  MinecraftUpdater.exe
  Token: SeDebugPrivilege  412   MinecraftUpdater.exe
  Token: SeDebugPrivilege  1052  MinecraftUpdater.exe
  Token: SeDebugPrivilege  5088  MinecraftUpdater.exe
  Token: SeDebugPrivilege  1708  MinecraftUpdater.exe
  Token: SeDebugPrivilege  4808  MinecraftUpdater.exe
  Token: SeDebugPrivilege  3604  MinecraftUpdater.exe
  Token: SeDebugPrivilege  3092  MinecraftUpdater.exe
  Token: SeDebugPrivilege  4848  MinecraftUpdater.exe
  Token: SeDebugPrivilege  2900  MinecraftUpdater.exe

Suspicious use of WriteProcessMemory (64 IoCs)
The sandbox records each parent-to-child write twice; the 32 distinct pairs are:
  source pid  source process         target pid  procid_target
  4216        intager.exe            2268        82
  4216        intager.exe            1060        84
  1060        MinecraftUpdater.exe   4824        85
  1060        MinecraftUpdater.exe   5028        87
  5028        cmd.exe                4672        89
  5028        cmd.exe                2376        90
  5028        cmd.exe                4812        99
  4812        MinecraftUpdater.exe   2256        100
  4812        MinecraftUpdater.exe   2340        102
  2340        cmd.exe                952         104
  2340        cmd.exe                2468        105
  2340        cmd.exe                2816        106
  2816        MinecraftUpdater.exe   4360        107
  2816        MinecraftUpdater.exe   4564        109
  4564        cmd.exe                5036        111
  4564        cmd.exe                3276        112
  4564        cmd.exe                3436        115
  3436        MinecraftUpdater.exe   3360        116
  3436        MinecraftUpdater.exe   3484        118
  3484        cmd.exe                4124        120
  3484        cmd.exe                4988        121
  3484        cmd.exe                3176        122
  3176        MinecraftUpdater.exe   3204        123
  3176        MinecraftUpdater.exe   4908        125
  4908        cmd.exe                2036        127
  4908        cmd.exe                2484        128
  4908        cmd.exe                4016        129
  4016        MinecraftUpdater.exe   4624        130
  4016        MinecraftUpdater.exe   544         132
  544         cmd.exe                1184        134
  544         cmd.exe                3300        135
  544         cmd.exe                412         136
Every pair is a parent writing into a child it has just created, which matches the process tree exactly (process creation writes the child's parameter block this way, which is also why the transient cmd.exe instances appear). There is no write into an unrelated process, so this is not evidence of injection. The list stops at the sandbox's 64-entry cap, which is why the cycles after PID 412 are missing here.

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
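The task registered above survives reboots, so a responder usually has to find it on disk rather than in process telemetry. The following is an added example by the editor, not part of the sandbox report and not Quasar's code: it inspects Task Scheduler XML (the format returned by `schtasks /query /tn <name> /xml` and stored under C:\Windows\System32\Tasks) and flags the combination this sample produces. Both task documents are constructed for the example: the suspect one is shaped the way `/sc ONLOGON /rl HIGHEST` registers a task, using the sandbox user's SID from the report as the principal, and the "Backup" task is an invented benign control.

```python
r"""Triage Task Scheduler XML for the logon task this sample registers.

Added example by the editor: not part of the sandbox report, not Quasar code.
Both XML documents are CONSTRUCTED. SUSPECT_TASK_XML mirrors what
  schtasks /create /tn "MinecraftUpdater" /sc ONLOGON /tr "<AppData path>" /rl HIGHEST /f
registers (LogonTrigger + RunLevel HighestAvailable + Exec command), using the
sandbox user's SID from the report; BENIGN_TASK_XML is an invented control.
On a live host the same text comes from `schtasks /query /tn <name> /xml` or from
the UTF-16 files under C:\Windows\System32\Tasks (ET.parse(path) reads those directly).
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)

SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-3442511616-637977696-3186306149-1000</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-12-18T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec>
  </Actions>
</Task>"""


def inspect_task(xml_text):
    """Pull trigger types, run level and Exec commands from one task, and score it."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    # tags carry the namespace as "{uri}LogonTrigger"; keep only the local name
    triggers = [el.tag.rsplit("}", 1)[-1] for el in (trig if trig is not None else [])]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    commands = [c.text or "" for c in root.iterfind("t:Actions/t:Exec/t:Command", NS)]
    reasons = []
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        reasons.append("runs at logon/boot")
    if run_level == "HighestAvailable":
        reasons.append("RunLevel=HighestAvailable")
    if any(USER_WRITABLE.search(c) for c in commands):
        reasons.append("command under user-writable AppData")
    return {"triggers": triggers, "run_level": run_level, "commands": commands,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def hunt(tasks):
    """tasks: {task_name: xml_text} -> names whose XML scores as suspicious."""
    return [name for name, xml in tasks.items() if inspect_task(xml)["suspicious"]]


if __name__ == "__main__":
    for name, xml in {"MinecraftUpdater": SUSPECT_TASK_XML, "Backup": BENIGN_TASK_XML}.items():
        print(name, inspect_task(xml))
```

Two of the three reasons are enough to flag a task because a logon trigger alone or an AppData target alone is common for legitimate updaters; the sample hits all three. When removing it, stop the running MinecraftUpdater.exe before `schtasks /delete /tn MinecraftUpdater /f`, since the process re-creates the task on every relaunch, then remove the SubDir folder under AppData\Roaming.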
Processes
Flattened view of the sandbox process tree. "[d, parent P]" gives the depth in the tree and the PID of the process that spawned this one, as the sandbox recorded it; the signatures that fired on each process follow its command line. The whole tree is one cycle repeated fifteen times: every MinecraftUpdater.exe instance re-registers the ONLOGON task, drops a fresh randomly named .bat in the user's Temp directory, runs it through cmd.exe, and the batch (chcp 65001, then ping -n 10 localhost as a sleep) relaunches MinecraftUpdater.exe from the install path. That is why the tree is 32 levels deep after a 148-second run. PIDs are reused within the run (3204, 2256 and 5028 each appear twice for different images), so correlate on parent and order rather than on PID alone.

[1] PID 4216  C:\Users\Admin\AppData\Local\Temp\intager.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\intager.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2, parent 4216] PID 2268  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[2, parent 4216] PID 1060  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3, parent 1060] PID 4824  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[3, parent 1060] PID 5028  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vzZUaJ4WLAM.bat" "
    - Suspicious use of WriteProcessMemory

[4, parent 5028] PID 4672  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[4, parent 5028] PID 2376  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[4, parent 5028] PID 4812  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5, parent 4812] PID 2256  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[5, parent 4812] PID 2340  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSPBQhf2ZH0A.bat" "
    - Suspicious use of WriteProcessMemory

[6, parent 2340] PID 952  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[6, parent 2340] PID 2468  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[6, parent 2340] PID 2816  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[7, parent 2816] PID 4360  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[7, parent 2816] PID 4564  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ciOVCCMrktI.bat" "
    - Suspicious use of WriteProcessMemory

[8, parent 4564] PID 5036  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[8, parent 4564] PID 3276  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[8, parent 4564] PID 3436  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[9, parent 3436] PID 3360  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[9, parent 3436] PID 3484  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pMGijJBryng.bat" "
    - Suspicious use of WriteProcessMemory

[10, parent 3484] PID 4124  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[10, parent 3484] PID 4988  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[10, parent 3484] PID 3176  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[11, parent 3176] PID 3204  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[11, parent 3176] PID 4908  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EFzzHvhWBTyK.bat" "
    - Suspicious use of WriteProcessMemory

[12, parent 4908] PID 2036  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[12, parent 4908] PID 2484  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[12, parent 4908] PID 4016  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[13, parent 4016] PID 4624  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[13, parent 4016] PID 544  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iXOF5TGCASI2.bat" "
    - Suspicious use of WriteProcessMemory

[14, parent 544] PID 1184  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[14, parent 544] PID 3300  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[14, parent 544] PID 412  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[15, parent 412] PID 344  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[15, parent 412] PID 1928  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWWwAJXOFnMI.bat" "

[16, parent 1928] PID 1196  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[16, parent 1928] PID 4652  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[16, parent 1928] PID 1052  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[17, parent 1052] PID 3368  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[17, parent 1052] PID 4056  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoesSGuOZJGP.bat" "

[18, parent 4056] PID 4644  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[18, parent 4056] PID 3060  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[18, parent 4056] PID 5088  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[19, parent 5088] PID 1200  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19, parent 5088] PID 2228  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4tcOFFXxu8hg.bat" "

[20, parent 2228] PID 4528  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[20, parent 2228] PID 2600  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[20, parent 2228] PID 1708  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[21, parent 1708] PID 3116  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[21, parent 1708] PID 4464  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1KlMGfarHrW7.bat" "

[22, parent 4464] PID 2880  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[22, parent 4464] PID 2736  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[22, parent 4464] PID 4808  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[23, parent 4808] PID 1956  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[23, parent 4808] PID 3184  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QRhiswDFLrf.bat" "

[24, parent 3184] PID 2324  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[24, parent 3184] PID 3204  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[24, parent 3184] PID 3604  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[25, parent 3604] PID 5116  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[25, parent 3604] PID 1800  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jM5EjJeDi0YT.bat" "

[26, parent 1800] PID 1396  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[26, parent 1800] PID 3256  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[26, parent 1800] PID 3092  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[27, parent 3092] PID 4948  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[27, parent 3092] PID 4900  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ghSs72NI4bj9.bat" "

[28, parent 4900] PID 1124  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[28, parent 4900] PID 1248  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[28, parent 4900] PID 4848  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[29, parent 4848] PID 2024  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[29, parent 4848] PID 2256  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ug09VeCELg8h.bat" "

[30, parent 2256] PID 5028  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[30, parent 2256] PID 4792  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[30, parent 2256] PID 2900  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[31, parent 2900] PID 2756  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[31, parent 2900] PID 3128  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vLbgtB1oD6H.bat" "

[32, parent 3128] PID 4600  C:\Windows\system32\chcp.com
    cmdline: chcp 65001

[32, parent 3128] PID 1392  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
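The tree above is the detection opportunity: process telemetry records the parent/child links, the schtasks command line and the batch-driven relaunch, and those shapes stay the same across Quasar builds even when the file name and task name change. The following Python is an added example by the editor, not part of the report and not Quasar's own code. Its input is constructed to mirror the first two cycles of the tree above (same PIDs, image paths and command lines); PID 1000 as the root's parent and the "Backup" task are invented, and in practice the records would come from Sysmon Event ID 1 or equivalent EDR telemetry.

```python
"""Detect the Quasar persistence and batch-restart pattern from the process
tree above, using process-creation telemetry.

Added example by the editor: not part of the sandbox report, not Quasar code.
SAMPLE_EVENTS is constructed to mirror the first two cycles of the report's
tree (same PIDs, images, command lines). PID 1000 and the "Backup" task are
invented benign context. Real input: Sysmon Event ID 1 / EDR process records.
"""
import re
from collections import defaultdict

SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"
CMD = r"C:\Windows\system32\cmd.exe"
INSTALL = r"C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
PERSIST = (r'"schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON '
           r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f')

# (pid, parent_pid, image, command_line) -- constructed from the report's tree
SAMPLE_EVENTS = [
    (4216, 1000, r"C:\Users\Admin\AppData\Local\Temp\intager.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\intager.exe"'),
    (2268, 4216, SCHTASKS, PERSIST),
    (1060, 4216, INSTALL, f'"{INSTALL}"'),
    (4824, 1060, SCHTASKS, PERSIST),
    (5028, 1060, CMD, CMD + r' /c ""C:\Users\Admin\AppData\Local\Temp\6vzZUaJ4WLAM.bat" "'),
    (4672, 5028, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (2376, 5028, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (4812, 5028, INSTALL, f'"{INSTALL}"'),
    (2256, 4812, SCHTASKS, PERSIST),
    (2340, 4812, CMD, CMD + r' /c ""C:\Users\Admin\AppData\Local\Temp\oSPBQhf2ZH0A.bat" "'),
    (952, 2340, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (2468, 2340, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (2816, 2340, INSTALL, f'"{INSTALL}"'),
    # invented benign control: a daily task whose target lives under Program Files
    (7000, 1000, SCHTASKS,
     r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)


def parse_schtasks_create(cmdline):
    """Return {tn, sc, tr, rl} from a 'schtasks /create' line, or None if it is not a create."""
    if "/create" not in cmdline.lower():
        return None
    opts = {}
    # each switch is followed by either a quoted value or a bare token
    for m in re.finditer(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', cmdline, re.I):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def persistence_reasons(cmdline):
    """Why a schtasks /create looks like user-land persistence; None unless >= 2 reasons."""
    opts = parse_schtasks_create(cmdline)
    if opts is None:
        return None
    reasons = []
    if opts.get("sc", "").upper() in ("ONLOGON", "ONSTART"):
        reasons.append("trigger=" + opts["sc"].upper())
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("runlevel=HIGHEST")
    if USER_WRITABLE.search(opts.get("tr", "")):
        reasons.append("target under user-writable AppData")
    return reasons if len(reasons) >= 2 else None


def find_restart_chains(events):
    """cmd.exe running a .bat whose children include 'ping -n N localhost' (a sleep)
    and a relaunch of the same image as cmd.exe's own parent: the restart-batch shape."""
    by_pid = {e[0]: e for e in events}
    kids = defaultdict(list)
    for e in events:
        kids[e[1]].append(e)
    chains = []
    for pid, ppid, image, cmd in events:
        bat = re.search(r'([^"\s]+\.bat)', cmd, re.I)
        if not image.lower().endswith("\\cmd.exe") or not bat:
            continue
        parent = by_pid.get(ppid)
        sleeps = any(k[2].lower().endswith("ping.exe")
                     and re.search(r"-n\s+\d+\s+localhost", k[3], re.I) for k in kids[pid])
        relaunch = [k[0] for k in kids[pid] if parent and k[2].lower() == parent[2].lower()]
        if sleeps and relaunch:
            chains.append({"cmd_pid": pid, "bat": bat.group(1), "relaunched_pid": relaunch[0]})
    return chains


def relaunch_depth(events, image):
    """Largest count of `image` in any instance's ancestry including itself (self-relaunch depth)."""
    by_pid = {e[0]: e for e in events}
    best = 0
    for _pid, ppid, img, _cmd in events:
        if img.lower() != image.lower():
            continue
        depth, cur = 1, ppid
        while cur in by_pid:
            if by_pid[cur][2].lower() == image.lower():
                depth += 1
            cur = by_pid[cur][1]
        best = max(best, depth)
    return best


def analyze(events):
    persistence = [{"pid": pid, "reasons": r} for pid, _, _, cmd in events
                   if (r := persistence_reasons(cmd))]
    return {"persistence": persistence,
            "restart_chains": find_restart_chains(events),
            "relaunch_depth": relaunch_depth(events, INSTALL)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

On the two constructed cycles this reports the three schtasks persistence hits (PIDs 2268, 4824, 2256, each with all three reasons), the two batch-restart chains (cmd.exe 5028 and 2340, each relaunching MinecraftUpdater.exe), and a self-relaunch depth of 3; fed the full tree above it would report depth 15. The restart-chain rule is the more portable of the two, because the sleep-then-relaunch batch does not depend on the task name or install path the operator chose.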
MITRE ATT&CK Enterprise v15
Downloads

Files captured during the run. The report does not pair hashes with file names, but the counts and sizes line up with the process tree: fifteen 217-byte files, one per .bat launched through cmd.exe, and one 3.1MB file whose hashes are identical to the submitted sample, i.e. the dropped MinecraftUpdater.exe is a byte-for-byte copy of intager.exe.

File 1
  Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

File 2
  Filesize: 217B
  MD5: 62410e6491203b64973c131a396fb647
  SHA1: 1948692c0caba3452b4db2c6c5fbdfeb58e4474b
  SHA256: f52e017248a37715a78dbf3d11ce5c8d13da0666eff7167b1d044c60227ebdb1
  SHA512: b34a3a8000b754f9793bbe3585b9659de109e1c170c11b18a995105ab0cc0d676b3c08777e01f761023f1eb1005de7978a3d3f2e5f85c42fdc2771fe00dee6ed

File 3
  Filesize: 217B
  MD5: 9e42a9d9475121cfef38c7e6c04f9099
  SHA1: e32a0168afd13b78eb1d811e1ef5c60076a15ae2
  SHA256: c26d05f5522b0dbb8896ccfa5b7d41cee00cea131375f7a8b579b27f81430b7b
  SHA512: e19d5d9078987b490ef8008321cd00a8b7c850c0d621f9db874973ba70ff02f2da4f74810104dda52fca0a87b4f9325871319d7e237bf77a0dc48f429cde0988

File 4
  Filesize: 217B
  MD5: fceb16984e5247a707ce231e1fcc2026
  SHA1: 006f23cc571c9af2c532a8f95afc6b4ca41b93e3
  SHA256: 616a43145cc71436ed8ad568acccc69116a9b4ca6bf26b52d2f98fd58f8b9084
  SHA512: 315ad4f14efa9119a98320db77896477b6b737946cf937a57c64085d619b7cb0e65fee2cc1510fad64eea57866e0a1bc58ed650f340bc74b3a83647edf4ee335

File 5
  Filesize: 217B
  MD5: e2ce4a2632eb0411ddb4e3290f35eb61
  SHA1: fd4610959acf88eeea18f1f6445b08089cc8284e
  SHA256: e3704d62fb5a5518e703d00131c26f116cac1eb3a1ac3f1b0a3dbd47e1e23725
  SHA512: 5a021ef7685d1efeecef269743b618108d7b6683956b4b2ab658f0ae6b712207b54c996d10364df7ea4572058eda77b2361e594341ed4075571ac2d0843cbde6

File 6
  Filesize: 217B
  MD5: 90322d7f94f32c5ad6ba4b54a6809644
  SHA1: 8712d35c97b7fef2f5d0fe54612ade9dbe0dff6f
  SHA256: aa14f64926115d5d5b211d415eb40fa265a7f7d222f452823e1b1d049a00af1b
  SHA512: 876a8d131063b9668af9a50fdf7472c1cd9b325663f81e38da366563915a33d21cc0cc88659b5c9294ed0e8da55b0ac8123608c6f456a1bf3bf3fe3d86c0f230

File 7
  Filesize: 217B
  MD5: c167b5f6833add4d11d9b8bb2b13d81f
  SHA1: 469a67a314f6bc013bddc76343c906c339ab1eab
  SHA256: dd172a603326a1cdf1b34895f0c8fee4e781fb8ee70937cdd4c97133fae01d7a
  SHA512: dfb9a0234501d69f2af0f86f40cfc5121394feae02704e64da98ee12c3833d0e9cec7ce91261074731dddbe83768b4588f6a0ac5fb98d1e65a3eeb35614a01b8

File 8
  Filesize: 217B
  MD5: 643f8256126218abf89bfc386f0e481f
  SHA1: 0125c8e06dd1011e7be699d8d8fd461b72b3579a
  SHA256: 8f28d4c768d7c4c7bbfb955fcf4236711755a6ad3a1d3d1d3ec819bb1ab6a8e4
  SHA512: 60a1df894b65dff2901f2c121daf747c28ad2c5e50dbfa7205c16601eef6383a733c2ed613015e2640b446965b451ad9b6fc6a2c10c0b0697caddc303552005b

File 9
  Filesize: 217B
  MD5: 4b38839a7c883681551b14cf716aee4b
  SHA1: ebc4505dca42eeecf6b55a4e19316412d4c45c34
  SHA256: c6f3ca91e9ac3e9b4510a7666a44c1553a34f233489d6dfa4d4424a1d915bbb7
  SHA512: d142efa7c03eb790572a2ba264309cdc1d9cb9f45ab40a8e67870eca9f8e2318aff349762323498e769f5a9878624ff9e34c7bdc295aa0035b05b6c4610c3688

File 10
  Filesize: 217B
  MD5: e7297381bcca2337f6a07255a5dd9bc1
  SHA1: 1ea839c96596b4fa4db19371749b656d25d6a21e
  SHA256: 22e18463a8728d0ef1d2c1c92dd73612b67456fcec1502b49fa5d838e3b45c0d
  SHA512: b0fff6bc0ea01c08e8dbede82e6a7542c902676f1aab836066802dd15b62e741e9588cdc71fa1d6710e536b211ad8a0b257365e4989a8f0671998d1345aba469

File 11
  Filesize: 217B
  MD5: 4f97e552ae5347604e410ed7b7d75d86
  SHA1: 0229e3074e55103ca034dfe426256bb96a38b4e3
  SHA256: caba4c63a1a503773bc3ac8d84e4dc2c1af62e5018b1b6e1d929d993cf4e1dcb
  SHA512: 1be4f182e5723174c59b86c4520079f7e722c9fba96a24292359ff7a3c85e19b1f910d7d566f7a81ef6e21fba29ad88b3693424b8e09611e6520ad61cf8342cf

File 12
  Filesize: 217B
  MD5: 3e460e62d63ddd5564ea894e4e0ecdf7
  SHA1: 13630562ca97252788bed3f8ebe80b0d1ca4912f
  SHA256: e20830652831c7ab95e6e66c500bfc2753ad39d0418cf863bbe3ce957aee1ae2
  SHA512: 64b674204c209231180f8b42e874aa03825305d7ad5c31e0d45840e4a70c94a057120df41dff1137048e34ae07219bc1b4e7f980d525f63b78de9c0af1f2aa66

File 13
  Filesize: 217B
  MD5: bc860ed7faf286dc04112049fcb2266f
  SHA1: 9bafc585c3e683964b5223d3c428fb97506751e8
  SHA256: 852643154240a7fd71e6382d1e9bc516b312c7a9c136344837ba9816796eeefa
  SHA512: 8a892115cc6dad1b131c8c833cd6a109dbf200243596f08ad5f8446a87c4818c2e070723a0cdb71291e940d8d0963e4743bac748adcb98da0d4884b757c69b29

File 14
  Filesize: 217B
  MD5: 1028293e90b203542991d5135c9aa535
  SHA1: 388c4fbc0f60a5406a296befb416c372ea7f67af
  SHA256: 28c437a20b27f8d002f9e21c4074d9369e98a7456f590f385b40af6ea3f5f5aa
  SHA512: a1ff40704c79f35f097aedd56aa63e9ffe6ff87c63081a8bca90f97eedb302edca1fc6d3adc5aa621d73a46b6a704bf362f40d7963df23dc020baac08da2c27d

File 15
  Filesize: 217B
  MD5: c670e5f4d6f78973523d6701a5cc59eb
  SHA1: fd83b581379e32b5313b4a54f6f4579ca3213acc
  SHA256: 805f90ffcfef1bbcfb2f2447d308717034650b44df57ffacb1aa34004f2e7bd4
  SHA512: 49a82c01c09942e4d02d43c63bf460bb9c336b4f968ccf7180e3f50699de9ab136f4b62c7ce7eb8f8afd57cae4b9383bda472b402dd31ac8354276973809b561

File 16
  Filesize: 217B
  MD5: 33c13b15e5d294983530294abe5f373d
  SHA1: 847e4badb37773cb53562aecd03783ff7feea1a5
  SHA256: e704f8c1f6ffcfda4400d625e654c0c8eef9679b8c209fd7083db03ed17ccd8b
  SHA512: df6e4c5422badf30f8cea10638a05b7dc28f9e62c15f6d72d705e52a9cfde75e444d9395e39461346e1a31871f6f86a4b8bcc34cd110b19750625a674f0990f6

File 17 (identical to the submitted sample)
  Filesize: 3.1MB
  MD5: 5d0bfe1b693c6fd64a77d4b5fb028ade
  SHA1: e080ec222e7e6ef23a1d57493399e9fcc8aff537
  SHA256: 1b9abaa17e10d390aa0402d09635814641f3194ac18b6d5ddad825c45f7245f4
  SHA512: 5010ba377b66360cca843b497f0b5b3cdf98b7d72a435d7a4e150c2bec4e02243db3b9ffb6e8b815009f1fc0bad510ef5dc8e302bc28083031adae044c20c51d