Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18-12-2024 03:09

Behavioral task behavioral1: sample intager.exe, resource win10v2004-20241007-en
Behavioral task behavioral2: sample intager.exe, resource win11-20241007-en
General
Target: intager.exe
Size: 3.1MB
MD5: 5d0bfe1b693c6fd64a77d4b5fb028ade
SHA1: e080ec222e7e6ef23a1d57493399e9fcc8aff537
SHA256: 1b9abaa17e10d390aa0402d09635814641f3194ac18b6d5ddad825c45f7245f4
SHA512: 5010ba377b66360cca843b497f0b5b3cdf98b7d72a435d7a4e150c2bec4e02243db3b9ffb6e8b815009f1fc0bad510ef5dc8e302bc28083031adae044c20c51d
SSDEEP: 49152:TvtD/2oga6ctePEl3s3jn7HZkgPBgzMgbRwLoGdz7THHB72eh2NT:TvR/2oga6ctePEl3s3L7HZkgPBgzM3
Malware Config
Extracted
Family: quasar
Version: 1.4.1
minecraft_updater
https://pastebin.com/raw/vxJGbg64:33006
4d29c496-7884-4de7-a5a8-82e57928b74a
Attributes:
  encryption_key: C5904FDD788EA00F921C538B9FE80C0B0A0DE728
  install_name: MinecraftUpdater.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: MinecraftUpdater
  subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
  resource: behavioral2/memory/2860-1-0x0000000000500000-0x0000000000824000-memory.dmp, yara_rule: family_quasar
  resource: behavioral2/files/0x001b00000002ab53-6.dat, yara_rule: family_quasar
Executes dropped EXE (15 IoCs)
  MinecraftUpdater.exe, PIDs: 4980, 4360, 2560, 3444, 3380, 708, 4756, 2092, 1672, 3832, 832, 4364, 1976, 3900, 3716
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE, PIDs: 2368, 840, 4652, 2132, 788, 984, 4208, 224, 1164, 1068, 4720, 1156, 1288, 4924, 4860
Runs ping.exe (1 TTPs, 15 IoCs)
  PING.EXE, PIDs: 788, 984, 1164, 1288, 4652, 224, 840, 2132, 1156, 4860, 4924, 1068, 4208, 4720, 2368
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe, PIDs: 4204, 2060, 4572, 2580, 3108, 4224, 3516, 2820, 1536, 1480, 3768, 4512, 3632, 3880, 4828, 2704
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege
  intager.exe, PID: 2860
  MinecraftUpdater.exe, PIDs: 4980, 4360, 2560, 3444, 3380, 708, 4756, 2092, 1672, 3832, 832, 4364, 1976, 3900, 3716
Suspicious use of WriteProcessMemory (64 IoCs)
  Format: source PID and process -> target PID (procid_target); every write is reported twice, so each pair below counts as two IoCs.
  2860 intager.exe -> 4204 (77)
  2860 intager.exe -> 4980 (79)
  4980 MinecraftUpdater.exe -> 3632 (80)
  4980 MinecraftUpdater.exe -> 3752 (82)
  3752 cmd.exe -> 1284 (84)
  3752 cmd.exe -> 788 (85)
  3752 cmd.exe -> 4360 (86)
  4360 MinecraftUpdater.exe -> 3108 (87)
  4360 MinecraftUpdater.exe -> 4180 (89)
  4180 cmd.exe -> 3832 (91)
  4180 cmd.exe -> 4924 (92)
  4180 cmd.exe -> 2560 (93)
  2560 MinecraftUpdater.exe -> 1536 (94)
  2560 MinecraftUpdater.exe -> 1040 (96)
  1040 cmd.exe -> 3492 (98)
  1040 cmd.exe -> 1068 (99)
  1040 cmd.exe -> 3444 (100)
  3444 MinecraftUpdater.exe -> 1480 (101)
  3444 MinecraftUpdater.exe -> 3468 (103)
  3468 cmd.exe -> 4364 (105)
  3468 cmd.exe -> 984 (106)
  3468 cmd.exe -> 3380 (107)
  3380 MinecraftUpdater.exe -> 3880 (108)
  3380 MinecraftUpdater.exe -> 5040 (110)
  5040 cmd.exe -> 412 (112)
  5040 cmd.exe -> 4208 (113)
  5040 cmd.exe -> 708 (114)
  708 MinecraftUpdater.exe -> 4224 (115)
  708 MinecraftUpdater.exe -> 1224 (117)
  1224 cmd.exe -> 4388 (119)
  1224 cmd.exe -> 4720 (120)
  1224 cmd.exe -> 4756 (121)
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(level = depth in the process tree; each entry gives PID, image path, command line and the signatures that process triggered)

[level 1] PID 2860  C:\Users\Admin\AppData\Local\Temp\intager.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\intager.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 2] PID 4204  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 2] PID 4980  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 3] PID 3632  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 3] PID 3752  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OK2He0aTidgb.bat" "
  signatures: Suspicious use of WriteProcessMemory
[level 4] PID 1284  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 4] PID 788  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 4] PID 4360  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 5] PID 3108  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 5] PID 4180  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e15EoPNkuY4v.bat" "
  signatures: Suspicious use of WriteProcessMemory
[level 6] PID 3832  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 6] PID 4924  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 6] PID 2560  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 7] PID 1536  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 7] PID 1040  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NxogcVQ5PsSN.bat" "
  signatures: Suspicious use of WriteProcessMemory
[level 8] PID 3492  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 8] PID 1068  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 8] PID 3444  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 9] PID 1480  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 9] PID 3468  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dNPcyhFcy40g.bat" "
  signatures: Suspicious use of WriteProcessMemory
[level 10] PID 4364  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 10] PID 984  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 10] PID 3380  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 11] PID 3880  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 11] PID 5040  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jc6IQt4skuQb.bat" "
  signatures: Suspicious use of WriteProcessMemory
[level 12] PID 412  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 12] PID 4208  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 12] PID 708  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 13] PID 4224  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 13] PID 1224  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\56AJuYcrnYK0.bat" "
  signatures: Suspicious use of WriteProcessMemory
[level 14] PID 4388  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 14] PID 4720  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 14] PID 4756  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 15] PID 4828  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 15] PID 3480  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSoj19MfaK44.bat" "
[level 16] PID 1496  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 16] PID 224  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 16] PID 2092  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 17] PID 3516  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 17] PID 3600  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YDmahTOAtK9V.bat" "
[level 18] PID 336  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 18] PID 2368  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 18] PID 1672  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 19] PID 2704  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 19] PID 4984  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2oHLarYRhCei.bat" "
[level 20] PID 4728  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 20] PID 840  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 20] PID 3832  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 21] PID 2060  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 21] PID 2772  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\al64JEoDdS2T.bat" "
[level 22] PID 3156  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 22] PID 4652  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 22] PID 832  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 23] PID 3768  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 23] PID 4836  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEc9ifVcExWT.bat" "
[level 24] PID 4240  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 24] PID 2132  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 24] PID 4364  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 25] PID 2820  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 25] PID 2692  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hth4cjrVaWd1.bat" "
[level 26] PID 2916  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 26] PID 1164  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 26] PID 1976  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 27] PID 4572  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 27] PID 3820  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cupNombPBnKs.bat" "
[level 28] PID 4880  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 28] PID 4860  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 28] PID 3900  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 29] PID 2580  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 29] PID 4660  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KnBZ6tUCVykZ.bat" "
[level 30] PID 3988  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 30] PID 1156  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[level 30] PID 3716  C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[level 31] PID 4512  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[level 31] PID 4020  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSUuT1sePKRI.bat" "
[level 32] PID 4776  C:\Windows\system32\chcp.com
  cmdline: chcp 65001
[level 32] PID 1288  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Downloads