quasar | 211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/02/2025, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Size

431KB
MD5

cb593528c628b13296746bfd449ab801
SHA1

a7de38df3678915f2df0f741dea35a55434c4a26
SHA256

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc
SHA512

8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa
SSDEEP

6144:BI6bPXhLApfpKcjF36bbGXUM1dz0i205u4S26uI:WmhApnFKKt0i205Yz

Score

10^/10

quasar test discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test

10.0.2.2:4782:4782

Mutex

QSR_MUTEX_uLG4ZRVYEfBangYb5F

Attributes

encryption_key
mcNXfsvLp0Hjh0KA2uyx
install_name
Javaupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
JavaUpdater

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
	2	ip-api.com	Process not Found
	10	ip-api.com	Process not Found
	15	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2004-1-0x0000000001230000-0x00000000012A2000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015f96-5.dat	family_quasar
behavioral1/memory/2448-12-0x0000000000BD0000-0x0000000000C42000-memory.dmp	family_quasar
behavioral1/memory/2484-32-0x0000000000D40000-0x0000000000DB2000-memory.dmp	family_quasar
behavioral1/memory/1304-51-0x0000000001040000-0x00000000010B2000-memory.dmp	family_quasar
behavioral1/memory/924-70-0x0000000001040000-0x00000000010B2000-memory.dmp	family_quasar
behavioral1/memory/1748-89-0x0000000001290000-0x0000000001302000-memory.dmp	family_quasar
behavioral1/memory/2624-108-0x00000000001D0000-0x0000000000242000-memory.dmp	family_quasar
behavioral1/memory/2240-127-0x00000000002D0000-0x0000000000342000-memory.dmp	family_quasar
behavioral1/memory/568-145-0x0000000000F20000-0x0000000000F92000-memory.dmp	family_quasar
behavioral1/memory/1532-155-0x0000000000F20000-0x0000000000F92000-memory.dmp	family_quasar
behavioral1/memory/2756-165-0x0000000001220000-0x0000000001292000-memory.dmp	family_quasar
behavioral1/memory/2728-175-0x0000000001220000-0x0000000001292000-memory.dmp	family_quasar

Executes dropped EXE 11 IoCs

pid	Process
2448	Javaupdater.exe
2484	Javaupdater.exe
1304	Javaupdater.exe
924	Javaupdater.exe
1748	Javaupdater.exe
2624	Javaupdater.exe
2240	Javaupdater.exe
568	Javaupdater.exe
1532	Javaupdater.exe
2756	Javaupdater.exe
2728	Javaupdater.exe

Loads dropped DLL 64 IoCs

pid	Process
2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2868	cmd.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1840	cmd.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
1392	cmd.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
1040	cmd.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2920	cmd.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2616	cmd.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
1736	cmd.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1292	cmd.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
1040	cmd.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1992	cmd.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
2620	2448	WerFault.exe	31
1656	2484	WerFault.exe	39
2084	1304	WerFault.exe	49
2356	924	WerFault.exe	57
2032	1748	WerFault.exe	65
2684	2624	WerFault.exe	73
1252	2240	WerFault.exe	81
1764	568	WerFault.exe	89
2056	1532	WerFault.exe	97
1036	2756	WerFault.exe	105
1948	2728	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1736	PING.EXE
1528	PING.EXE
2724	PING.EXE
1440	PING.EXE
3048	PING.EXE
2748	PING.EXE
2104	PING.EXE
1904	PING.EXE
764	PING.EXE
2332	PING.EXE
2740	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2104	PING.EXE
1528	PING.EXE
764	PING.EXE
2332	PING.EXE
3048	PING.EXE
2740	PING.EXE
2748	PING.EXE
1736	PING.EXE
1904	PING.EXE
2724	PING.EXE
1440	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
2824	schtasks.exe
2508	schtasks.exe
2408	schtasks.exe
1284	schtasks.exe
2576	schtasks.exe
1508	schtasks.exe
1492	schtasks.exe
2172	schtasks.exe
2576	schtasks.exe
2428	schtasks.exe
3012	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Token: SeDebugPrivilege	2448	Javaupdater.exe
Token: SeDebugPrivilege	2484	Javaupdater.exe
Token: SeDebugPrivilege	1304	Javaupdater.exe
Token: SeDebugPrivilege	924	Javaupdater.exe
Token: SeDebugPrivilege	1748	Javaupdater.exe
Token: SeDebugPrivilege	2624	Javaupdater.exe
Token: SeDebugPrivilege	2240	Javaupdater.exe
Token: SeDebugPrivilege	568	Javaupdater.exe
Token: SeDebugPrivilege	1532	Javaupdater.exe
Token: SeDebugPrivilege	2756	Javaupdater.exe
Token: SeDebugPrivilege	2728	Javaupdater.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2448	Javaupdater.exe
2484	Javaupdater.exe
1304	Javaupdater.exe
924	Javaupdater.exe
1748	Javaupdater.exe
2624	Javaupdater.exe
2240	Javaupdater.exe
568	Javaupdater.exe
1532	Javaupdater.exe
2756	Javaupdater.exe
2728	Javaupdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2408	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	29
PID 2004 wrote to memory of 2408	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	29
PID 2004 wrote to memory of 2408	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	29
PID 2004 wrote to memory of 2408	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	29
PID 2004 wrote to memory of 2448	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2004 wrote to memory of 2448	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2004 wrote to memory of 2448	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2004 wrote to memory of 2448	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2004 wrote to memory of 2448	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2004 wrote to memory of 2448	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2004 wrote to memory of 2448	2004	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	31
PID 2448 wrote to memory of 2576	2448	Javaupdater.exe	32
PID 2448 wrote to memory of 2576	2448	Javaupdater.exe	32
PID 2448 wrote to memory of 2576	2448	Javaupdater.exe	32
PID 2448 wrote to memory of 2576	2448	Javaupdater.exe	32
PID 2448 wrote to memory of 2868	2448	Javaupdater.exe	34
PID 2448 wrote to memory of 2868	2448	Javaupdater.exe	34
PID 2448 wrote to memory of 2868	2448	Javaupdater.exe	34
PID 2448 wrote to memory of 2868	2448	Javaupdater.exe	34
PID 2448 wrote to memory of 2620	2448	Javaupdater.exe	36
PID 2448 wrote to memory of 2620	2448	Javaupdater.exe	36
PID 2448 wrote to memory of 2620	2448	Javaupdater.exe	36
PID 2448 wrote to memory of 2620	2448	Javaupdater.exe	36
PID 2868 wrote to memory of 2516	2868	cmd.exe	37
PID 2868 wrote to memory of 2516	2868	cmd.exe	37
PID 2868 wrote to memory of 2516	2868	cmd.exe	37
PID 2868 wrote to memory of 2516	2868	cmd.exe	37
PID 2868 wrote to memory of 2104	2868	cmd.exe	38
PID 2868 wrote to memory of 2104	2868	cmd.exe	38
PID 2868 wrote to memory of 2104	2868	cmd.exe	38
PID 2868 wrote to memory of 2104	2868	cmd.exe	38
PID 2868 wrote to memory of 2484	2868	cmd.exe	39
PID 2868 wrote to memory of 2484	2868	cmd.exe	39
PID 2868 wrote to memory of 2484	2868	cmd.exe	39
PID 2868 wrote to memory of 2484	2868	cmd.exe	39
PID 2868 wrote to memory of 2484	2868	cmd.exe	39
PID 2868 wrote to memory of 2484	2868	cmd.exe	39
PID 2868 wrote to memory of 2484	2868	cmd.exe	39
PID 2484 wrote to memory of 2428	2484	Javaupdater.exe	40
PID 2484 wrote to memory of 2428	2484	Javaupdater.exe	40
PID 2484 wrote to memory of 2428	2484	Javaupdater.exe	40
PID 2484 wrote to memory of 2428	2484	Javaupdater.exe	40
PID 2484 wrote to memory of 1840	2484	Javaupdater.exe	44
PID 2484 wrote to memory of 1840	2484	Javaupdater.exe	44
PID 2484 wrote to memory of 1840	2484	Javaupdater.exe	44
PID 2484 wrote to memory of 1840	2484	Javaupdater.exe	44
PID 2484 wrote to memory of 1656	2484	Javaupdater.exe	46
PID 2484 wrote to memory of 1656	2484	Javaupdater.exe	46
PID 2484 wrote to memory of 1656	2484	Javaupdater.exe	46
PID 2484 wrote to memory of 1656	2484	Javaupdater.exe	46
PID 1840 wrote to memory of 1864	1840	cmd.exe	47
PID 1840 wrote to memory of 1864	1840	cmd.exe	47
PID 1840 wrote to memory of 1864	1840	cmd.exe	47
PID 1840 wrote to memory of 1864	1840	cmd.exe	47
PID 1840 wrote to memory of 1736	1840	cmd.exe	48
PID 1840 wrote to memory of 1736	1840	cmd.exe	48
PID 1840 wrote to memory of 1736	1840	cmd.exe	48
PID 1840 wrote to memory of 1736	1840	cmd.exe	48
PID 1840 wrote to memory of 1304	1840	cmd.exe	49
PID 1840 wrote to memory of 1304	1840	cmd.exe	49
PID 1840 wrote to memory of 1304	1840	cmd.exe	49
PID 1840 wrote to memory of 1304	1840	cmd.exe	49
PID 1840 wrote to memory of 1304	1840	cmd.exe	49
PID 1840 wrote to memory of 1304	1840	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
"C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2408
- C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
  "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\hB90VoVoFsGd.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2104
  - - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
      "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lFLalSjQGQEJ.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1736
      - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCtX214VSXLn.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaXAeASjWnun.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lHs0jCHTiQCZ.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z7R2ThrABdtz.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ackH5w8x5JIB.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\V20NHaqoBBFz.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\g1u8kFjweQvB.bat" "
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYeZijTg6WQ5.bat" "
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\r3xoLykS0DoH.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1332
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1452
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1440
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 1424
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1436
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1440
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1436
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1440
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1432
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1428
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1456
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QaXAeASjWnun.bat

Filesize
217B

MD5
a78a46318cdc6e470fa2f963d7b090cd

SHA1
e2e3ee8f8ea056e670ede521cd3067549eb3be0b

SHA256
483353c9e4942113fb6f230b2d009fa95df764a7bfaf9eb5f23776c95a2fd347

SHA512
40892ab79e2ee703667e156f9a13e5a811cebdd2d315698d1235d8c085be76772b221d976d90923d01f5f803ca2be4f09ff3b2368249e8745927a84ec723c4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\V20NHaqoBBFz.bat

Filesize
217B

MD5
4dddfe61bb01d97790d112f900e66b37

SHA1
ad347719afda52efa99e7d5ffd84a20554c28d01

SHA256
46178f839baea0f25069377d44471319c3e21c8bc04729af4c3ffea406a18dbb

SHA512
28461c824ec618255951bcc20526695a18f49160a7926e58e60f04dee7129db5a818738f565e0646e69c3e19b7b863598764b406d5a9178c4df9d85a7b510a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7R2ThrABdtz.bat

Filesize
217B

MD5
c61831378c6f959f8f7f399af837bbee

SHA1
d7109fa31029b39503d3e66b0b9e7075a6785d31

SHA256
53a6cc75903d148f2049c07ba0e5d55fa7c3b76eb4625545b3778e11d855ff03

SHA512
ce7053fabb39044b576a091c85a102f1c249b55bcf5ad7743f2cfd90555d6f0f2150330cd6d0db32ebed227d578bb1417098edc8979e824335998a89bd87f296

Download Submit
C:\Users\Admin\AppData\Local\Temp\ackH5w8x5JIB.bat

Filesize
217B

MD5
ca63e737373355505cb72c66433f1eb3

SHA1
4b2b6609e9756c4e3e97e966df6b7f6020f0b971

SHA256
7618e81d04be0d27cb667a129c4795991ccc03a73b1530a7d3fb157636c9cbfb

SHA512
53ebafa377b3c6bd91696135c4b60758e5685a3cc9dbb752f6cda239cd2a4a26f8c41b8ce1cb30be48e79eff4bf101245b8d70331ff8be5e3e5b4bcf5df03e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\cCtX214VSXLn.bat

Filesize
217B

MD5
c0bf153213fae390936b9ef8690b1ca6

SHA1
4d8edb8121ce1ca2c117644299db9849963ea1a5

SHA256
03e9e2bd000251cf4ece56b76f799f57167d7700ad5a318be69ebd2f4c133c43

SHA512
7e9dff83a16d99106a8ca29f6dc206ab1e112c1e0314cfff7e485027b5472a8724da8c7d16f843b8fb7eb2b687cf77a6e2fbbd9d9b2332b6cb6b7ac6c35fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1u8kFjweQvB.bat

Filesize
217B

MD5
88045acbec70ae231237a791bdc6fbf2

SHA1
dc91f607e7cf81228d52aa7503b4b77abf9fe740

SHA256
5c64b0a05070f6b1d1ff3a2b953934b9c3c89589c8aae3645b8880e0194055d0

SHA512
9d496bd4aefcfefd5c59d60b1260f03f120911941de4e119aa4e7d58a4bf29d353cb06d3f1073fbea48ced828502471dff895d52b0b4fe1938919089172265d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hB90VoVoFsGd.bat

Filesize
217B

MD5
b9605b4f080eb2af0267f5d20ee15a3e

SHA1
3185bce50a9f2268434ffbbd35588bc953d62923

SHA256
3fcabe4da35556d91891c00863f20f6b423d397a4c7630c24bce9f219db2ccfb

SHA512
a0ce8251c01f65c4e7375bd6eeb92692312bc2b88135f30654245503834d24123d30953a4387c0046bd3fee59d689f20f6a6bc3d73f287431e406ec105ea7cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lFLalSjQGQEJ.bat

Filesize
217B

MD5
6b70aefaaa3aa5f979f3f801b319c5a9

SHA1
645b1ab91d4de276adebcc03dead3f53cd021077

SHA256
8a85131572c43883b504743030718ac986fc1ac4eb1cb0a17eb2db44bbf5f8a1

SHA512
4cddc7a9d91559ebf82846b44e47d404a9aff505158eaa6f97626a32e676d7be95be411160672cc3b332a57bcb73952827ab41953864127422a391c6ea4b9fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHs0jCHTiQCZ.bat

Filesize
217B

MD5
50aeefc6989e5013dc1d3f9b9626d10b

SHA1
a818b26dbcbad7bc588bc1701cd9ab38fee26814

SHA256
fd1458ed1f9bd6970a0b021167ac6022239ca48db32cbca9a3b314d37a627a2d

SHA512
5a7021444b96e5427767099ba4a60235b7714a0d68d1494ec7c13c1e4d520d23aa7bd944fa703fe1c5f2755482eb4399d15b2ebb8b092fb71370eb15e5c2c5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3xoLykS0DoH.bat

Filesize
217B

MD5
9f965e49feca2b023f71897444b5f2ed

SHA1
a4378f303c7712f2553d079c2ff4ef4ff1fe4b7e

SHA256
9c292ce5fa89e80f12439cd956e31463025af3e454d319fc0dbe2e63676028dc

SHA512
f5e6a1ec95d5e33354d361c90db7735ad357339bbce56951687baec2fefd3455e0cf853172d3c1f06ff5ebbec9660b0051c3a557eed1ed1669636e83ef24fa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYeZijTg6WQ5.bat

Filesize
217B

MD5
306ca6e8b01ac9a00ec4986ee3aa7ca5

SHA1
8561befcd7209b03695839ddf70fbee077a49dcf

SHA256
be8585dccc9e79fac0367e5a1df51516edcecb471d75bd1263270ce3986c58be

SHA512
9db4dfc6a66dc562babe048e8f862e410d0c2bdf97495ed071c63b1a1f5c37c17cbd94873648d4a3ee0e39a571d311ee19bdbeb859590a82205677600d13e0bb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
2a2cd5602ffd7c418d652af523787520

SHA1
3a1dba69b78295b8a49a0c02b7523167eb34fccc

SHA256
2d3ce2d05e4370d583a93d1871bffcdc9e9da48854972a5fb521f0d4f110ffa4

SHA512
31c30f4adebf31a9adb99e3ebd19010bd943cd83195d4286260c722621a3ecdbd65d8a3aea046e4958fb1071a31ccce5e33aae0033cf1d3dba0ed465da063ab5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
56bf329b79a0c8ce0b29c20b12a99b33

SHA1
3c8c6ca6b975a8a8f1bafba4832d5376ea106d2b

SHA256
de0b31bbcc08d159f283ac614aaa19beaaae39d7f6872212b881d65377c0b095

SHA512
bfa48be7f4b69fe808fef60fbf7e7672291833d33bcdeb8d4f2d7e5de9007cb6cf98e0f635549294b4656cfd31e3cd950841f5d8210aa8590170c11ba70f5806

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
77a1a7cbed607331c593b101efb776cd

SHA1
46cc558aa0d505c50f6385a7b3a02b9447d716f7

SHA256
8830afc581ff46000f824e9878cfc8476c99c161e14f96eaee33547b41adffc5

SHA512
210e4ecf6a8c9624ec64dcfdbf4701776baf9fed3a8f695db73cc2681bb7b601f5431f8365963d73aa913465c3d298f6826b1543282cb7f7ca1bb8cabe37bd34

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
b65a66a9600d24ffa563ead35731f801

SHA1
c78eba5abe8022cb858b692a13a3473615030502

SHA256
6da22cd36b7ea7d62d71a586eb8d6cb39e457660ac9c3a59e07c39a6fd320a0e

SHA512
457604307e1920740091f6c2f5f720c9aebe3cc5c7b25466efd37a9a4205cdd637b55938486a3ab1ca5305f51e49a4d549baca416ede15d71a307e48f254c943

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
f99ef656f20ca6474b2d1bef13b82034

SHA1
1f5dc41070c18b4fd611bb9a485b4cb3bb996798

SHA256
f066e65558f4cd487c0d834183246b9037306fbcdc8a222edc52ab383081f3fd

SHA512
78031657c4b5e3d12011dc09ccd8997a8a3d9c4409fb3deadef50eaf51231c32bfcf3529f4e97ece952ceb4ca8fca78ca5d7116b714a9c88676ea80493bd95d1

Download Submit
\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe

Filesize
431KB

MD5
cb593528c628b13296746bfd449ab801

SHA1
a7de38df3678915f2df0f741dea35a55434c4a26

SHA256
211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

SHA512
8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa

Download Submit
memory/568-145-0x0000000000F20000-0x0000000000F92000-memory.dmp

Filesize
456KB

Download
memory/924-70-0x0000000001040000-0x00000000010B2000-memory.dmp

Filesize
456KB

Download
memory/1304-51-0x0000000001040000-0x00000000010B2000-memory.dmp

Filesize
456KB

Download
memory/1532-155-0x0000000000F20000-0x0000000000F92000-memory.dmp

Filesize
456KB

Download
memory/1748-89-0x0000000001290000-0x0000000001302000-memory.dmp

Filesize
456KB

Download
memory/2004-2-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2004-0-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x0000000001230000-0x00000000012A2000-memory.dmp

Filesize
456KB

Download
memory/2004-11-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-127-0x00000000002D0000-0x0000000000342000-memory.dmp

Filesize
456KB

Download
memory/2448-29-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-13-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-12-0x0000000000BD0000-0x0000000000C42000-memory.dmp

Filesize
456KB

Download
memory/2448-10-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-32-0x0000000000D40000-0x0000000000DB2000-memory.dmp

Filesize
456KB

Download
memory/2624-108-0x00000000001D0000-0x0000000000242000-memory.dmp

Filesize
456KB

Download
memory/2728-175-0x0000000001220000-0x0000000001292000-memory.dmp

Filesize
456KB

Download
memory/2756-165-0x0000000001220000-0x0000000001292000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads