quasar | 211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/02/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Size

431KB
MD5

cb593528c628b13296746bfd449ab801
SHA1

a7de38df3678915f2df0f741dea35a55434c4a26
SHA256

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc
SHA512

8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa
SSDEEP

6144:BI6bPXhLApfpKcjF36bbGXUM1dz0i205u4S26uI:WmhApnFKKt0i205Yz

Score

10^/10

quasar test discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test

10.0.2.2:4782:4782

Mutex

QSR_MUTEX_uLG4ZRVYEfBangYb5F

Attributes

encryption_key
mcNXfsvLp0Hjh0KA2uyx
install_name
Javaupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
JavaUpdater

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	10	ip-api.com	Process not Found
	16	ip-api.com	Process not Found
	2	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe

Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral1/memory/2124-1-0x00000000000F0000-0x0000000000162000-memory.dmp	family_quasar
behavioral1/files/0x0034000000016d64-5.dat	family_quasar
behavioral1/memory/2828-10-0x0000000000840000-0x00000000008B2000-memory.dmp	family_quasar
behavioral1/memory/2060-32-0x0000000000180000-0x00000000001F2000-memory.dmp	family_quasar
behavioral1/memory/2460-51-0x0000000000C90000-0x0000000000D02000-memory.dmp	family_quasar
behavioral1/memory/1824-70-0x0000000000C90000-0x0000000000D02000-memory.dmp	family_quasar
behavioral1/memory/1752-89-0x0000000000E90000-0x0000000000F02000-memory.dmp	family_quasar
behavioral1/memory/2276-108-0x0000000000190000-0x0000000000202000-memory.dmp	family_quasar
behavioral1/memory/380-127-0x0000000000940000-0x00000000009B2000-memory.dmp	family_quasar
behavioral1/memory/2344-145-0x0000000000EE0000-0x0000000000F52000-memory.dmp	family_quasar
behavioral1/memory/1536-155-0x0000000001340000-0x00000000013B2000-memory.dmp	family_quasar
behavioral1/memory/2616-165-0x0000000001340000-0x00000000013B2000-memory.dmp	family_quasar
behavioral1/memory/2580-175-0x0000000000050000-0x00000000000C2000-memory.dmp	family_quasar
behavioral1/memory/2840-185-0x0000000001320000-0x0000000001392000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2828	Javaupdater.exe
2060	Javaupdater.exe
2460	Javaupdater.exe
1824	Javaupdater.exe
1752	Javaupdater.exe
2276	Javaupdater.exe
380	Javaupdater.exe
2344	Javaupdater.exe
1536	Javaupdater.exe
2616	Javaupdater.exe
2580	Javaupdater.exe
2840	Javaupdater.exe

Loads dropped DLL 64 IoCs

pid	Process
2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2988	cmd.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
2848	cmd.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
956	cmd.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
280	cmd.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2596	cmd.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
1580	cmd.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
1600	cmd.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2956	cmd.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
2692	cmd.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
2340	cmd.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
2276	2828	WerFault.exe	33
380	2060	WerFault.exe	41
1372	2460	WerFault.exe	49
2408	1824	WerFault.exe	57
2544	1752	WerFault.exe	65
2860	2276	WerFault.exe	73
2320	380	WerFault.exe	81
2164	2344	WerFault.exe	89
932	1536	WerFault.exe	98
352	2616	WerFault.exe	106
2588	2580	WerFault.exe	114
2100	2840	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1976	PING.EXE
2900	PING.EXE
1604	PING.EXE
1092	PING.EXE
1936	PING.EXE
760	PING.EXE
2768	PING.EXE
2252	PING.EXE
2552	PING.EXE
2204	PING.EXE
1112	PING.EXE
2128	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1112	PING.EXE
2128	PING.EXE
1936	PING.EXE
760	PING.EXE
1976	PING.EXE
2900	PING.EXE
1604	PING.EXE
2204	PING.EXE
1092	PING.EXE
2768	PING.EXE
2252	PING.EXE
2552	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
408	schtasks.exe
804	schtasks.exe
1972	schtasks.exe
2980	schtasks.exe
2136	schtasks.exe
1240	schtasks.exe
2040	schtasks.exe
2744	schtasks.exe
2180	schtasks.exe
1596	schtasks.exe
2872	schtasks.exe
1304	schtasks.exe
3000	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Token: SeDebugPrivilege	2828	Javaupdater.exe
Token: SeDebugPrivilege	2060	Javaupdater.exe
Token: SeDebugPrivilege	2460	Javaupdater.exe
Token: SeDebugPrivilege	1824	Javaupdater.exe
Token: SeDebugPrivilege	1752	Javaupdater.exe
Token: SeDebugPrivilege	2276	Javaupdater.exe
Token: SeDebugPrivilege	380	Javaupdater.exe
Token: SeDebugPrivilege	2344	Javaupdater.exe
Token: SeDebugPrivilege	1536	Javaupdater.exe
Token: SeDebugPrivilege	2616	Javaupdater.exe
Token: SeDebugPrivilege	2580	Javaupdater.exe
Token: SeDebugPrivilege	2840	Javaupdater.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2828	Javaupdater.exe
2060	Javaupdater.exe
2460	Javaupdater.exe
1824	Javaupdater.exe
1752	Javaupdater.exe
2276	Javaupdater.exe
380	Javaupdater.exe
2344	Javaupdater.exe
1536	Javaupdater.exe
2616	Javaupdater.exe
2580	Javaupdater.exe
2840	Javaupdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2136	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2124 wrote to memory of 2136	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2124 wrote to memory of 2136	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2124 wrote to memory of 2136	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2124 wrote to memory of 2828	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	33
PID 2124 wrote to memory of 2828	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	33
PID 2124 wrote to memory of 2828	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	33
PID 2124 wrote to memory of 2828	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	33
PID 2124 wrote to memory of 2828	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	33
PID 2124 wrote to memory of 2828	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	33
PID 2124 wrote to memory of 2828	2124	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	33
PID 2828 wrote to memory of 3000	2828	Javaupdater.exe	34
PID 2828 wrote to memory of 3000	2828	Javaupdater.exe	34
PID 2828 wrote to memory of 3000	2828	Javaupdater.exe	34
PID 2828 wrote to memory of 3000	2828	Javaupdater.exe	34
PID 2828 wrote to memory of 2988	2828	Javaupdater.exe	36
PID 2828 wrote to memory of 2988	2828	Javaupdater.exe	36
PID 2828 wrote to memory of 2988	2828	Javaupdater.exe	36
PID 2828 wrote to memory of 2988	2828	Javaupdater.exe	36
PID 2828 wrote to memory of 2276	2828	Javaupdater.exe	38
PID 2828 wrote to memory of 2276	2828	Javaupdater.exe	38
PID 2828 wrote to memory of 2276	2828	Javaupdater.exe	38
PID 2828 wrote to memory of 2276	2828	Javaupdater.exe	38
PID 2988 wrote to memory of 2648	2988	cmd.exe	39
PID 2988 wrote to memory of 2648	2988	cmd.exe	39
PID 2988 wrote to memory of 2648	2988	cmd.exe	39
PID 2988 wrote to memory of 2648	2988	cmd.exe	39
PID 2988 wrote to memory of 2128	2988	cmd.exe	40
PID 2988 wrote to memory of 2128	2988	cmd.exe	40
PID 2988 wrote to memory of 2128	2988	cmd.exe	40
PID 2988 wrote to memory of 2128	2988	cmd.exe	40
PID 2988 wrote to memory of 2060	2988	cmd.exe	41
PID 2988 wrote to memory of 2060	2988	cmd.exe	41
PID 2988 wrote to memory of 2060	2988	cmd.exe	41
PID 2988 wrote to memory of 2060	2988	cmd.exe	41
PID 2988 wrote to memory of 2060	2988	cmd.exe	41
PID 2988 wrote to memory of 2060	2988	cmd.exe	41
PID 2988 wrote to memory of 2060	2988	cmd.exe	41
PID 2060 wrote to memory of 1240	2060	Javaupdater.exe	42
PID 2060 wrote to memory of 1240	2060	Javaupdater.exe	42
PID 2060 wrote to memory of 1240	2060	Javaupdater.exe	42
PID 2060 wrote to memory of 1240	2060	Javaupdater.exe	42
PID 2060 wrote to memory of 2848	2060	Javaupdater.exe	44
PID 2060 wrote to memory of 2848	2060	Javaupdater.exe	44
PID 2060 wrote to memory of 2848	2060	Javaupdater.exe	44
PID 2060 wrote to memory of 2848	2060	Javaupdater.exe	44
PID 2060 wrote to memory of 380	2060	Javaupdater.exe	45
PID 2060 wrote to memory of 380	2060	Javaupdater.exe	45
PID 2060 wrote to memory of 380	2060	Javaupdater.exe	45
PID 2060 wrote to memory of 380	2060	Javaupdater.exe	45
PID 2848 wrote to memory of 1028	2848	cmd.exe	47
PID 2848 wrote to memory of 1028	2848	cmd.exe	47
PID 2848 wrote to memory of 1028	2848	cmd.exe	47
PID 2848 wrote to memory of 1028	2848	cmd.exe	47
PID 2848 wrote to memory of 1936	2848	cmd.exe	48
PID 2848 wrote to memory of 1936	2848	cmd.exe	48
PID 2848 wrote to memory of 1936	2848	cmd.exe	48
PID 2848 wrote to memory of 1936	2848	cmd.exe	48
PID 2848 wrote to memory of 2460	2848	cmd.exe	49
PID 2848 wrote to memory of 2460	2848	cmd.exe	49
PID 2848 wrote to memory of 2460	2848	cmd.exe	49
PID 2848 wrote to memory of 2460	2848	cmd.exe	49
PID 2848 wrote to memory of 2460	2848	cmd.exe	49
PID 2848 wrote to memory of 2460	2848	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
"C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2136
- C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
  "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tFwyNVQQi2J3.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2128
  - - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
      "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PxDvZQnwJCmS.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1936
      - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sjPeqnMupSDX.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NRga1ijQRcgw.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3lSLQWNQBF6d.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQ0Rio2qr4iV.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2hrP1AWNhc9X.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rb9xfrRrbiWW.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y85frb2GX1JW.bat" "
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ikg02QWEIkwj.bat" "
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\u3f0fU0uXZfW.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BB7W47socLPp.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1424
        25⤵
        Program crash
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1424
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1428
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1428
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1388
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1452
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1444
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1452
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1420
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1428
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1428
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 1472
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2hrP1AWNhc9X.bat

Filesize
217B

MD5
43ef1f273f881576abb97a4b172b687f

SHA1
738ad49d52ba5573ab8603490b9f4503b115eda2

SHA256
88e73e9ef77cbb0e74dfc43128c24a11075dce9e2907f5d727b04685b6871cdc

SHA512
0a04a3adcbaf49da74acc3aeb8beaa3f6138b9b1924bfefa6391f0d251d135227d19d65e8e8a31eb6a1d06ba2008a4f1186619d76119276b4e865807d27d26de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3lSLQWNQBF6d.bat

Filesize
217B

MD5
87665c8ca3f7aaaf91f4eb248aff3f34

SHA1
835b5414161279f529220efed6c92feefdc5fa01

SHA256
1cc1a23e40768f0be80dea4f7ee86b8fc4da809ec7a30fd7f958b3baab0ca8e8

SHA512
a6bc3a9b6a74eac2e736128909d987a4d0f7708d294dcdb56695994857274bd43f7eb2fea332fcd47a10879bfa8624e50fbf16fa6fc9467a5c9062da8112b1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB7W47socLPp.bat

Filesize
217B

MD5
2828c585c0ace24dd843b728fb73845e

SHA1
c143eba2859a348c5120dce973280e93169aaac4

SHA256
d9c02c504569f2cd530b22d37264e4e3c3221d200a2f7731c2cc45be3007e9cc

SHA512
3bd6850254219a64ef8a09dc374ea4ef0d7bc423735d1271bdc3543f1bbfe09c6f7d130ab613cd48059559e1f94d1efea0e3118349c20dec0462c33dee0750f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikg02QWEIkwj.bat

Filesize
217B

MD5
5f323c235d134bfceb2ae68336daeb39

SHA1
6190a64f020e7b2632af7a0dc78b8df82757ad52

SHA256
762aa25a59828dee356d58615e2c213e58775528d7748cbbf9d63bb69992655c

SHA512
199808622bdb0e5b7c1cdaeff92a1e458c40f22434ed32dbda7c74eb3bbcc1a8014246a752253fa0629ab1b1b83ff16350180a9a6fce3e30e9780d15855848a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQ0Rio2qr4iV.bat

Filesize
217B

MD5
efbcc1265f5e17bd22dfbd4f69d2d37c

SHA1
e419675452b6cef6405f84129153c1055a1479d5

SHA256
1fe4887fdab12248f0da12766913449ae83f3a11a80e1d55ab9b5010cbe3f02a

SHA512
77827c2c8f8c539b6a7bfa05608f7c5a8eb511b313842b71037d1126022a0e428f5c705ff91676131f9e59f5ae6e8bce646f79afbb164d25184fceed8e9d1199

Download Submit
C:\Users\Admin\AppData\Local\Temp\NRga1ijQRcgw.bat

Filesize
217B

MD5
a173f6207b6db431d8cfa4d020ced939

SHA1
75b7b019d75bb58156477dcf0e9351e7ec9ae419

SHA256
64c6a26163ebc34848f2822aac962cad6acbf022513429479e224abdf5a651a2

SHA512
394565ecc1c06f1e2e7fd7e5e4be2383f316a5a6a5d211d79ce6390f1586f3f37a28ec0b9914cc74bf4e825d392d3fe75d60731d28c776fb664fa0f3b1a9f06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PxDvZQnwJCmS.bat

Filesize
217B

MD5
3674471dce8243425a704ea4327fc7df

SHA1
2b243d8239886b81ec7c10ba0ab2e3767d6ea7c4

SHA256
5e9eb8f90cee28d64ecffb9c0e5d7e78a847e69f0ed99bac0b8a8d28a693fe64

SHA512
76a18424377683a3ed3e10b5e9066fc334efcc56d0862de0e890d72a79b2d1fdce7527310c4c403b41070ebee91849258ef08c1471226a8b613ce78ca6a399df

Download Submit
C:\Users\Admin\AppData\Local\Temp\rb9xfrRrbiWW.bat

Filesize
217B

MD5
9fe7f7ba5ff79ab494b470e4632207d6

SHA1
ab144403791f4917e9cda234a76b8de82e6114ad

SHA256
1973fd18fcf41d9ab09298d7544a1696c52aaacd88623aee19b91a13989cac41

SHA512
22c8c8457e467da0a477029497460b3d9994f0024c3cfbc33bcbf450c03b408327ca35980ddc135ed3e6eec4f12ba04d7b76db114f1ff96a17abac610adc341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjPeqnMupSDX.bat

Filesize
217B

MD5
7726afb3d54b7aa863a31f203f813713

SHA1
95f10522b8880ade2673fcb9ce92032edaa0cdce

SHA256
07c8310e5d5682e703ce84716788a50e57f993d5dc37707922ba8441238760ff

SHA512
31f87e9b18f182322e4933960b446fafb815c4f7dd02905d19fe331451da33ea6eb97d7febfb0a294f22f86603b3034e4cef228ee61d64f30b5c14e042c60da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tFwyNVQQi2J3.bat

Filesize
217B

MD5
93144a7de4aa04de99359da10a2d22ae

SHA1
b2a46ee2eff541abbfce76eac79c7b912762bdef

SHA256
7737bdecbf19acd23bc15806ce0bdb4481ef74a77269dd44a812c4fc8131332f

SHA512
6cccf7cb720c9e7c3f5fbe785316a5b0d0d96776e5db1e40190db00fef76d7d6d2ea13d925eb2e3285713ad21638fe34b2dfb43635bec404a782fba366ef31bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3f0fU0uXZfW.bat

Filesize
217B

MD5
f9d9a76bd5378da9a3e30c4aa929cff4

SHA1
8ade0a7b1157cbefd4e852e22cc6488d74b5ea3c

SHA256
48931c9106aab1e6901d39fe84d2e0ad4064d8016224024274bc0e7d1203e89c

SHA512
5d85cd841a6789baa10c8a7496a6c68341cfde088df8f4e72e5a21a716d43a6fe39f251f6a8cdad7ba8e5ebcbb39314bfa4b7edf10bc8cb0176fe8bc9e0118fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\y85frb2GX1JW.bat

Filesize
217B

MD5
a0220e759d6c763957625859d7b2dbb0

SHA1
014422e165d5d7fc26d9617737d31b072be404d2

SHA256
dab691b0aa8b0bf9a01e5517498291376a4b36f72fcdb3c3fb94bf33e06d1799

SHA512
206a66eb4dccea82fd54abe72deb9abca8125721f298cf99de549c0584ff05888d6a8894c42fb8b42b6431a8fdc48f4bb16df1f16c91b6b01af7e47dea8ab094

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
e5a634dd93c166bffd849d5940ba0cc3

SHA1
dc12292eb487beb918ffd876aa3329549b260e07

SHA256
f50352d3bd075a03dc6c2cd144c82bd8648902d3e59eb5dcaaa75b2e3052732a

SHA512
f9642749faddbef062b0286da5e4ee4f3f110d0705cafdecffcdec0a8a5a24aecd98d7dd5b2abfeff3edb89b8e73a552dd3fd6cf31ff7bbeab24cf897d35c840

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
1eb0fe04489dee5c9794ce91f982ceaa

SHA1
419fff50415f3e23161d126ca67974ca8abb6638

SHA256
ec7e12b92dba8f9fd035b5d90c24652a724fd87c19bf3f30abf26e7c1f6d6972

SHA512
7dedab09d507a75da828475c160a02889754bdbdd5ee5c707829b9e9df8842700b1f90d78cd40da40af6060a27723bc0fca1f55875332bb2a2cdd9e3fd7a4fee

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
b43330b35b487a3a802f7a6c62c30e2d

SHA1
4b0ef13840c73cdbe008494deb51ccfe4b73c69f

SHA256
ec494f558df92af17704757818007d1e0ee1e55d607362d296f38b5c7a42b320

SHA512
fa2b46ed2c5128a401d9ab87703e92c000a89eea95ba19c5157a51a0324543da1e02ece83cd194320787e93407701c5be9c6703b09d86456c1dc3a1e208bff0a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
73ab9c9b7ca6f1aa044e90b7765dd583

SHA1
8de692074d818fa76619e662dcf4e51016dbe903

SHA256
8559fddd93809282244c2d2e4283a9432eb73ce71537281bc4bd40d50ca68866

SHA512
31c56f40fe0e7858c3b792ca7c2ac7206d8ed234b7b2ca5ea651bf666f2ba416e0fd3391ecdf1e6fe3bce561ffaead2ac24c76ecc51b2a87902f61598442293d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
9e59192796212378c36ddb3625bceb47

SHA1
ffecc15a36e269e0d293667c67f0b45315140599

SHA256
2721233e4886c15d765265376a399fc9a476243402073c62955610ec2d003064

SHA512
af8f8267e3013f515b69ccddeb443464dc139b945a51246adb37a8d91c53d1c4d6619ed96eab1919124b610e915caecdec9df6017642ebcffa59ae95c77af86b

Download Submit
\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe

Filesize
431KB

MD5
cb593528c628b13296746bfd449ab801

SHA1
a7de38df3678915f2df0f741dea35a55434c4a26

SHA256
211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

SHA512
8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa

Download Submit
memory/380-127-0x0000000000940000-0x00000000009B2000-memory.dmp

Filesize
456KB

Download
memory/1536-155-0x0000000001340000-0x00000000013B2000-memory.dmp

Filesize
456KB

Download
memory/1752-89-0x0000000000E90000-0x0000000000F02000-memory.dmp

Filesize
456KB

Download
memory/1824-70-0x0000000000C90000-0x0000000000D02000-memory.dmp

Filesize
456KB

Download
memory/2060-32-0x0000000000180000-0x00000000001F2000-memory.dmp

Filesize
456KB

Download
memory/2124-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2124-2-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-1-0x00000000000F0000-0x0000000000162000-memory.dmp

Filesize
456KB

Download
memory/2124-12-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-108-0x0000000000190000-0x0000000000202000-memory.dmp

Filesize
456KB

Download
memory/2344-145-0x0000000000EE0000-0x0000000000F52000-memory.dmp

Filesize
456KB

Download
memory/2460-51-0x0000000000C90000-0x0000000000D02000-memory.dmp

Filesize
456KB

Download
memory/2580-175-0x0000000000050000-0x00000000000C2000-memory.dmp

Filesize
456KB

Download
memory/2616-165-0x0000000001340000-0x00000000013B2000-memory.dmp

Filesize
456KB

Download
memory/2828-29-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-11-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-13-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-10-0x0000000000840000-0x00000000008B2000-memory.dmp

Filesize
456KB

Download
memory/2840-185-0x0000000001320000-0x0000000001392000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads