quasar | 211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2025, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Size

431KB
MD5

cb593528c628b13296746bfd449ab801
SHA1

a7de38df3678915f2df0f741dea35a55434c4a26
SHA256

211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc
SHA512

8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa
SSDEEP

6144:BI6bPXhLApfpKcjF36bbGXUM1dz0i205u4S26uI:WmhApnFKKt0i205Yz

Score

10^/10

quasar test discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test

10.0.2.2:4782:4782

Mutex

QSR_MUTEX_uLG4ZRVYEfBangYb5F

Attributes

encryption_key
mcNXfsvLp0Hjh0KA2uyx
install_name
Javaupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
JavaUpdater

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
	17	ip-api.com	Process not Found
	45	ip-api.com	Process not Found
	55	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2228-1-0x0000000000C00000-0x0000000000C72000-memory.dmp	family_quasar
behavioral2/files/0x000d00000001dc04-11.dat	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Javaupdater.exe

Executes dropped EXE 13 IoCs

pid	Process
4904	Javaupdater.exe
452	Javaupdater.exe
4076	Javaupdater.exe
2820	Javaupdater.exe
5076	Javaupdater.exe
1504	Javaupdater.exe
2276	Javaupdater.exe
1444	Javaupdater.exe
3620	Javaupdater.exe
4936	Javaupdater.exe
4636	Javaupdater.exe
2584	Javaupdater.exe
6108	Javaupdater.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\Javaupdater.exe\""	Javaupdater.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	ip-api.com
17	ip-api.com
45	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2988	4904	WerFault.exe	91
4376	452	WerFault.exe	101
5200	4076	WerFault.exe	110
1612	2820	WerFault.exe	123
3264	5076	WerFault.exe	132
4884	1504	WerFault.exe	141
2140	2276	WerFault.exe	150
3840	1444	WerFault.exe	159
3996	3620	WerFault.exe	170
3896	4936	WerFault.exe	179
2036	4636	WerFault.exe	188
1996	2584	WerFault.exe	197
4604	6108	WerFault.exe	206

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1680	PING.EXE
2820	PING.EXE
1328	PING.EXE
4384	PING.EXE
996	PING.EXE
5732	PING.EXE
2196	PING.EXE
5772	PING.EXE
2684	PING.EXE
4892	PING.EXE
2584	PING.EXE
2524	PING.EXE
5152	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
2584	PING.EXE
996	PING.EXE
5732	PING.EXE
2196	PING.EXE
2524	PING.EXE
5152	PING.EXE
5772	PING.EXE
4384	PING.EXE
4892	PING.EXE
1680	PING.EXE
2820	PING.EXE
1328	PING.EXE
2684	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe
5424	schtasks.exe
1328	schtasks.exe
1688	schtasks.exe
3772	schtasks.exe
5344	schtasks.exe
5944	schtasks.exe
2348	schtasks.exe
2628	schtasks.exe
2036	schtasks.exe
4056	schtasks.exe
3632	schtasks.exe
3744	schtasks.exe
1056	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
Token: SeDebugPrivilege	4904	Javaupdater.exe
Token: SeDebugPrivilege	452	Javaupdater.exe
Token: SeDebugPrivilege	4076	Javaupdater.exe
Token: SeDebugPrivilege	2820	Javaupdater.exe
Token: SeDebugPrivilege	5076	Javaupdater.exe
Token: SeDebugPrivilege	1504	Javaupdater.exe
Token: SeDebugPrivilege	2276	Javaupdater.exe
Token: SeDebugPrivilege	1444	Javaupdater.exe
Token: SeDebugPrivilege	3620	Javaupdater.exe
Token: SeDebugPrivilege	4936	Javaupdater.exe
Token: SeDebugPrivilege	4636	Javaupdater.exe
Token: SeDebugPrivilege	2584	Javaupdater.exe
Token: SeDebugPrivilege	6108	Javaupdater.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4904	Javaupdater.exe
452	Javaupdater.exe
4076	Javaupdater.exe
2820	Javaupdater.exe
5076	Javaupdater.exe
1504	Javaupdater.exe
2276	Javaupdater.exe
1444	Javaupdater.exe
3620	Javaupdater.exe
4936	Javaupdater.exe
4636	Javaupdater.exe
2584	Javaupdater.exe
6108	Javaupdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2348	2228	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	89
PID 2228 wrote to memory of 2348	2228	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	89
PID 2228 wrote to memory of 2348	2228	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	89
PID 2228 wrote to memory of 4904	2228	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	91
PID 2228 wrote to memory of 4904	2228	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	91
PID 2228 wrote to memory of 4904	2228	211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe	91
PID 4904 wrote to memory of 1672	4904	Javaupdater.exe	92
PID 4904 wrote to memory of 1672	4904	Javaupdater.exe	92
PID 4904 wrote to memory of 1672	4904	Javaupdater.exe	92
PID 4904 wrote to memory of 5544	4904	Javaupdater.exe	94
PID 4904 wrote to memory of 5544	4904	Javaupdater.exe	94
PID 4904 wrote to memory of 5544	4904	Javaupdater.exe	94
PID 5544 wrote to memory of 3532	5544	cmd.exe	97
PID 5544 wrote to memory of 3532	5544	cmd.exe	97
PID 5544 wrote to memory of 3532	5544	cmd.exe	97
PID 5544 wrote to memory of 2684	5544	cmd.exe	99
PID 5544 wrote to memory of 2684	5544	cmd.exe	99
PID 5544 wrote to memory of 2684	5544	cmd.exe	99
PID 5544 wrote to memory of 452	5544	cmd.exe	101
PID 5544 wrote to memory of 452	5544	cmd.exe	101
PID 5544 wrote to memory of 452	5544	cmd.exe	101
PID 452 wrote to memory of 2628	452	Javaupdater.exe	102
PID 452 wrote to memory of 2628	452	Javaupdater.exe	102
PID 452 wrote to memory of 2628	452	Javaupdater.exe	102
PID 452 wrote to memory of 4176	452	Javaupdater.exe	104
PID 452 wrote to memory of 4176	452	Javaupdater.exe	104
PID 452 wrote to memory of 4176	452	Javaupdater.exe	104
PID 4176 wrote to memory of 3856	4176	cmd.exe	108
PID 4176 wrote to memory of 3856	4176	cmd.exe	108
PID 4176 wrote to memory of 3856	4176	cmd.exe	108
PID 4176 wrote to memory of 4384	4176	cmd.exe	109
PID 4176 wrote to memory of 4384	4176	cmd.exe	109
PID 4176 wrote to memory of 4384	4176	cmd.exe	109
PID 4176 wrote to memory of 4076	4176	cmd.exe	110
PID 4176 wrote to memory of 4076	4176	cmd.exe	110
PID 4176 wrote to memory of 4076	4176	cmd.exe	110
PID 4076 wrote to memory of 5424	4076	Javaupdater.exe	111
PID 4076 wrote to memory of 5424	4076	Javaupdater.exe	111
PID 4076 wrote to memory of 5424	4076	Javaupdater.exe	111
PID 4076 wrote to memory of 3904	4076	Javaupdater.exe	113
PID 4076 wrote to memory of 3904	4076	Javaupdater.exe	113
PID 4076 wrote to memory of 3904	4076	Javaupdater.exe	113
PID 3904 wrote to memory of 2116	3904	cmd.exe	116
PID 3904 wrote to memory of 2116	3904	cmd.exe	116
PID 3904 wrote to memory of 2116	3904	cmd.exe	116
PID 3904 wrote to memory of 4892	3904	cmd.exe	118
PID 3904 wrote to memory of 4892	3904	cmd.exe	118
PID 3904 wrote to memory of 4892	3904	cmd.exe	118
PID 3904 wrote to memory of 2820	3904	cmd.exe	123
PID 3904 wrote to memory of 2820	3904	cmd.exe	123
PID 3904 wrote to memory of 2820	3904	cmd.exe	123
PID 2820 wrote to memory of 2036	2820	Javaupdater.exe	124
PID 2820 wrote to memory of 2036	2820	Javaupdater.exe	124
PID 2820 wrote to memory of 2036	2820	Javaupdater.exe	124
PID 2820 wrote to memory of 3908	2820	Javaupdater.exe	126
PID 2820 wrote to memory of 3908	2820	Javaupdater.exe	126
PID 2820 wrote to memory of 3908	2820	Javaupdater.exe	126
PID 3908 wrote to memory of 1116	3908	cmd.exe	129
PID 3908 wrote to memory of 1116	3908	cmd.exe	129
PID 3908 wrote to memory of 1116	3908	cmd.exe	129
PID 3908 wrote to memory of 2584	3908	cmd.exe	131
PID 3908 wrote to memory of 2584	3908	cmd.exe	131
PID 3908 wrote to memory of 2584	3908	cmd.exe	131
PID 3908 wrote to memory of 5076	3908	cmd.exe	132

C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe
"C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2348
- C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
  "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYwniprdrDzO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5544
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3532
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2684
  - - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
      "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TvrxU2NQ3zx3.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4384
      - C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uPFT34x5a1Sn.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q8ahAmdUoW1l.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KenxWZMSrLDQ.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfxlQIsp7x0t.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5732
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WF0uyQK2UPLq.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YY4CYH7bLZAC.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2bL2lje60SER.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5152
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IbTK8sfrt0gR.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uBWTg075GS1P.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHQmTwyDwxTR.bat" "
        25⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe
        
        "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOxiInXyNP4E.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 2204
        27⤵
        Program crash
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1688
        25⤵
        Program crash
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2212
        23⤵
        Program crash
        
        PID:2036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 2196
        21⤵
        Program crash
        
        PID:3896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 2196
        19⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1672
        17⤵
        Program crash
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 2228
        15⤵
        Program crash
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 2196
        13⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 2228
        11⤵
        Program crash
        
        PID:3264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 2228
        9⤵
        Program crash
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 2228
        7⤵
        Program crash
        
        PID:5200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 2196
        5⤵
        Program crash
        
        PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 2216
    3⤵
    - Program crash
    PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 452 -ip 452
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4076 -ip 4076
1⤵
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2820 -ip 2820
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5076 -ip 5076
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1504 -ip 1504
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2276 -ip 2276
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1444 -ip 1444
1⤵
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3620 -ip 3620
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4936 -ip 4936
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4636 -ip 4636
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2584 -ip 2584
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6108 -ip 6108
1⤵
PID:5268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2bL2lje60SER.bat

Filesize
217B

MD5
685fdb4fb840d9bd43b38497a2761ece

SHA1
7fcbca62e8d073bf9f3f55abc9ec721d14b34ab3

SHA256
407282363d7e6911856ff56b568c3a4cc7a37a92375e716a3bacaf9e1592e814

SHA512
6f8ee620690112861a4510cc98d020185b13150f1e58d8cf64d67beda2d1c26fafd2a9a7e3c2d734f7db93977f65181457f233286ea507747657276cc66a70ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IbTK8sfrt0gR.bat

Filesize
217B

MD5
2f37ff992f6bf500f89129c5927d76b7

SHA1
06ea92b7401ddc4f850b513451b999ff28de7921

SHA256
68e313d9d98c7319c8eb47cf537ca65ccd6cf02c6f32cef5ac6402f25364faed

SHA512
c0d3d5b4fa6aa2f5de018ab63c6c0ec9789edc3766fcef9b139a1bf37921a44466524899bed9327393695e8c376fc87f5501c5a5cf8e26df47c59cfa9ef7936b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYwniprdrDzO.bat

Filesize
217B

MD5
1701d45b714cd15a417c58762e6638dd

SHA1
32f0d051a8eeeed92a819242927d8829e0ac5e92

SHA256
84ea584dc0d3e74fc2f438941cd84371f6bd696dd541b04f5ddbac0cc7927bf0

SHA512
043b89e5fdc647b1c159516a0d14e4d6226e0e72303ef0437edd49572f25058639a7ff95c91105419ba8efc64e75a5c953346c6ae3466db5a09b6c45caff3678

Download Submit
C:\Users\Admin\AppData\Local\Temp\KenxWZMSrLDQ.bat

Filesize
217B

MD5
fe15e4ea716c8b72b56bc6f4f750c5f0

SHA1
bc91aea75e49f7ee118dc976b9e275b05f8061f7

SHA256
3433c093cd8a4b53e112cd138f791b5bd1e3bf16ef73e6d9a484461840f32cff

SHA512
9b57fc4b6873e73178dfb6cde4dcfe46e2c1e591f94f555f6725201158864c28b54ee40d4fade0ef6aec7d562b370ff8e084b883caa702dae385ff1812857021

Download Submit
C:\Users\Admin\AppData\Local\Temp\TvrxU2NQ3zx3.bat

Filesize
217B

MD5
2f130187117a3b5f246520154325fa29

SHA1
36c9e79f276a33b64b2d476ca6fef9ada73d09fd

SHA256
dd206a0c7566464365adbcc4ca545f8917e11d5b8552b769e53b02227004d254

SHA512
c3f5a815e81cabf3152d018568e955bd2b5303e41bfb53562a5d9a324582d1cd20f4c273155c2c812b9830db94443466a927efbfe4f23d7a0c9cfa3ee92f0ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VHQmTwyDwxTR.bat

Filesize
217B

MD5
76bd9a19bacc3324ed49c178b5076a0a

SHA1
54ccc6792b71a366bda009fdaf786540cd71363b

SHA256
e2ad9ef94df9d547c9ccf72ae0bd6ddd882fadf3eacdc21bf7cdfc030b1fd611

SHA512
3bbef372ecafbaaee382b7fc9c59333eb652f193e6ab9cd8d8c42dd0cb5abb62d8dffefea720f0e4a6a97283db30c43b6ebae5d8e1b2c47c3a087fbbef747ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF0uyQK2UPLq.bat

Filesize
217B

MD5
cd974b9789d7ee38d7eac2e5d2250176

SHA1
59484372b87c35d98f45a73159a858a2d2dcc5c5

SHA256
58b7404458e3d46205028c9b1b39e8d52b4c719ca8463fac9823b23cf25c2ba3

SHA512
9c4fb76c09b227978191d4359f2820589aac517509f13bfb13e028c84fe2535453836945b8a377cdd4cc643cb8aa3dc76a71819de9525d0d827ff64bfba435df

Download Submit
C:\Users\Admin\AppData\Local\Temp\YY4CYH7bLZAC.bat

Filesize
217B

MD5
d24daa618b9c0e6a8798efd999aa241f

SHA1
08275d28b181c611fb238ad465ed27d4a4c0a886

SHA256
cdcdbbf25ce0656480c242c64d468ab90131da79a6bffb8fb234f08325d90fd2

SHA512
044d0a7bccd084aeb27da5d1e082bcbac679d83bf032c271c8e8bc3b12cdb489c5176fb045c6d144fc90989df4f5221a4d382b1c1f3b9b39a07736118715955d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOxiInXyNP4E.bat

Filesize
217B

MD5
5d8ceda1e21299e532a473b477e4581b

SHA1
d6d75531870ad0bba3ddb6adc2c732585df5511c

SHA256
23d8bfa23986823084fb2938206f2fa00b9a35b03e38bb8c57302816565a3603

SHA512
21a76d3638b12a51b09e36a4bffbeac1202abb0c30ff6f1c26b1f78c8c99b4af1947ed397c7db39fc8e5a0592db2e5bdf9d67279feb6e44c66f73ca2492777eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8ahAmdUoW1l.bat

Filesize
217B

MD5
eb47c62e59311113ee5bb2865a064778

SHA1
b967ef6ffbe58fd67dae53ac7d9dea7a350e95a4

SHA256
57adbd30bdbc5abea79d21480bbcbacfdbad8bf739fdf4c6fd5864a9ecee3348

SHA512
8c4ce5db3787bb254bf1961baf0ba12a849ca7993b0021548a5aea41cf3c9de3fc6fe39c116a8971fa4c2ced7b6c1a259802928df5d607685daaf0b691de89d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfxlQIsp7x0t.bat

Filesize
217B

MD5
0f56969f475de2a567e1239fdc8686c4

SHA1
4de69a25fa16b83f1dafb20d5264207cd1a342a5

SHA256
44ed1ad19544dd4860919299be839e91ea228bd6c616029edd0cfd8355c48b4c

SHA512
800b2c25c2715a2ab0236283f5b47ee27544c8fc6576142ef52185fd73693e440fd6d03605a65a677e887cc0cd1c4c4b5bb212e2e2d56517d9bcc5a0668558e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBWTg075GS1P.bat

Filesize
217B

MD5
a4e958156c9da038da677348c5d41f61

SHA1
90c1c55f958e4e063ed47b85eb718354120c6753

SHA256
f6b7aa84ec42c089a80207ab9203e9b943d0b1f21e254e5f082e304fd2d9fd53

SHA512
4197a077216ce6e3578b0038791ab2152af007c216b9c493cb380e9269fcfa25ee77d159bcf2264e4d631a835f12019dd10af32a99fa64b086ae0902d3b9c44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uPFT34x5a1Sn.bat

Filesize
217B

MD5
40964a204b8f1beb7f097a268794218e

SHA1
df2dbf0b1d3018521fb3a3717fbe959e8fcde338

SHA256
b90cf9ab23a64e6f60498622804793f975886d402c503c5a6b4e3fc886265ed5

SHA512
096e675d3dfd9616cbbb387eb28d3ff96ab24ac02243f26885826d5512389f6bac2741ea92bf120e092ba4a4a5a260c85d9b07fd55eb234e269ba43c9260fc55

Download Submit
C:\Users\Admin\AppData\Roaming\JavaUpdater\Javaupdater.exe

Filesize
431KB

MD5
cb593528c628b13296746bfd449ab801

SHA1
a7de38df3678915f2df0f741dea35a55434c4a26

SHA256
211cd98e00387b71c9a8c75649ce6c3ec1c595964abede78960d5d9f233b06bc

SHA512
8f584d9ddf9cf0aeb3cf668f0b82416ce09f73f1fa41711fcdac2c9ad7e79f0661983f7e92c61b06bbb0fd1330ececa065278b4735853d0b323aba663b3497fa

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
6ae769025b0a7ffdd35da868ed54815c

SHA1
512f3cc180b99c60dbfcddcf93c37483ec50a7d0

SHA256
c045fbb79788c8c9ea2f2f5992425dc0965237968018618eddaa7318910a8cb7

SHA512
75394a0b91f46a6a58e20d7ff2f629c49b642ed9fd980ffd406b615300febc890802533adc47e5b3c42d93c8fe5bf8f0a3c53b913b7df8b427f74e45f403f5df

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
4b516c0ebbd2960d78213a7ed3010605

SHA1
dfea6f32efa7f6f4bfc1a6d8451a551a7b20541c

SHA256
bef146ad30bd2e9856ec248c01cd673ba16fa87a47604b330bcee2eca2072f51

SHA512
b06ec84ffed7c1de4284624c04ab3f120137722bb0802b2b4143c6bf1cac7425ae6dc51df81121aa95198517e91c51a4e302846a3021d7e067464d625ad35109

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
84f2beab40f16aa81630ad3116dd5497

SHA1
740091f8c1b7ae3645dc2bfc03ecf72b5d55b270

SHA256
d5925a96e09cb32adf56b35a13838c37928e3d19fa8398f06b6a44d87fd4d05f

SHA512
9547141e6ac2892d1fc579ad583c7df3aa8028bcbc789c8f37cd63ac913f6cfdb88f908c8334b48851c52bf286de851af31507bcc172d386052e22e3f7f0555a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
aabfe6547eaf86b922e1c2f873277a77

SHA1
d6bf57ebb9360d5eb01a0b6ffc60a3b7dccc6e15

SHA256
dfde77455bdfa4e661c66deeb718e736e0d31b89631abff7bc86d103e3205018

SHA512
2f52811b30dc4e67755fa7652b9551188ed813b3ffab1db99ce1642486e19d9ebd6961964a2876c39f3fba43e8f02bc41ebbd5eb421f68b599a9e2c35e9f6565

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
8e2f07ad34b3042e301618e2ac15333a

SHA1
3f5a486c30596b2732d31675bbb5e617d2b017c1

SHA256
273caf0ca6e94fd335ffacaf02f358794aaa88a9e1882c8984858979ef14f913

SHA512
1e90677e850234175c21568991288a541b32046c9a22668eff78458b2b1cec251d98e3b30732d9028b0a5b44c6bef74a4817598a633d9af365d83c968d1bd660

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
f8414e5f5c47fbf0d64a064a44eab024

SHA1
ad542a5cd5cc03a34cd5d88359f5f4943001cb0b

SHA256
8cd09eb795ee91a65ed2e9b68e1b985b6433d2543560aaa084a4ad8c4b103a9a

SHA512
b0c656f663bddd5a85eb61a2ed9251c2a493732d6c34aae3253a70e801aeeea9a979f5f5b6172ede8892b7e5e8fec175fef8af12e214debbdf5afe3fbb0120da

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
fa83e4b8a86058b8e0d72ae4976acbef

SHA1
1b6e371dd7f53873885316a197e2ff87a2d83f36

SHA256
1220122255d518f0819a083317dacc4476219d836fa022271935578f0f82b895

SHA512
713e6b5550758afbbdfc4766cc0f95a57090eb0c4182c74801abd7191eeb769f3f09156b7b686dd65923950ede743671beefc72d6ce1d5da4af75900365269ec

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
793514b2ab8b3e99a9528bc4df00347f

SHA1
e3d18861e5848651be2ee7016f21188c431221be

SHA256
bddab927c770e10c01fab51dba9b9aa9e8651d22cc374f078081dbe8dbad4f18

SHA512
22de13e2ddae28dcabaa46a81fa736b9d182641c67471cd5153c284170bf989047b5a9ede46c4705235b240c0dac0321f7eb8cb59e62b5224613cc2ae663a791

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
9d3574becd7490c89890bcf01de9f2d2

SHA1
2a5eaedf3d91cc0fdf6f5c78532dc30f3f5b872a

SHA256
95033c13deb8db6fea02b980b7fe705ec31513be7ad8c26fcb6bb9c4d9ccbd3a

SHA512
304dd55785f7507705966ac080c63a3adbfb3ea4db23705528f4a1af2057c3f2aa0dfcd5cf3ba94b46cfd713016be578ef8c6bcc65ce1439ec3cb2afe619ae13

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
824a343b7d40223375e75821c223751d

SHA1
dc71d427eb4b643d3931902916a0999c7598c9e9

SHA256
c99468490ecf47bcef0f072a89c9001c1e59bea0f48a6857f77f5c464bccd42f

SHA512
1eaab3b90e007844e1e203ca387e4e0e60dcb9f8e0f4220a74f0bc77a290c308c1aa9722eb0374200edc78460ab6c4876223c15378adaf7010ae354f696714ad

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
113fd6b246f6487ef7df9045d1fce53f

SHA1
d329d6289faa9975ed2631f7a501a6f45f7ae437

SHA256
2b1ee82859e57903c401db85ff50c46bdcbafce0a55be989fcb226bd35a6aa2d

SHA512
d49ccfc2fb8eef5f785befcad57aa6c61bd1870673b84fe29e4522034a6b5ca48f4af56b6769d9034c7a392ff1c55eb807207fa9169f9d10c2caa884c8e34f69

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\02-22-2025

Filesize
224B

MD5
5fcfb2a4ff50f091d8c2e8a657875c41

SHA1
109c5080a6da3174d9ea7dccd879e8a7474ba9be

SHA256
825b089c54a1d967da9232c0a427cc4227dfba54da2f2a1f1e36e2b59efbb99a

SHA512
ee05521cf7531cd456985d0987cc5f3f4694f18b902788177d203d547475ae7279de4201304ff2180d3765d9c00add6399ab4e431fca8024fa34a74f49904267

Download Submit
memory/2228-4-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/2228-0-0x000000007534E000-0x000000007534F000-memory.dmp

Filesize
4KB

Download
memory/2228-7-0x0000000006790000-0x00000000067CC000-memory.dmp

Filesize
240KB

Download
memory/2228-6-0x0000000005A90000-0x0000000005AA2000-memory.dmp

Filesize
72KB

Download
memory/2228-14-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/2228-5-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/2228-3-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/2228-2-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/2228-1-0x0000000000C00000-0x0000000000C72000-memory.dmp

Filesize
456KB

Download
memory/4904-15-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-16-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-23-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-18-0x00000000060D0000-0x00000000060DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads