latentbot | c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Size

3.2MB
MD5

0a717705a7797e35b6f5af62ffe43abb
SHA1

4c823754c6cebe13ae0aec7ba874318f20445145
SHA256

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512

75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead
SSDEEP

98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1

Score

10^/10

latentbot quasar hugrix discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hugrix

prxprodquasar.zapto.org:4782

Mutex

ad6032ec-a1ba-49fe-a6c9-21a847436cda

Attributes

encryption_key
7AB142AC063BEB01BE33EE315E2D0BBA3E071A0B
install_name
JavaUpdater.exe
log_directory
JavaInstallLogs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
Java

Extracted

Family

latentbot

prxprodquasar.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4808-1-0x0000000000FF0000-0x000000000132E000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023db3-7.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe

Executes dropped EXE 15 IoCs

pid	Process
2996	JavaUpdater.exe
5116	JavaUpdater.exe
3324	JavaUpdater.exe
3760	JavaUpdater.exe
4956	JavaUpdater.exe
3948	JavaUpdater.exe
2284	JavaUpdater.exe
2516	JavaUpdater.exe
2940	JavaUpdater.exe
3004	JavaUpdater.exe
4696	JavaUpdater.exe
2120	JavaUpdater.exe
3196	JavaUpdater.exe
4728	JavaUpdater.exe
180	JavaUpdater.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File created	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3004	PING.EXE
3472	PING.EXE
2944	PING.EXE
4248	PING.EXE
3940	PING.EXE
4980	PING.EXE
1864	PING.EXE
1492	PING.EXE
3016	PING.EXE
2248	PING.EXE
412	PING.EXE
2532	PING.EXE
4836	PING.EXE
3052	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4980	PING.EXE
3052	PING.EXE
2248	PING.EXE
3004	PING.EXE
3472	PING.EXE
412	PING.EXE
4248	PING.EXE
1864	PING.EXE
1492	PING.EXE
3016	PING.EXE
2944	PING.EXE
2532	PING.EXE
4836	PING.EXE
3940	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
396	schtasks.exe
4960	schtasks.exe
2000	schtasks.exe
3780	schtasks.exe
2812	schtasks.exe
3404	schtasks.exe
4440	schtasks.exe
4724	schtasks.exe
3364	schtasks.exe
4368	schtasks.exe
32	schtasks.exe
2528	schtasks.exe
4316	schtasks.exe
2784	schtasks.exe
3036	schtasks.exe
4344	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Token: SeDebugPrivilege	2996	JavaUpdater.exe
Token: SeDebugPrivilege	5116	JavaUpdater.exe
Token: SeDebugPrivilege	3324	JavaUpdater.exe
Token: SeDebugPrivilege	3760	JavaUpdater.exe
Token: SeDebugPrivilege	4956	JavaUpdater.exe
Token: SeDebugPrivilege	3948	JavaUpdater.exe
Token: SeDebugPrivilege	2284	JavaUpdater.exe
Token: SeDebugPrivilege	2516	JavaUpdater.exe
Token: SeDebugPrivilege	2940	JavaUpdater.exe
Token: SeDebugPrivilege	3004	JavaUpdater.exe
Token: SeDebugPrivilege	4696	JavaUpdater.exe
Token: SeDebugPrivilege	2120	JavaUpdater.exe
Token: SeDebugPrivilege	3196	JavaUpdater.exe
Token: SeDebugPrivilege	4728	JavaUpdater.exe
Token: SeDebugPrivilege	180	JavaUpdater.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	JavaUpdater.exe
2940	JavaUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4724	4808	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	93
PID 4808 wrote to memory of 4724	4808	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	93
PID 4808 wrote to memory of 2996	4808	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	95
PID 4808 wrote to memory of 2996	4808	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	95
PID 2996 wrote to memory of 4960	2996	JavaUpdater.exe	96
PID 2996 wrote to memory of 4960	2996	JavaUpdater.exe	96
PID 2996 wrote to memory of 4612	2996	JavaUpdater.exe	98
PID 2996 wrote to memory of 4612	2996	JavaUpdater.exe	98
PID 4612 wrote to memory of 3064	4612	cmd.exe	100
PID 4612 wrote to memory of 3064	4612	cmd.exe	100
PID 4612 wrote to memory of 3016	4612	cmd.exe	101
PID 4612 wrote to memory of 3016	4612	cmd.exe	101
PID 4612 wrote to memory of 5116	4612	cmd.exe	109
PID 4612 wrote to memory of 5116	4612	cmd.exe	109
PID 5116 wrote to memory of 3364	5116	JavaUpdater.exe	110
PID 5116 wrote to memory of 3364	5116	JavaUpdater.exe	110
PID 5116 wrote to memory of 3280	5116	JavaUpdater.exe	112
PID 5116 wrote to memory of 3280	5116	JavaUpdater.exe	112
PID 3280 wrote to memory of 3636	3280	cmd.exe	114
PID 3280 wrote to memory of 3636	3280	cmd.exe	114
PID 3280 wrote to memory of 2248	3280	cmd.exe	115
PID 3280 wrote to memory of 2248	3280	cmd.exe	115
PID 3280 wrote to memory of 3324	3280	cmd.exe	116
PID 3280 wrote to memory of 3324	3280	cmd.exe	116
PID 3324 wrote to memory of 2000	3324	JavaUpdater.exe	117
PID 3324 wrote to memory of 2000	3324	JavaUpdater.exe	117
PID 3324 wrote to memory of 2784	3324	JavaUpdater.exe	119
PID 3324 wrote to memory of 2784	3324	JavaUpdater.exe	119
PID 2784 wrote to memory of 836	2784	cmd.exe	121
PID 2784 wrote to memory of 836	2784	cmd.exe	121
PID 2784 wrote to memory of 3004	2784	cmd.exe	122
PID 2784 wrote to memory of 3004	2784	cmd.exe	122
PID 2784 wrote to memory of 3760	2784	cmd.exe	130
PID 2784 wrote to memory of 3760	2784	cmd.exe	130
PID 3760 wrote to memory of 4368	3760	JavaUpdater.exe	131
PID 3760 wrote to memory of 4368	3760	JavaUpdater.exe	131
PID 3760 wrote to memory of 4224	3760	JavaUpdater.exe	133
PID 3760 wrote to memory of 4224	3760	JavaUpdater.exe	133
PID 4224 wrote to memory of 932	4224	cmd.exe	136
PID 4224 wrote to memory of 932	4224	cmd.exe	136
PID 4224 wrote to memory of 3472	4224	cmd.exe	137
PID 4224 wrote to memory of 3472	4224	cmd.exe	137
PID 4224 wrote to memory of 4956	4224	cmd.exe	143
PID 4224 wrote to memory of 4956	4224	cmd.exe	143
PID 4956 wrote to memory of 4316	4956	JavaUpdater.exe	144
PID 4956 wrote to memory of 4316	4956	JavaUpdater.exe	144
PID 4956 wrote to memory of 5032	4956	JavaUpdater.exe	146
PID 4956 wrote to memory of 5032	4956	JavaUpdater.exe	146
PID 5032 wrote to memory of 4856	5032	cmd.exe	148
PID 5032 wrote to memory of 4856	5032	cmd.exe	148
PID 5032 wrote to memory of 412	5032	cmd.exe	149
PID 5032 wrote to memory of 412	5032	cmd.exe	149
PID 5032 wrote to memory of 3948	5032	cmd.exe	150
PID 5032 wrote to memory of 3948	5032	cmd.exe	150
PID 3948 wrote to memory of 2784	3948	JavaUpdater.exe	151
PID 3948 wrote to memory of 2784	3948	JavaUpdater.exe	151
PID 3948 wrote to memory of 3540	3948	JavaUpdater.exe	153
PID 3948 wrote to memory of 3540	3948	JavaUpdater.exe	153
PID 3540 wrote to memory of 4916	3540	cmd.exe	155
PID 3540 wrote to memory of 4916	3540	cmd.exe	155
PID 3540 wrote to memory of 2944	3540	cmd.exe	156
PID 3540 wrote to memory of 2944	3540	cmd.exe	156
PID 3540 wrote to memory of 2284	3540	cmd.exe	157
PID 3540 wrote to memory of 2284	3540	cmd.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4724
- C:\Windows\system32\Java\JavaUpdater.exe
  "C:\Windows\system32\Java\JavaUpdater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d1wkSZR4fmj4.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3064
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3016
  - - C:\Windows\system32\Java\JavaUpdater.exe
      "C:\Windows\system32\Java\JavaUpdater.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e1NXaqSldK7V.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3636
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
      - C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PnOxNyztQxNa.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lJvMH5DdbHfg.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3472
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WRDmHF1LOYls.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:412
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMUVjkB92MOg.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2944
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3LmQFAVC7eyi.bat" "
        15⤵
        
        PID:3436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2532
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QP1AzgUmWu4.bat" "
        17⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4836
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\knv9OWyW2IA6.bat" "
        19⤵
        
        PID:3016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4248
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:32
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9TcFB4CGL9JP.bat" "
        21⤵
        
        PID:3760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3940
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZ0vaYJZLGFq.bat" "
        23⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4980
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XP79SJhszHVt.bat" "
        25⤵
        
        PID:3416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1864
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HPcWzIj05pPy.bat" "
        27⤵
        
        PID:4376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fDGRHixDpAaA.bat" "
        29⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWwzSBhRT0jA.bat" "
        31⤵
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JavaUpdater.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3LmQFAVC7eyi.bat

Filesize
199B

MD5
5557aac69c3478ff7d1386d07bf78a52

SHA1
26c6f5e8055cbc92e3b981ee58fe461d3388fc75

SHA256
362e14825e03e057f00bd89816740b4c06312ca7ef0ccc5ff7e2533f156be98a

SHA512
45143507481addca77e320286fe67e20a147cc5d7a411c66dd35b445efed217cc678e31738710e65215a6bc8015fb27fd0e8c753176c751cb4a1afb1b64ca861

Download Submit
C:\Users\Admin\AppData\Local\Temp\5QP1AzgUmWu4.bat

Filesize
199B

MD5
b86b6ee40906deb8c92399b8b27038d3

SHA1
504fefa3c9cb0c5a31bef67a30d919f96ee6dff7

SHA256
1678ee6cc679d2f9cd631fcc7b73a20587f1bb2b86507415ec9805b94ad5e076

SHA512
86136a9e8f250683aa04b4bb978da9ca8070c3624923d182fb0129a41c392ccfadf977e75e62f109fc4117503715f6203ce39e91d975fb4124cd48c0e6853e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\9TcFB4CGL9JP.bat

Filesize
199B

MD5
9cb48d83a3c91b883f1b0c8767ed7966

SHA1
9b076ac61dac089b2f39a047a822710d62bfda43

SHA256
23e2251e91a07a7a5230a60e0b7366249937f2d7fbf4e695f479cb98f328d58c

SHA512
8e0b8ccbe3b21f575c71cbdd02a9014a08944474661d09ba0ac8951ab0bbfc60ab5a2fb22f5dd9734cd4b827f78a084a322e6da17d4abd30e61161e783466b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPcWzIj05pPy.bat

Filesize
199B

MD5
1d90067872728e13f9596071d7a50072

SHA1
e149f3b147e0a591c5ab19c1c0aff387992c21fc

SHA256
50f65336d42990a72a2a4d54f9c74042c69b92b2301625be90b48781266a2561

SHA512
e7513b441fa369b6a4feb96d06d3f719c01a2d75522c7e2295a86d0c31d0da54e0e29dacc8b87afa634b59278499fd1d464fd2f17f551082d222673d1069bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnOxNyztQxNa.bat

Filesize
199B

MD5
3d2873d82fa4170e5c3bc43fbd0f39c8

SHA1
0f95d8b05160307ce1f8fb611f45a2d6f88108a2

SHA256
6bb8f91fed9f0f5cc0a545fb062c462cd2bae6ff8bf16c159f14c79d44ec2e47

SHA512
d9e44ac0f6f533b9afe4c3a17dee018b7d31fb2039b23b3eac60f140eb32f5e33589e42c91e04b8f1e22ee46b7815b6366c689a6fa38d64677e5ca34d914ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRDmHF1LOYls.bat

Filesize
199B

MD5
1ac5dcd66c41fe7738d87ba639e69ef5

SHA1
b5d73989ae3a9a6300689b8639182c89a9d48f91

SHA256
a816c650d83c93835d5a4b83fe5a87c756a312b41f4db7b60389e914978054bb

SHA512
01eb8b01a832d57583bea8af4eb49370c910d645ff9ea2beecdbd78a88c837f0fcd433c02c99387c25635bd0f0f98238c1475a4c54686f0edca0b3956debdd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\XP79SJhszHVt.bat

Filesize
199B

MD5
72bdac270af73be8ea815dfd0890f96d

SHA1
5ae436a9596752d8106a7e33700fe13001aaba34

SHA256
9b387d62fb82a073dff94a4391fa44a142942e16cf8f1894eb56116e012f037d

SHA512
89619670d108bf1bee69d47286334ec8a6452b0023a32e2e27133ea3656ab18c7bf2c44c40443e6831bfb80a3fd728f6b5bf57bb33057cd358b9f8d4ccf69c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMUVjkB92MOg.bat

Filesize
199B

MD5
24042208ce3f0f8f2d35e7e1121f83af

SHA1
d1246531e401d3472741559ea0aa439d38d5f058

SHA256
ce07f990a6a7c1d612a88c0bd1f7765bcde3a02e026fe43878574d8b02b0d9ce

SHA512
cb50d473354b1c191590b9e1802b180f4c9833a9b38272ba329ca1468dac2e98ba814c5d3b4632e4b8a64ebbea8a63d423d9969e68727b781203425c05e6210e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1wkSZR4fmj4.bat

Filesize
199B

MD5
42b57661f832ab60b6efdeb140610b6d

SHA1
e2a2d06c4e37e47d6f0da26f56c2bf0dcf2efe04

SHA256
82388519eb88428412f84b36303298ba41a1358205ca4645c0b5bbb83f0b4a08

SHA512
b44834d06f9187b692b3c92b09cfd4d13fb1aa25e675b9b4372ab5a6ed169364077629e13966e9d5b192109b40524d611fb4732f92ade9462fb68506fc0e8b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1NXaqSldK7V.bat

Filesize
199B

MD5
3da1a740614ecb65fd47bed317439f3a

SHA1
a23596c89f137cf3a8ecb4af3a3df5fc51d570a3

SHA256
6f7835ca27b74f18a431685688a60e620d8340cb98ce1250fa4e644f7f28b6fb

SHA512
7fe588fb91f0be06731b49d25f7af7d60d9ebec3cf09cbe5fa0dd12697a741fa8a6df9e11d49542e08018f09427ab0a17bae54af219ea97acb733a23ad7f4037

Download Submit
C:\Users\Admin\AppData\Local\Temp\fDGRHixDpAaA.bat

Filesize
199B

MD5
5ba76b5e32bf005f0e9694470d4db5e3

SHA1
05f777735cf0eafdad3d809f10c2ea3f1e1ac413

SHA256
ba494f7b7b81cc8e2fdcebfb6d838309c6bca6c44f2a1dbfb3d027db838cb58d

SHA512
ec9ccf23128bdeafe3a64bba04862cf28dbeb34676bfa7e614eaaa0c6b8147bbea2712163f8fc4b5c0efb0e11d9f2dfcc3eabc638714d2b096834834426b60db

Download Submit
C:\Users\Admin\AppData\Local\Temp\knv9OWyW2IA6.bat

Filesize
199B

MD5
4a4d68d0984a07c048be2488da506b85

SHA1
d566fb7220956a3ee368a159c4d8b1542ff9a7e2

SHA256
fe3b0b6067a5d84e6b5dcaa7989a92be43d5d62e299974f2e2f9739ddb884c20

SHA512
598896a5b93f441748ac00dc52cbbbeaaa40b131198c86bcde574f5873d883347f77a88512ce95d1408ffd84c17219a8c7e70a72c32acc8c275c5544feacf32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lJvMH5DdbHfg.bat

Filesize
199B

MD5
091a937c0c958bf69d8d793ce3fcf3b0

SHA1
e8f19b18853b6f2b170e30464c013a18db9e7e77

SHA256
8c1deda3f10efef9b1779aaecc46f07c3c1c900176c122aeaa795a7358971abb

SHA512
6fe855ba43b8e3276e66e80a6198ef1664282816f78f885a2836685286046164642086d7387fbbde6dde56a811951d60d546aa734f686c3d17eda964e51f01a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZ0vaYJZLGFq.bat

Filesize
199B

MD5
c55a3bb84b12943bb2f639c2028c618c

SHA1
ed6b9529fad9552679fa7b288b5eb1bb4096e7d6

SHA256
a8000a67663266b340177d43c4aab0307a270fdfab63078c666315228d9a5e30

SHA512
9a105218c06df50546b5d110b584ea7b6034649bf0a8a4f7b90314bdbe05bd64325610dc7a66569ae32c6883624e094576498aac7f6d5d8f11618cfa38e925f0

Download Submit
C:\Windows\system32\Java\JavaUpdater.exe

Filesize
3.2MB

MD5
0a717705a7797e35b6f5af62ffe43abb

SHA1
4c823754c6cebe13ae0aec7ba874318f20445145

SHA256
c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

SHA512
75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

Download Submit
memory/2996-10-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

Filesize
10.8MB

Download
memory/2996-12-0x000000001BCF0000-0x000000001BDA2000-memory.dmp

Filesize
712KB

Download
memory/2996-11-0x000000001BBE0000-0x000000001BC30000-memory.dmp

Filesize
320KB

Download
memory/2996-9-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

Filesize
10.8MB

Download
memory/2996-17-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

Filesize
10.8MB

Download
memory/4808-19-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

Filesize
10.8MB

Download
memory/4808-2-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

Filesize
10.8MB

Download
memory/4808-0-0x00007FFE465B3000-0x00007FFE465B5000-memory.dmp

Filesize
8KB

Download
memory/4808-1-0x0000000000FF0000-0x000000000132E000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads