latentbot | c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Size

3.2MB
MD5

0a717705a7797e35b6f5af62ffe43abb
SHA1

4c823754c6cebe13ae0aec7ba874318f20445145
SHA256

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512

75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead
SSDEEP

98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1

Score

10^/10

latentbot quasar hugrix discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hugrix

prxprodquasar.zapto.org:4782

Mutex

ad6032ec-a1ba-49fe-a6c9-21a847436cda

Attributes

encryption_key
7AB142AC063BEB01BE33EE315E2D0BBA3E071A0B
install_name
JavaUpdater.exe
log_directory
JavaInstallLogs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
Java

Extracted

Family

latentbot

prxprodquasar.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/memory/2260-1-0x0000000000EB0000-0x00000000011EE000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015f81-6.dat	family_quasar
behavioral1/memory/2640-8-0x0000000000BB0000-0x0000000000EEE000-memory.dmp	family_quasar
behavioral1/memory/648-23-0x0000000001010000-0x000000000134E000-memory.dmp	family_quasar
behavioral1/memory/2928-96-0x00000000013B0000-0x00000000016EE000-memory.dmp	family_quasar
behavioral1/memory/3040-159-0x00000000001E0000-0x000000000051E000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2640	JavaUpdater.exe
648	JavaUpdater.exe
1900	JavaUpdater.exe
448	JavaUpdater.exe
1384	JavaUpdater.exe
1716	JavaUpdater.exe
1792	JavaUpdater.exe
2824	JavaUpdater.exe
2928	JavaUpdater.exe
2212	JavaUpdater.exe
2344	JavaUpdater.exe
1508	JavaUpdater.exe
2428	JavaUpdater.exe
1644	JavaUpdater.exe
3040	JavaUpdater.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File created	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2232	PING.EXE
1264	PING.EXE
2600	PING.EXE
2004	PING.EXE
2140	PING.EXE
1640	PING.EXE
2680	PING.EXE
1616	PING.EXE
2368	PING.EXE
2544	PING.EXE
2236	PING.EXE
696	PING.EXE
2640	PING.EXE
2164	PING.EXE
2684	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1616	PING.EXE
2164	PING.EXE
2368	PING.EXE
1264	PING.EXE
1640	PING.EXE
2680	PING.EXE
2232	PING.EXE
2640	PING.EXE
2600	PING.EXE
2004	PING.EXE
2236	PING.EXE
696	PING.EXE
2684	PING.EXE
2544	PING.EXE
2140	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
540	schtasks.exe
1628	schtasks.exe
2960	schtasks.exe
1620	schtasks.exe
2792	schtasks.exe
2428	schtasks.exe
2592	schtasks.exe
3068	schtasks.exe
2328	schtasks.exe
2788	schtasks.exe
2852	schtasks.exe
2680	schtasks.exe
2812	schtasks.exe
1780	schtasks.exe
1148	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Token: SeDebugPrivilege	2640	JavaUpdater.exe
Token: SeDebugPrivilege	648	JavaUpdater.exe
Token: SeDebugPrivilege	1900	JavaUpdater.exe
Token: SeDebugPrivilege	448	JavaUpdater.exe
Token: SeDebugPrivilege	1384	JavaUpdater.exe
Token: SeDebugPrivilege	1716	JavaUpdater.exe
Token: SeDebugPrivilege	1792	JavaUpdater.exe
Token: SeDebugPrivilege	2824	JavaUpdater.exe
Token: SeDebugPrivilege	2928	JavaUpdater.exe
Token: SeDebugPrivilege	2212	JavaUpdater.exe
Token: SeDebugPrivilege	2344	JavaUpdater.exe
Token: SeDebugPrivilege	1508	JavaUpdater.exe
Token: SeDebugPrivilege	2428	JavaUpdater.exe
Token: SeDebugPrivilege	1644	JavaUpdater.exe
Token: SeDebugPrivilege	3040	JavaUpdater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	JavaUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2792	2260	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	30
PID 2260 wrote to memory of 2792	2260	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	30
PID 2260 wrote to memory of 2792	2260	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	30
PID 2260 wrote to memory of 2640	2260	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	32
PID 2260 wrote to memory of 2640	2260	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	32
PID 2260 wrote to memory of 2640	2260	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	32
PID 2640 wrote to memory of 2812	2640	JavaUpdater.exe	33
PID 2640 wrote to memory of 2812	2640	JavaUpdater.exe	33
PID 2640 wrote to memory of 2812	2640	JavaUpdater.exe	33
PID 2640 wrote to memory of 1584	2640	JavaUpdater.exe	35
PID 2640 wrote to memory of 1584	2640	JavaUpdater.exe	35
PID 2640 wrote to memory of 1584	2640	JavaUpdater.exe	35
PID 1584 wrote to memory of 2596	1584	cmd.exe	37
PID 1584 wrote to memory of 2596	1584	cmd.exe	37
PID 1584 wrote to memory of 2596	1584	cmd.exe	37
PID 1584 wrote to memory of 2140	1584	cmd.exe	38
PID 1584 wrote to memory of 2140	1584	cmd.exe	38
PID 1584 wrote to memory of 2140	1584	cmd.exe	38
PID 1584 wrote to memory of 648	1584	cmd.exe	39
PID 1584 wrote to memory of 648	1584	cmd.exe	39
PID 1584 wrote to memory of 648	1584	cmd.exe	39
PID 648 wrote to memory of 2928	648	JavaUpdater.exe	40
PID 648 wrote to memory of 2928	648	JavaUpdater.exe	40
PID 648 wrote to memory of 2928	648	JavaUpdater.exe	40
PID 648 wrote to memory of 1988	648	JavaUpdater.exe	42
PID 648 wrote to memory of 1988	648	JavaUpdater.exe	42
PID 648 wrote to memory of 1988	648	JavaUpdater.exe	42
PID 1988 wrote to memory of 576	1988	cmd.exe	44
PID 1988 wrote to memory of 576	1988	cmd.exe	44
PID 1988 wrote to memory of 576	1988	cmd.exe	44
PID 1988 wrote to memory of 2232	1988	cmd.exe	45
PID 1988 wrote to memory of 2232	1988	cmd.exe	45
PID 1988 wrote to memory of 2232	1988	cmd.exe	45
PID 1988 wrote to memory of 1900	1988	cmd.exe	46
PID 1988 wrote to memory of 1900	1988	cmd.exe	46
PID 1988 wrote to memory of 1900	1988	cmd.exe	46
PID 1900 wrote to memory of 540	1900	JavaUpdater.exe	47
PID 1900 wrote to memory of 540	1900	JavaUpdater.exe	47
PID 1900 wrote to memory of 540	1900	JavaUpdater.exe	47
PID 1900 wrote to memory of 2520	1900	JavaUpdater.exe	49
PID 1900 wrote to memory of 2520	1900	JavaUpdater.exe	49
PID 1900 wrote to memory of 2520	1900	JavaUpdater.exe	49
PID 2520 wrote to memory of 1624	2520	cmd.exe	51
PID 2520 wrote to memory of 1624	2520	cmd.exe	51
PID 2520 wrote to memory of 1624	2520	cmd.exe	51
PID 2520 wrote to memory of 2236	2520	cmd.exe	52
PID 2520 wrote to memory of 2236	2520	cmd.exe	52
PID 2520 wrote to memory of 2236	2520	cmd.exe	52
PID 2520 wrote to memory of 448	2520	cmd.exe	53
PID 2520 wrote to memory of 448	2520	cmd.exe	53
PID 2520 wrote to memory of 448	2520	cmd.exe	53
PID 448 wrote to memory of 2328	448	JavaUpdater.exe	54
PID 448 wrote to memory of 2328	448	JavaUpdater.exe	54
PID 448 wrote to memory of 2328	448	JavaUpdater.exe	54
PID 448 wrote to memory of 2060	448	JavaUpdater.exe	56
PID 448 wrote to memory of 2060	448	JavaUpdater.exe	56
PID 448 wrote to memory of 2060	448	JavaUpdater.exe	56
PID 2060 wrote to memory of 1092	2060	cmd.exe	58
PID 2060 wrote to memory of 1092	2060	cmd.exe	58
PID 2060 wrote to memory of 1092	2060	cmd.exe	58
PID 2060 wrote to memory of 1264	2060	cmd.exe	59
PID 2060 wrote to memory of 1264	2060	cmd.exe	59
PID 2060 wrote to memory of 1264	2060	cmd.exe	59
PID 2060 wrote to memory of 1384	2060	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2792
- C:\Windows\system32\Java\JavaUpdater.exe
  "C:\Windows\system32\Java\JavaUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2812
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\do9rQ9l0Cbg1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2596
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2140
  - - C:\Windows\system32\Java\JavaUpdater.exe
      "C:\Windows\system32\Java\JavaUpdater.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEaWrhSiaMn3.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:576
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2232
      - C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:540
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qx1Ruko14yPo.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HNACr3kRV6P9.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1264
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cp2tyv8OYe8x.bat" "
        11⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PlCvQ0oMV97Q.bat" "
        13⤵
        
        PID:1632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\roZw2iZc2X5d.bat" "
        15⤵
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pxkQIPN0ijlF.bat" "
        17⤵
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ydn4zkCsRhxU.bat" "
        19⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1616
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0j3OJbWGSEkK.bat" "
        21⤵
        
        PID:812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2600
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\68W9NF5kTJvG.bat" "
        23⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2164
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CXSR3jUgn0zP.bat" "
        25⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y0Tzz1wy2zAk.bat" "
        27⤵
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1qVTedZSfqPH.bat" "
        29⤵
        
        PID:1956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oVAxfZ6F9U7B.bat" "
        31⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0j3OJbWGSEkK.bat

Filesize
199B

MD5
88d275d5273fb21d217e3b264e5c1a4f

SHA1
a81d0d7de0c944aa9a41ecd80e6305eaf101cba4

SHA256
6f77cba3d6aeb8d859bc7c5cf15fe3a49ecf14fed20f291fdf0a8febbafbdbd0

SHA512
e448088af66a81475af001ef9b9e30a684956ee536168e247e43c0f56c4bde6e9e536edddd7d4af77b7ba859f344dbec09a9e69023df03741c87f9d924727252

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qVTedZSfqPH.bat

Filesize
199B

MD5
f675d679b3749deda969dd1eb8a136b8

SHA1
632b2cbf7fb742f44a88b544b58023f4d8d8902c

SHA256
f0e79de4c8f7d47f5cadc809927962c513ca31c0a30340a299208e0789d61b0a

SHA512
204d466570b128a9713e5013e2e572aff34bce80aaf41508c29b3bc4e930128225009856ed4349e8f31756f9539380348a4a000b66adcce64c2623f805f79a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\68W9NF5kTJvG.bat

Filesize
199B

MD5
ab30d1e922fb4a490a4f422f3918edbd

SHA1
9cbe215db7b951ae4955c46ded3a16ceefcf5811

SHA256
082f7ce69fa5fa2026985cd024b70bd81b83db549f0f8d0a7e5e6b06fc984fa5

SHA512
9f764663997a96cdc425263469e5f0c45685cccb940734e17ef7e072e73bcd32901ebbf534148003fff0184ba270b743dccaf09a06e4242e5621d30cb58a4e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\CXSR3jUgn0zP.bat

Filesize
199B

MD5
36c98362e3712ddd6eb9af25e8cda217

SHA1
6c919c99d95f2fa9255edfce02cfb9e3a375147a

SHA256
c77c14352675b5c54a1cd14e755e6dac15ea00c9b4e38fa9882ba35aa802a681

SHA512
a8ec761d85afc6785cce73c4c831e21e458d89eec66ca8b4c624ff3a11c2c4b7ef216a93a08e9b1e6a244ff4d8224024d5468663689965740944a8abdfb88e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\HNACr3kRV6P9.bat

Filesize
199B

MD5
8019bfb59b0f8591951f6d8829d1928a

SHA1
dab205c6bf1675297d08578af303a7edab654652

SHA256
8381a2f3955b6ab4d327dc44d52e5ca76d727296802070629d92fd7bbfb714d9

SHA512
c05ee4b978097f179823c9fe7d71e122e57715dcfcb567051e55e70822d8cf22d9c46832c9a963e50ce38b5d263de200f08855497c4f1f27845f6a680e1a847b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlCvQ0oMV97Q.bat

Filesize
199B

MD5
2a5ce009958f48556165cded9af9ca76

SHA1
60f57878011bb0c16a720323e4d87788a9a9180f

SHA256
67b4997718aba2343efa9a08466e5969e0ba882b51027ca890003758d4854980

SHA512
78831beab1e0c50976185098765b468e6b9887bdb0382a7d0239ee4e7483b2808ac281ccd1a5f0f3b634bde298f44c00ea890d876218737c72fef41d97cc63ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qx1Ruko14yPo.bat

Filesize
199B

MD5
6ec9a55018b269c34aad2b4db65d5c64

SHA1
6ee30316ece927360b703dfa459d44fd87843121

SHA256
11466ab61b842eb4ca13934b32a1adce4b0be21ec81b95f9bfdfd115cfd3d4e3

SHA512
21051b8c6b3d7f3e748c14dfbb0d781f4a5bab2328a53b4df848cb774c2b3f1cdc6da02e588ef49dbc079cffe1b2a88043dd4560d37c2b06fc0351543d779668

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y0Tzz1wy2zAk.bat

Filesize
199B

MD5
abc6d2a3c8114ace34773a29dd652d63

SHA1
c72f8d451880e3247d8240aba4c7307593969c1f

SHA256
cfd10659b50b1a144cd0811698650238df465d41ee290961860f6c721a95bb27

SHA512
4dd1972bd35830184e3504e7606c556e60e262164307760f11a11144e626cd7337fc08b135e9b4ce2022cd904b2a94ff322ecd383c73196e9a3ca934dc587612

Download Submit
C:\Users\Admin\AppData\Local\Temp\cp2tyv8OYe8x.bat

Filesize
199B

MD5
d5ac59c22ca62011aba98d75acc5bdf9

SHA1
b12fb38249e9bd60b6379fd281cd9b0719d0cb10

SHA256
1598bc1ab651665acf74ab4a7266c4add40513b020afd4c59baea41c9b510505

SHA512
9310aadc82f717046f84d57f0f31d21af70a6d5362f619e0bfd1a098c274fa99b152c27d12419d42196f9d1aa43b4e4aa6d79d868fe16a812c1abb9da9730955

Download Submit
C:\Users\Admin\AppData\Local\Temp\do9rQ9l0Cbg1.bat

Filesize
199B

MD5
b3ebaab1226e7d8925597cac1283c223

SHA1
8446e9ad6654dc99f488fd03d23766c262faaf90

SHA256
07340e5af0eb2f008f12b52c5ff304014eb37a1afd7fbb3ab58c8445779a3bbc

SHA512
8234af6e63b1d395cb582b3d60ad7534f3d34e97d77c03745289604dc8eb76193a59729259144e72963645133af2f7769fdb42b1941cb0297e5c36b812e56e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEaWrhSiaMn3.bat

Filesize
199B

MD5
b7f15a470dab90b97726aeddbaf0ecf8

SHA1
6080536382546a55d5c9c55d6507a2b57a834cdc

SHA256
1eb835cd4000012b6ac29d39e2c513dd7dd5f476c79c4777e5ef072299fa0e74

SHA512
ff14aa11dda95700f1016d55df2c43581386057610a305241f809a6c0c09223b9223cd4e9c986424d90d0b8bb42479b071aee168fc0778886aa8f669ecf07cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVAxfZ6F9U7B.bat

Filesize
199B

MD5
a61897cda9835b2ed3d8cf2d56521287

SHA1
2cdb3691b6ff98fb5d911832a547da3d97a63d8f

SHA256
8ea1c598894d503ab58cff629c4c6a6fb06df9221009578d28e25a785b139dfc

SHA512
48f48beec14d650971bf8a36aa42179ea4e8b6ea71cedb0af42f272879e1a68501188c362c2d5bcc18792e9b4b2081e6c0e46111f469c9c826b62d7acbb00c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxkQIPN0ijlF.bat

Filesize
199B

MD5
5e5c3e800df4429d6e07c8d332b096c2

SHA1
b02ce5a1cc69eb2817117b01a0337f773073d94a

SHA256
ae9c88062bc230011c931c7be4c36cb87db6ee69340c88f8342def381e94c275

SHA512
ad4998d3bd83b4524ca30aa52fe64e7f8832748601b11bce2dbd9ba94a452cd013929e30d393a3ade5cb2006607212e3ec2ad938b49e77b8800af604b8709073

Download Submit
C:\Users\Admin\AppData\Local\Temp\roZw2iZc2X5d.bat

Filesize
199B

MD5
820bd1ac18e0f7e31929a6acd1755209

SHA1
92e983649b0e45ce47a12e1aa9c8a6fb903277b2

SHA256
fdd607f17075600bc4751ee83b8fc9861f23272fe0e2ea7446985d7fba0cc929

SHA512
108cbe59932e020ce3ec53b92ed324cb5c435e6d78ab35402ef1c05d5dddd60c3286b2d328cda03bd3a78afe7097af84ebc512ee6ce297c60a97af594d59f42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydn4zkCsRhxU.bat

Filesize
199B

MD5
d4d28481fdef33bc4bd7ac7ce6c93cc6

SHA1
0c2d878bf4fcbecc2240e94b58731c4bb228c513

SHA256
917f23952a9b71e5d340cefdef6faed2b0c8189a65ff4e4a3448c75777298120

SHA512
f81db5fc1e96ed810efd96dd91c83a46fae225c91143a72408107ad4dfab8e32a603c438c75146aefec9d131e220c181228fbab18574ceede0c5c940315e2a63

Download Submit
C:\Windows\System32\Java\JavaUpdater.exe

Filesize
3.2MB

MD5
0a717705a7797e35b6f5af62ffe43abb

SHA1
4c823754c6cebe13ae0aec7ba874318f20445145

SHA256
c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

SHA512
75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

Download Submit
memory/648-23-0x0000000001010000-0x000000000134E000-memory.dmp

Filesize
3.2MB

Download
memory/2260-21-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-1-0x0000000000EB0000-0x00000000011EE000-memory.dmp

Filesize
3.2MB

Download
memory/2260-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/2640-8-0x0000000000BB0000-0x0000000000EEE000-memory.dmp

Filesize
3.2MB

Download
memory/2640-9-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-20-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-10-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2928-96-0x00000000013B0000-0x00000000016EE000-memory.dmp

Filesize
3.2MB

Download
memory/3040-159-0x00000000001E0000-0x000000000051E000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads