quasar | 211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Size

431KB
MD5

cb593528c628b13296746bfd449ab801
SHA1

a7de38df3678915f2df0f741dea35a55434c4a26
SHA256

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc
SHA512

8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa
SSDEEP

6144:BI6bPXhLApfpKcjF36bbGXUM1dz0i205u4S26uI:WmhApnFKKt0i205Yz

Score

10^/10

quasar test discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test

10.0.2.2:4782:4782

Mutex

QSR_MUTEX_uLG4ZRVYEfBangYb5F

Attributes

encryption_key
mcNXfsvLp0Hjh0KA2uyx
install_name
Javaupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
JavaUpdater

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
	15	ip-api.com	Process not Found
	47	ip-api.com	Process not Found
	59	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2156-1-0x0000000000A70000-0x0000000000AE2000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023d0c-11.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Javaupdater.exe

Executes dropped EXE 14 IoCs

pid	Process
1888	Javaupdater.exe
2712	Javaupdater.exe
3100	Javaupdater.exe
1952	Javaupdater.exe
3576	Javaupdater.exe
4528	Javaupdater.exe
3992	Javaupdater.exe
4408	Javaupdater.exe
2444	Javaupdater.exe
1736	Javaupdater.exe
1884	Javaupdater.exe
2604	Javaupdater.exe
1520	Javaupdater.exe
4804	Javaupdater.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\Javaupdater.exe\""	Javaupdater.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
47	ip-api.com
59	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
408	1888	WerFault.exe	91
1652	2712	WerFault.exe	101
4868	3100	WerFault.exe	110
3800	1952	WerFault.exe	122
4908	3576	WerFault.exe	131
1764	4528	WerFault.exe	140
3332	3992	WerFault.exe	150
4028	4408	WerFault.exe	159
4312	2444	WerFault.exe	168
4892	1736	WerFault.exe	177
1808	1884	WerFault.exe	186
3156	2604	WerFault.exe	195
4860	1520	WerFault.exe	204
4376	4804	WerFault.exe	213

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3276	PING.EXE
32	PING.EXE
4392	PING.EXE
5112	PING.EXE
4644	PING.EXE
3180	PING.EXE
1872	PING.EXE
2648	PING.EXE
4232	PING.EXE
4664	PING.EXE
1012	PING.EXE
3292	PING.EXE
4628	PING.EXE
4740	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4392	PING.EXE
5112	PING.EXE
4644	PING.EXE
3180	PING.EXE
1872	PING.EXE
4740	PING.EXE
32	PING.EXE
1012	PING.EXE
3292	PING.EXE
4628	PING.EXE
2648	PING.EXE
4232	PING.EXE
3276	PING.EXE
4664	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3204	schtasks.exe
3972	schtasks.exe
4804	schtasks.exe
4080	schtasks.exe
4804	schtasks.exe
4832	schtasks.exe
1968	schtasks.exe
3608	schtasks.exe
384	schtasks.exe
3956	schtasks.exe
3372	schtasks.exe
4500	schtasks.exe
228	schtasks.exe
4640	schtasks.exe
116	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Token: SeDebugPrivilege	1888	Javaupdater.exe
Token: SeDebugPrivilege	2712	Javaupdater.exe
Token: SeDebugPrivilege	3100	Javaupdater.exe
Token: SeDebugPrivilege	1952	Javaupdater.exe
Token: SeDebugPrivilege	3576	Javaupdater.exe
Token: SeDebugPrivilege	4528	Javaupdater.exe
Token: SeDebugPrivilege	3992	Javaupdater.exe
Token: SeDebugPrivilege	4408	Javaupdater.exe
Token: SeDebugPrivilege	2444	Javaupdater.exe
Token: SeDebugPrivilege	1736	Javaupdater.exe
Token: SeDebugPrivilege	1884	Javaupdater.exe
Token: SeDebugPrivilege	2604	Javaupdater.exe
Token: SeDebugPrivilege	1520	Javaupdater.exe
Token: SeDebugPrivilege	4804	Javaupdater.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1888	Javaupdater.exe
2712	Javaupdater.exe
3100	Javaupdater.exe
1952	Javaupdater.exe
3576	Javaupdater.exe
4528	Javaupdater.exe
3992	Javaupdater.exe
4408	Javaupdater.exe
2444	Javaupdater.exe
1736	Javaupdater.exe
1884	Javaupdater.exe
2604	Javaupdater.exe
1520	Javaupdater.exe
4804	Javaupdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4804	2156	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	89
PID 2156 wrote to memory of 4804	2156	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	89
PID 2156 wrote to memory of 4804	2156	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	89
PID 2156 wrote to memory of 1888	2156	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	91
PID 2156 wrote to memory of 1888	2156	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	91
PID 2156 wrote to memory of 1888	2156	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	91
PID 1888 wrote to memory of 3204	1888	Javaupdater.exe	92
PID 1888 wrote to memory of 3204	1888	Javaupdater.exe	92
PID 1888 wrote to memory of 3204	1888	Javaupdater.exe	92
PID 1888 wrote to memory of 384	1888	Javaupdater.exe	94
PID 1888 wrote to memory of 384	1888	Javaupdater.exe	94
PID 1888 wrote to memory of 384	1888	Javaupdater.exe	94
PID 384 wrote to memory of 4060	384	cmd.exe	97
PID 384 wrote to memory of 4060	384	cmd.exe	97
PID 384 wrote to memory of 4060	384	cmd.exe	97
PID 384 wrote to memory of 5112	384	cmd.exe	99
PID 384 wrote to memory of 5112	384	cmd.exe	99
PID 384 wrote to memory of 5112	384	cmd.exe	99
PID 384 wrote to memory of 2712	384	cmd.exe	101
PID 384 wrote to memory of 2712	384	cmd.exe	101
PID 384 wrote to memory of 2712	384	cmd.exe	101
PID 2712 wrote to memory of 4832	2712	Javaupdater.exe	102
PID 2712 wrote to memory of 4832	2712	Javaupdater.exe	102
PID 2712 wrote to memory of 4832	2712	Javaupdater.exe	102
PID 2712 wrote to memory of 4808	2712	Javaupdater.exe	104
PID 2712 wrote to memory of 4808	2712	Javaupdater.exe	104
PID 2712 wrote to memory of 4808	2712	Javaupdater.exe	104
PID 4808 wrote to memory of 1356	4808	cmd.exe	107
PID 4808 wrote to memory of 1356	4808	cmd.exe	107
PID 4808 wrote to memory of 1356	4808	cmd.exe	107
PID 4808 wrote to memory of 4644	4808	cmd.exe	109
PID 4808 wrote to memory of 4644	4808	cmd.exe	109
PID 4808 wrote to memory of 4644	4808	cmd.exe	109
PID 4808 wrote to memory of 3100	4808	cmd.exe	110
PID 4808 wrote to memory of 3100	4808	cmd.exe	110
PID 4808 wrote to memory of 3100	4808	cmd.exe	110
PID 3100 wrote to memory of 3956	3100	Javaupdater.exe	111
PID 3100 wrote to memory of 3956	3100	Javaupdater.exe	111
PID 3100 wrote to memory of 3956	3100	Javaupdater.exe	111
PID 3100 wrote to memory of 4456	3100	Javaupdater.exe	113
PID 3100 wrote to memory of 4456	3100	Javaupdater.exe	113
PID 3100 wrote to memory of 4456	3100	Javaupdater.exe	113
PID 4456 wrote to memory of 4872	4456	cmd.exe	116
PID 4456 wrote to memory of 4872	4456	cmd.exe	116
PID 4456 wrote to memory of 4872	4456	cmd.exe	116
PID 4456 wrote to memory of 3292	4456	cmd.exe	118
PID 4456 wrote to memory of 3292	4456	cmd.exe	118
PID 4456 wrote to memory of 3292	4456	cmd.exe	118
PID 4456 wrote to memory of 1952	4456	cmd.exe	122
PID 4456 wrote to memory of 1952	4456	cmd.exe	122
PID 4456 wrote to memory of 1952	4456	cmd.exe	122
PID 1952 wrote to memory of 228	1952	Javaupdater.exe	123
PID 1952 wrote to memory of 228	1952	Javaupdater.exe	123
PID 1952 wrote to memory of 228	1952	Javaupdater.exe	123
PID 1952 wrote to memory of 1708	1952	Javaupdater.exe	125
PID 1952 wrote to memory of 1708	1952	Javaupdater.exe	125
PID 1952 wrote to memory of 1708	1952	Javaupdater.exe	125
PID 1708 wrote to memory of 2444	1708	cmd.exe	128
PID 1708 wrote to memory of 2444	1708	cmd.exe	128
PID 1708 wrote to memory of 2444	1708	cmd.exe	128
PID 1708 wrote to memory of 3180	1708	cmd.exe	130
PID 1708 wrote to memory of 3180	1708	cmd.exe	130
PID 1708 wrote to memory of 3180	1708	cmd.exe	130
PID 1708 wrote to memory of 3576	1708	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
"C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4804
- C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
  "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qrp1JWAByUq2.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4060
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5112
  - - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
      "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sJIlm6YObQN7.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4644
      - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYPHFVAVYVEn.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pirAios3f9FH.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CdMMdSVs5JBY.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HRZTxVuVdRto.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9a1MRoc4l5uH.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYwuA87pS0iC.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hi5JZU0Ev4hl.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y3sR2zVtiZOe.bat" "
        21⤵
        
        PID:864
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3276
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O0BMjMI1dY2p.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:32
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwgYe0uq3iz6.bat" "
        25⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4664
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b4JiKZS5fYIf.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeNqthvI20dd.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2212
        29⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1672
        27⤵
        Program crash
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 2212
        25⤵
        Program crash
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2212
        23⤵
        Program crash
        
        PID:1808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 2200
        21⤵
        Program crash
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2212
        19⤵
        Program crash
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1944
        17⤵
        Program crash
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 2224
        15⤵
        Program crash
        
        PID:3332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 2224
        13⤵
        Program crash
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2200
        11⤵
        Program crash
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 2212
        9⤵
        Program crash
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 2196
        7⤵
        Program crash
        
        PID:4868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 2212
        5⤵
        Program crash
        
        PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 2180
    3⤵
    - Program crash
    PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1888 -ip 1888
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2712 -ip 2712
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3100 -ip 3100
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1952 -ip 1952
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3576 -ip 3576
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4528 -ip 4528
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3992 -ip 3992
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4408 -ip 4408
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2444 -ip 2444
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1736 -ip 1736
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1884 -ip 1884
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2604 -ip 2604
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1520 -ip 1520
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4804 -ip 4804
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9a1MRoc4l5uH.bat

Filesize
217B

MD5
e71405cee8ef62d8dbcb5889887a7c77

SHA1
250e1753838da14e21d84d44c90e61522f75c040

SHA256
87dbc48acb00156690345fc1b849ec3f9ff8561dde98520ff8f53915b5d9c4c2

SHA512
e73ab0ed503463ed1b70d19b62c0c1f8b6b6b9007ce3d722249ae8f421905b8355ff700566f847c9eb555ac54767bd00eb7a635182f3b7cf20e96cb5e74e6a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\CdMMdSVs5JBY.bat

Filesize
217B

MD5
ea21360796855c3295c7028bc6688ccc

SHA1
45b77070e0a377253e2002da4e0d8ed2cc3b87f7

SHA256
3807c1aa66142bfabfc19cc149ba6596566101b68eb01386b198afe4011db8ab

SHA512
2bb0ed30448f330b829bd4f998e67d692e6c80ef2af68307b98c7eb91f0e4732848da6506b8d6c6595e9e908973738b261420ba5dabcb179a011fa0ba9f6a919

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeNqthvI20dd.bat

Filesize
217B

MD5
4fda35ba1bc3e7771b2e2290ca4000a9

SHA1
ae144aa1fc3b1703c13fb605fda29ddc9b0dcdeb

SHA256
6c98ad0c8513d00560f5b577cebf6d2a07c65db652e06dbdc7a22936214892a9

SHA512
0901cc630f862f2026c7f97ff05cedc28440097eb1b8e92dab580c3d0e6601cfa88be50f372ca6ff6cec171230876d75c93bbf02e4fd738c36dd2acd3401a8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRZTxVuVdRto.bat

Filesize
217B

MD5
cd1df02a92648d1ded1640994a28e05a

SHA1
1d6759c608a2a8684cefeeeae6211bd2de167e84

SHA256
e9e0583b2a251fff2b4571cae2c39b171b0d7557fbc6d5d03536e6f6a0153618

SHA512
28b60c873387b8df230a4db40eb5ffa4b6ca5e3daef95cf5327a275034dfdb24e0d394d7177365c268ec44eabe09b08da6aabfc3dbd88c0c8ab4956c5d35b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYwuA87pS0iC.bat

Filesize
217B

MD5
443cdbeaf44958211df77dfc0556cc1c

SHA1
e33cc3d940755eb5ed1dd65681c41c949dc4c75f

SHA256
3cc805eebe75bdb3a66651b0eb4e5ad7c308176d2f85c13c398543790b9cee35

SHA512
f7d77cd471014c7020edcaca8fd0db009d7938dfc1fe2abb802069291753ea014d810a657b10d1edf219e650407404baeb415444c5d65fedb98b1c688b0e5882

Download Submit
C:\Users\Admin\AppData\Local\Temp\O0BMjMI1dY2p.bat

Filesize
217B

MD5
fb360deed90ac01c062bcf6366b1485c

SHA1
0d1a64e19f71cd2befd07da2463e9ab0e7e461a2

SHA256
718d560c61faa2c5d7a42d01083d176b6602dc13328664245067f7d91e8d9b43

SHA512
54bdbf1900380955007b2af7ff51f2bb4357388f98331dea3d2699caf1a2f26be3d0ea5ce59657fffa3b42ca91777299dab6e8bda73cf836a17bf39998fbb098

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qrp1JWAByUq2.bat

Filesize
217B

MD5
de8ddccc20a86002b761e63f8bda8a8a

SHA1
d12c955e374928e2dd897709ea4c31bdad4864d3

SHA256
5836dbad0d55d7ec85cb7c50aea3a0b06285d142826e4b7b175ebda3974d5c3f

SHA512
8ddbe10a2fdc093fa978012a594abe7cc756297980c01e216624bad68dd18465464d2fcd2cb8349f19992c3e5daaab7e1768cc2ad0b289396bc2e9578efd4ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4JiKZS5fYIf.bat

Filesize
217B

MD5
64422cf909cca05cf084b80de22a5455

SHA1
07ee28d8b9a047eefec220101ddefab3b67871a4

SHA256
db9005a08d7263682659b621e6f038b9016da2d833bdfda79ae418613066fbb6

SHA512
e122ac940911609a954eb217529e91d681ac133f42199edd6582cfcc531a6c82240a1b2f6c483d606c5850ccbfb58f65ab264a0d976f5947b8abffa132dc5e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\hi5JZU0Ev4hl.bat

Filesize
217B

MD5
077d2bfd8434309493fb59673ec2a35c

SHA1
3a28de93cc1374664f0183decf36a36817bc1410

SHA256
8ec39d1db0ddff209e961ef4d07fb5eb7570a9259c11cc1a0ba493ef616d1bbb

SHA512
a9c41d973a670947cff67eefd58d79524979cdda9cd57d702cb0ee301f37c600fe2682bf3b5423c7f885b066655439b27cf75f8b91ffdf014b2ff2a5655d891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwgYe0uq3iz6.bat

Filesize
217B

MD5
1fc98d466812da6d0821539b8bcf6844

SHA1
c2023eaeff42be5fe32f674b87752c0be9e6ff47

SHA256
2b5ca90bde11c71ae5d2f7164005715e19845fe0ee549753169c0402e7864f56

SHA512
8c034df7ea1da3683e567dc39c22a6fdbb82c677cd09b16b3800c14e2d1aee439eef5787f247f4b4f965eed6bd2d747186a0745402f2acf0056c5f10bd2c0329

Download Submit
C:\Users\Admin\AppData\Local\Temp\pirAios3f9FH.bat

Filesize
217B

MD5
b8a437947a555f02734b3ee13ab501f9

SHA1
8eccbe1e39aff66c3d6ca6bdf38ee0e886bf5051

SHA256
8783a03cf3d7c559882e914d495b9387f786888361356cd40c3632c314182ed7

SHA512
beabea52ef333ddfdd30e47846bfcce868d7ede6e7a52b3b6957028372fabb1d855e4f1ff7e63600a37d336eabfff3f83658984a850e2791b6c9e134d5a30b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJIlm6YObQN7.bat

Filesize
217B

MD5
c5d2a34a6dff26ff321d3af986cecf93

SHA1
a3358bb3b2febba804f1d7db843a69e1a58dc52d

SHA256
ab9d63e68cfb308e01a7141cfdf8c3c79dfb6ca153f2b8a1946b2319e630d5a3

SHA512
f1771cd5809eb1767d896e489920d79d5ac787f9259a97380ecc1722eabbb2333acbe61ccaa40c1f6de7cde7c8a1b5ac6e926b8e4dd0e4dd52895c5486e39f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYPHFVAVYVEn.bat

Filesize
217B

MD5
9253595b9c2647ebc728df37bc796a2a

SHA1
b8dbaff1934543b5732903a2d912c164b9da006d

SHA256
9095d363f2b674459670b2b0d9043fb5dcda7fe1f7968b3f3d3210612a571bd0

SHA512
4e04ae06052fc66a658729ea784fadb9933b3fc1d22a4dbd9933acb91a7e53101431cd3e076403ec7d5061734f31868aa3b3a89ea39394d486b90e632d135758

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3sR2zVtiZOe.bat

Filesize
217B

MD5
6f3c779a6507e9fed0a98ee990bbb1d7

SHA1
42c681aaceb0ce958ba899667a8c064cb5fe007e

SHA256
92c568f40d58cb8e160bc3137626fc8384a62d004ec9c177915c25c7a79963cb

SHA512
4ac7d1d04afec820621173a1545cb0b287dc0272a4ec3ef2e633084a8b41b48850bbab20a90203bd462f15428fdd84bc5d3fe969d25c578afb1858a909976c01

Download Submit
C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe

Filesize
431KB

MD5
cb593528c628b13296746bfd449ab801

SHA1
a7de38df3678915f2df0f741dea35a55434c4a26

SHA256
211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

SHA512
8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
94b534ccc90d042e636ace8276677fdc

SHA1
7336cb37a4bc742d08cdd67888d2e3a4db7dfb31

SHA256
1e94c471f39eec29b307361cd0258226da452510af17e339c90f21b041174c6a

SHA512
393ab887e2ab67f0aae70d50bcd21bdd8f5945ebe2d46e244704329679870645e00911737d6aaee44c9fe99ac9ac16857c57c9f3e038f9c13cc243a93ff8b951

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
3420bfdc007795b87b4cb320ae75c0dc

SHA1
e5c31b70476d9c0c696ccee6493cb1660e4f405c

SHA256
8d4f59b69b1bb23ff6617e1ff12ece1f36b30dc4156100f02be856088045e093

SHA512
564a61160c7677da44d4473915ee997df17ea6eb3445fa5a077d26ff4eb0790a7193dc086b993b9a0c1b64011317e4551b2165752fcf26e8f278851ec44435ed

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
659afcde4f5c72b31954f7540a0d7fe4

SHA1
f3dc5dae15112877dc5a0cb8bb1560051e0d65d9

SHA256
8793b9a9965a8c80528bc022ff93ee5a6c0247400c01db72b3c66b15cb0e89ae

SHA512
5e66fa53fb6285f7d9fc00968b58dce3bb3a506518af5669252a8030fcea611c153c518d77395584e3ce54a6dae89f7fd8f7ce45961f9bcfddebed25325dcd25

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
743073a9ecb8a172529185e2d5712d7d

SHA1
20c70666376665bf149a9047f683d6f890e81788

SHA256
edc45e84932e7037e7f222689e679e47195fadb84106f78123922af406d31fa8

SHA512
fac43f4f42afef489a920f87e7fad46d2e51986661f6fdaf3fa67c0c7457f2e3f8922074195186aa3eefbc63cccc40c5fbddf6cbb2f1471bb4f04118eec72fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
0e6f9ddd628dabb5540e0672d4cd5916

SHA1
3e825469f0d402c50d6dbaf3e54dbc784b2a7012

SHA256
a8373fe6596449a8ae88a59a2425e29130d8c44d745ae2a70247d0fd84d534b0

SHA512
508ff59efe81853dd027235b00958c0791b9f7be915f44670798cc2752b01a21ace2ed6b6f7c453c2d4cbbf45766610f19f63e0b4db3cdb229a1eacf94a6a83c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
b059a4990f54620f58b040455686bfb6

SHA1
ec2c51c185cdad84ef934afdfbc59d3e8c386c68

SHA256
7fe51a6255e614567b2eb1d69c8631b9c55cd0b9c7f741063c6652045006e8ee

SHA512
13454759d0d370a2206a86f2f00a366f671f15fc388d74ab0e224aa309ed477d9db1d219dcc78b862f70beedd74bceb51c4964ce2f33488b7112d26c7793ae5d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
cea679edf2060f157f7327e0a1fd33d2

SHA1
6aaae2d5ce1438388bcdb4b9ce757a6ddf7b8cf4

SHA256
4edb6dede172b655d934c6288704116c63f6238f002b879b979ed732b7c46b65

SHA512
87dc040341c9779d114a77842de0dc12bd17728e08cfb4f75f01318566929d34be1b4aa40b776d52ff964cd91680d74ece2a2abb49f63d2f539b3ae068265e0b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
6b90e1a8ade4d6c4aaa8247acdfa1fa7

SHA1
7b11efa1366079e9a836004f497517d285d07b9e

SHA256
c996ad376c7f3f593ec8fc6af0ac4d38f899a8b634eb575ce22769ae37e70737

SHA512
78e8c5ef10b8c6243b7d15aec7e6d1dd8a90211457795fe7e3283c87847cd4382120cf73bf07a586a6466ad4d91b81a0bb8379dac30c520af12e7fc2185ad853

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
c1d9079be6111f43dd6c834dbf9cb90f

SHA1
02aad2ff4c4d6df18b4e24520c1584a4ad90be52

SHA256
7ecc9c887065e47ad351de8347042f94a165e05a8bf74cc680556a215ad7f156

SHA512
a6daf387eef9bb3658e668230f803fe63162769228633ab7235780e53bdf2e71f4d396e8f184fb834f1591e5968ee4006393bbebf14e113dec395180ad2dfdd1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
79ef76d4a3e68cbe54a812a9796fa744

SHA1
9ce3d37d83cc51ee07ba36b029a3618560e74d09

SHA256
2f4140218270c0dee4e34b912d789f58d17dfa380a4009d4ff624a521119f02d

SHA512
5d8fed3522e9a7ae532da13661d9034cd84f3431a9cde37a750188ccee82eb1aaffa01a18010e5e486a64f6503dcfb535afa3849f835e3cdb4855dfa92e7591a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
de1e94b4d7546e1d102596a2feb38301

SHA1
a1dec7b6e467b15d080c04d73a9791171b8cdbae

SHA256
f0584fa568075ede2be42124d6fb4c714c520669af64f6584de5b2961a73f0c1

SHA512
fd97458c0cdef26dce34f4956fd5bc7a95f5ab04accee9dc1e37c7c9ca05b3540d94fd6679b81b452c2de346e066085919bf6c56323020edd89c34590c0d155e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
1310dcc137fe6297aca167ff9ece2db0

SHA1
5a7d50b3b8c550e574f4d1716d89f6e5bb86cd37

SHA256
5e358269b5663eaeccb77c89056f75d19afab8ad8e00be46c11302427e33488a

SHA512
4075b4f26fd2190ed5845fea4a959ead429729d75ba598e1e6c231838d3f6a919481ebd0f2f007774394619b94721ab7132559d5384086cb746733ad509433c1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
56c10bdc404e9fbc6931792c1f35a4b4

SHA1
2a24c6b42ae76a6e71af1b968fa1403e5ca67c36

SHA256
336b5c21f26239507e4b6f84ad917a640aa7288424f366c12155ad287fd9414e

SHA512
c9634e7d91a68d77cd9e2050b7cf44af1e46502d82cdae78ea1f16daee61c11879c4ad551990fefb9b5763653a77ae2cdb140bb69ae1a54757bbc859a8da2d86

Download Submit
memory/1888-18-0x0000000005F40000-0x0000000005F4A000-memory.dmp

Filesize
40KB

Download
memory/1888-23-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1888-14-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1888-16-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2156-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/2156-5-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/2156-4-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2156-6-0x0000000006340000-0x0000000006352000-memory.dmp

Filesize
72KB

Download
memory/2156-7-0x0000000006880000-0x00000000068BC000-memory.dmp

Filesize
240KB

Download
memory/2156-3-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/2156-2-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-15-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2156-1-0x0000000000A70000-0x0000000000AE2000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads