Malware Analysis Report

2025-04-03 10:25

Sample ID 250311-fja6tssk18
Target c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
SHA256 c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
Tags
hugrix quasar latentbot discovery spyware trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

Threat Level: Known bad

The file c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe was found to be: Known bad.

Malicious Activity Summary

hugrix quasar latentbot discovery spyware trojan

Quasar family

Latentbot family

Quasar payload

LatentBot

Quasar RAT

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-11 04:53

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-11 04:53

Reported

2025-03-11 04:56

Platform

win7-20240903-en

Max time kernel

142s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File created | C:\Windows\system32\Java\JavaUpdater.exe | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Java\JavaUpdater.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2260 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | C:\Windows\system32\schtasks.exe
PID 2260 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | C:\Windows\system32\schtasks.exe
PID 2260 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | C:\Windows\system32\schtasks.exe
PID 2260 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 2260 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 2260 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 2640 wrote to memory of 2812 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2812 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2812 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 1584 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 1584 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 1584 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 2596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1584 wrote to memory of 2596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1584 wrote to memory of 2596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1584 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1584 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1584 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1584 wrote to memory of 648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 1584 wrote to memory of 648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 1584 wrote to memory of 648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 648 wrote to memory of 2928 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 648 wrote to memory of 2928 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 648 wrote to memory of 2928 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 648 wrote to memory of 1988 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 1988 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 1988 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 1988 wrote to memory of 576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1988 wrote to memory of 576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1988 wrote to memory of 576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1988 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1988 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1988 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1988 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 1988 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 1988 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 1900 wrote to memory of 540 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 1900 wrote to memory of 540 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 1900 wrote to memory of 540 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 1900 wrote to memory of 2520 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 1900 wrote to memory of 2520 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 1900 wrote to memory of 2520 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2520 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2520 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2520 wrote to memory of 2236 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2520 wrote to memory of 2236 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2520 wrote to memory of 2236 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2520 wrote to memory of 448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 2520 wrote to memory of 448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 2520 wrote to memory of 448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe
PID 448 wrote to memory of 2328 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 448 wrote to memory of 2328 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 448 wrote to memory of 2328 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\schtasks.exe
PID 448 wrote to memory of 2060 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 2060 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 2060 | N/A | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 1264 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2060 wrote to memory of 1264 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2060 wrote to memory of 1264 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2060 wrote to memory of 1384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\Java\JavaUpdater.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\do9rQ9l0Cbg1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEaWrhSiaMn3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qx1Ruko14yPo.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HNACr3kRV6P9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cp2tyv8OYe8x.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PlCvQ0oMV97Q.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\roZw2iZc2X5d.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pxkQIPN0ijlF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ydn4zkCsRhxU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0j3OJbWGSEkK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\68W9NF5kTJvG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CXSR3jUgn0zP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y0Tzz1wy2zAk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1qVTedZSfqPH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oVAxfZ6F9U7B.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | prxprodquasar.zapto.org | udp

Files

memory/2260-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

memory/2260-1-0x0000000000EB0000-0x00000000011EE000-memory.dmp

memory/2260-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

C:\Windows\System32\Java\JavaUpdater.exe

MD5 0a717705a7797e35b6f5af62ffe43abb
SHA1 4c823754c6cebe13ae0aec7ba874318f20445145
SHA256 c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512 75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

memory/2640-8-0x0000000000BB0000-0x0000000000EEE000-memory.dmp

memory/2640-9-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

memory/2640-10-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\do9rQ9l0Cbg1.bat

MD5 b3ebaab1226e7d8925597cac1283c223
SHA1 8446e9ad6654dc99f488fd03d23766c262faaf90
SHA256 07340e5af0eb2f008f12b52c5ff304014eb37a1afd7fbb3ab58c8445779a3bbc
SHA512 8234af6e63b1d395cb582b3d60ad7534f3d34e97d77c03745289604dc8eb76193a59729259144e72963645133af2f7769fdb42b1941cb0297e5c36b812e56e03

memory/2640-20-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

memory/2260-21-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

memory/648-23-0x0000000001010000-0x000000000134E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lEaWrhSiaMn3.bat

MD5 b7f15a470dab90b97726aeddbaf0ecf8
SHA1 6080536382546a55d5c9c55d6507a2b57a834cdc
SHA256 1eb835cd4000012b6ac29d39e2c513dd7dd5f476c79c4777e5ef072299fa0e74
SHA512 ff14aa11dda95700f1016d55df2c43581386057610a305241f809a6c0c09223b9223cd4e9c986424d90d0b8bb42479b071aee168fc0778886aa8f669ecf07cc9

C:\Users\Admin\AppData\Local\Temp\Qx1Ruko14yPo.bat

MD5 6ec9a55018b269c34aad2b4db65d5c64
SHA1 6ee30316ece927360b703dfa459d44fd87843121
SHA256 11466ab61b842eb4ca13934b32a1adce4b0be21ec81b95f9bfdfd115cfd3d4e3
SHA512 21051b8c6b3d7f3e748c14dfbb0d781f4a5bab2328a53b4df848cb774c2b3f1cdc6da02e588ef49dbc079cffe1b2a88043dd4560d37c2b06fc0351543d779668

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\HNACr3kRV6P9.bat

MD5 8019bfb59b0f8591951f6d8829d1928a
SHA1 dab205c6bf1675297d08578af303a7edab654652
SHA256 8381a2f3955b6ab4d327dc44d52e5ca76d727296802070629d92fd7bbfb714d9
SHA512 c05ee4b978097f179823c9fe7d71e122e57715dcfcb567051e55e70822d8cf22d9c46832c9a963e50ce38b5d263de200f08855497c4f1f27845f6a680e1a847b

C:\Users\Admin\AppData\Local\Temp\cp2tyv8OYe8x.bat

MD5 d5ac59c22ca62011aba98d75acc5bdf9
SHA1 b12fb38249e9bd60b6379fd281cd9b0719d0cb10
SHA256 1598bc1ab651665acf74ab4a7266c4add40513b020afd4c59baea41c9b510505
SHA512 9310aadc82f717046f84d57f0f31d21af70a6d5362f619e0bfd1a098c274fa99b152c27d12419d42196f9d1aa43b4e4aa6d79d868fe16a812c1abb9da9730955

C:\Users\Admin\AppData\Local\Temp\PlCvQ0oMV97Q.bat

MD5 2a5ce009958f48556165cded9af9ca76
SHA1 60f57878011bb0c16a720323e4d87788a9a9180f
SHA256 67b4997718aba2343efa9a08466e5969e0ba882b51027ca890003758d4854980
SHA512 78831beab1e0c50976185098765b468e6b9887bdb0382a7d0239ee4e7483b2808ac281ccd1a5f0f3b634bde298f44c00ea890d876218737c72fef41d97cc63ce

C:\Users\Admin\AppData\Local\Temp\roZw2iZc2X5d.bat

MD5 820bd1ac18e0f7e31929a6acd1755209
SHA1 92e983649b0e45ce47a12e1aa9c8a6fb903277b2
SHA256 fdd607f17075600bc4751ee83b8fc9861f23272fe0e2ea7446985d7fba0cc929
SHA512 108cbe59932e020ce3ec53b92ed324cb5c435e6d78ab35402ef1c05d5dddd60c3286b2d328cda03bd3a78afe7097af84ebc512ee6ce297c60a97af594d59f42a

C:\Users\Admin\AppData\Local\Temp\pxkQIPN0ijlF.bat

MD5 5e5c3e800df4429d6e07c8d332b096c2
SHA1 b02ce5a1cc69eb2817117b01a0337f773073d94a
SHA256 ae9c88062bc230011c931c7be4c36cb87db6ee69340c88f8342def381e94c275
SHA512 ad4998d3bd83b4524ca30aa52fe64e7f8832748601b11bce2dbd9ba94a452cd013929e30d393a3ade5cb2006607212e3ec2ad938b49e77b8800af604b8709073

memory/2928-96-0x00000000013B0000-0x00000000016EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ydn4zkCsRhxU.bat

MD5 d4d28481fdef33bc4bd7ac7ce6c93cc6
SHA1 0c2d878bf4fcbecc2240e94b58731c4bb228c513
SHA256 917f23952a9b71e5d340cefdef6faed2b0c8189a65ff4e4a3448c75777298120
SHA512 f81db5fc1e96ed810efd96dd91c83a46fae225c91143a72408107ad4dfab8e32a603c438c75146aefec9d131e220c181228fbab18574ceede0c5c940315e2a63

C:\Users\Admin\AppData\Local\Temp\0j3OJbWGSEkK.bat

MD5 88d275d5273fb21d217e3b264e5c1a4f
SHA1 a81d0d7de0c944aa9a41ecd80e6305eaf101cba4
SHA256 6f77cba3d6aeb8d859bc7c5cf15fe3a49ecf14fed20f291fdf0a8febbafbdbd0
SHA512 e448088af66a81475af001ef9b9e30a684956ee536168e247e43c0f56c4bde6e9e536edddd7d4af77b7ba859f344dbec09a9e69023df03741c87f9d924727252

C:\Users\Admin\AppData\Local\Temp\68W9NF5kTJvG.bat

MD5 ab30d1e922fb4a490a4f422f3918edbd
SHA1 9cbe215db7b951ae4955c46ded3a16ceefcf5811
SHA256 082f7ce69fa5fa2026985cd024b70bd81b83db549f0f8d0a7e5e6b06fc984fa5
SHA512 9f764663997a96cdc425263469e5f0c45685cccb940734e17ef7e072e73bcd32901ebbf534148003fff0184ba270b743dccaf09a06e4242e5621d30cb58a4e52

C:\Users\Admin\AppData\Local\Temp\CXSR3jUgn0zP.bat

MD5 36c98362e3712ddd6eb9af25e8cda217
SHA1 6c919c99d95f2fa9255edfce02cfb9e3a375147a
SHA256 c77c14352675b5c54a1cd14e755e6dac15ea00c9b4e38fa9882ba35aa802a681
SHA512 a8ec761d85afc6785cce73c4c831e21e458d89eec66ca8b4c624ff3a11c2c4b7ef216a93a08e9b1e6a244ff4d8224024d5468663689965740944a8abdfb88e38

C:\Users\Admin\AppData\Local\Temp\Y0Tzz1wy2zAk.bat

MD5 abc6d2a3c8114ace34773a29dd652d63
SHA1 c72f8d451880e3247d8240aba4c7307593969c1f
SHA256 cfd10659b50b1a144cd0811698650238df465d41ee290961860f6c721a95bb27
SHA512 4dd1972bd35830184e3504e7606c556e60e262164307760f11a11144e626cd7337fc08b135e9b4ce2022cd904b2a94ff322ecd383c73196e9a3ca934dc587612

C:\Users\Admin\AppData\Local\Temp\1qVTedZSfqPH.bat

MD5 f675d679b3749deda969dd1eb8a136b8
SHA1 632b2cbf7fb742f44a88b544b58023f4d8d8902c
SHA256 f0e79de4c8f7d47f5cadc809927962c513ca31c0a30340a299208e0789d61b0a
SHA512 204d466570b128a9713e5013e2e572aff34bce80aaf41508c29b3bc4e930128225009856ed4349e8f31756f9539380348a4a000b66adcce64c2623f805f79a62

memory/3040-159-0x00000000001E0000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oVAxfZ6F9U7B.bat

MD5 a61897cda9835b2ed3d8cf2d56521287
SHA1 2cdb3691b6ff98fb5d911832a547da3d97a63d8f
SHA256 8ea1c598894d503ab58cff629c4c6a6fb06df9221009578d28e25a785b139dfc
SHA512 48f48beec14d650971bf8a36aa42179ea4e8b6ea71cedb0af42f272879e1a68501188c362c2d5bcc18792e9b4b2081e6c0e46111f469c9c826b62d7acbb00c8e

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-11 04:53

Reported

2025-03-11 04:56

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\Java\JavaUpdater.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File created | C:\Windows\system32\Java\JavaUpdater.exe | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java | C:\Windows\system32\Java\JavaUpdater.exe | N/A
File opened for modification | C:\Windows\system32\Java\JavaUpdater.exe | C:\Windows\system32\Java\JavaUpdater.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
N/A N/A C:\Windows\system32\Java\JavaUpdater.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4808 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4808 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 4808 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2996 wrote to memory of 4960 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2996 wrote to memory of 4960 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2996 wrote to memory of 4612 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 4612 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 4612 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4612 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4612 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4612 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4612 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 4612 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 5116 wrote to memory of 3364 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5116 wrote to memory of 3364 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5116 wrote to memory of 3280 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 5116 wrote to memory of 3280 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3280 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3280 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3280 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3280 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3280 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3324 wrote to memory of 2000 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3324 wrote to memory of 2000 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3324 wrote to memory of 2784 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 2784 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2784 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2784 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2784 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2784 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2784 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3760 wrote to memory of 4368 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3760 wrote to memory of 4368 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3760 wrote to memory of 4224 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3760 wrote to memory of 4224 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 4224 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4224 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4224 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4224 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4224 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 4224 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 4956 wrote to memory of 4316 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4956 wrote to memory of 4316 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4956 wrote to memory of 5032 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 4956 wrote to memory of 5032 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 5032 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5032 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5032 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5032 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5032 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 5032 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3948 wrote to memory of 2784 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3948 wrote to memory of 2784 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3948 wrote to memory of 3540 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3948 wrote to memory of 3540 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3540 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3540 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3540 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3540 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3540 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3540 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d1wkSZR4fmj4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e1NXaqSldK7V.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PnOxNyztQxNa.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lJvMH5DdbHfg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WRDmHF1LOYls.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMUVjkB92MOg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3LmQFAVC7eyi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QP1AzgUmWu4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\knv9OWyW2IA6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9TcFB4CGL9JP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZ0vaYJZLGFq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XP79SJhszHVt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HPcWzIj05pPy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fDGRHixDpAaA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWwzSBhRT0jA.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 prxprodquasar.zapto.org udp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 udp

Files

memory/4808-1-0x0000000000FF0000-0x000000000132E000-memory.dmp

memory/4808-0-0x00007FFE465B3000-0x00007FFE465B5000-memory.dmp

memory/4808-2-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

memory/2996-9-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

C:\Windows\system32\Java\JavaUpdater.exe

MD5 0a717705a7797e35b6f5af62ffe43abb
SHA1 4c823754c6cebe13ae0aec7ba874318f20445145
SHA256 c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512 75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

memory/2996-10-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

memory/2996-12-0x000000001BCF0000-0x000000001BDA2000-memory.dmp

memory/2996-11-0x000000001BBE0000-0x000000001BC30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d1wkSZR4fmj4.bat

MD5 42b57661f832ab60b6efdeb140610b6d
SHA1 e2a2d06c4e37e47d6f0da26f56c2bf0dcf2efe04
SHA256 82388519eb88428412f84b36303298ba41a1358205ca4645c0b5bbb83f0b4a08
SHA512 b44834d06f9187b692b3c92b09cfd4d13fb1aa25e675b9b4372ab5a6ed169364077629e13966e9d5b192109b40524d611fb4732f92ade9462fb68506fc0e8b28

memory/2996-17-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

memory/4808-19-0x00007FFE465B0000-0x00007FFE47071000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JavaUpdater.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\e1NXaqSldK7V.bat

MD5 3da1a740614ecb65fd47bed317439f3a
SHA1 a23596c89f137cf3a8ecb4af3a3df5fc51d570a3
SHA256 6f7835ca27b74f18a431685688a60e620d8340cb98ce1250fa4e644f7f28b6fb
SHA512 7fe588fb91f0be06731b49d25f7af7d60d9ebec3cf09cbe5fa0dd12697a741fa8a6df9e11d49542e08018f09427ab0a17bae54af219ea97acb733a23ad7f4037

C:\Users\Admin\AppData\Local\Temp\PnOxNyztQxNa.bat

MD5 3d2873d82fa4170e5c3bc43fbd0f39c8
SHA1 0f95d8b05160307ce1f8fb611f45a2d6f88108a2
SHA256 6bb8f91fed9f0f5cc0a545fb062c462cd2bae6ff8bf16c159f14c79d44ec2e47
SHA512 d9e44ac0f6f533b9afe4c3a17dee018b7d31fb2039b23b3eac60f140eb32f5e33589e42c91e04b8f1e22ee46b7815b6366c689a6fa38d64677e5ca34d914ae88

C:\Users\Admin\AppData\Local\Temp\lJvMH5DdbHfg.bat

MD5 091a937c0c958bf69d8d793ce3fcf3b0
SHA1 e8f19b18853b6f2b170e30464c013a18db9e7e77
SHA256 8c1deda3f10efef9b1779aaecc46f07c3c1c900176c122aeaa795a7358971abb
SHA512 6fe855ba43b8e3276e66e80a6198ef1664282816f78f885a2836685286046164642086d7387fbbde6dde56a811951d60d546aa734f686c3d17eda964e51f01a2

C:\Users\Admin\AppData\Local\Temp\WRDmHF1LOYls.bat

MD5 1ac5dcd66c41fe7738d87ba639e69ef5
SHA1 b5d73989ae3a9a6300689b8639182c89a9d48f91
SHA256 a816c650d83c93835d5a4b83fe5a87c756a312b41f4db7b60389e914978054bb
SHA512 01eb8b01a832d57583bea8af4eb49370c910d645ff9ea2beecdbd78a88c837f0fcd433c02c99387c25635bd0f0f98238c1475a4c54686f0edca0b3956debdd55

C:\Users\Admin\AppData\Local\Temp\ZMUVjkB92MOg.bat

MD5 24042208ce3f0f8f2d35e7e1121f83af
SHA1 d1246531e401d3472741559ea0aa439d38d5f058
SHA256 ce07f990a6a7c1d612a88c0bd1f7765bcde3a02e026fe43878574d8b02b0d9ce
SHA512 cb50d473354b1c191590b9e1802b180f4c9833a9b38272ba329ca1468dac2e98ba814c5d3b4632e4b8a64ebbea8a63d423d9969e68727b781203425c05e6210e

C:\Users\Admin\AppData\Local\Temp\3LmQFAVC7eyi.bat

MD5 5557aac69c3478ff7d1386d07bf78a52
SHA1 26c6f5e8055cbc92e3b981ee58fe461d3388fc75
SHA256 362e14825e03e057f00bd89816740b4c06312ca7ef0ccc5ff7e2533f156be98a
SHA512 45143507481addca77e320286fe67e20a147cc5d7a411c66dd35b445efed217cc678e31738710e65215a6bc8015fb27fd0e8c753176c751cb4a1afb1b64ca861

C:\Users\Admin\AppData\Local\Temp\5QP1AzgUmWu4.bat

MD5 b86b6ee40906deb8c92399b8b27038d3
SHA1 504fefa3c9cb0c5a31bef67a30d919f96ee6dff7
SHA256 1678ee6cc679d2f9cd631fcc7b73a20587f1bb2b86507415ec9805b94ad5e076
SHA512 86136a9e8f250683aa04b4bb978da9ca8070c3624923d182fb0129a41c392ccfadf977e75e62f109fc4117503715f6203ce39e91d975fb4124cd48c0e6853e72

C:\Users\Admin\AppData\Local\Temp\knv9OWyW2IA6.bat

MD5 4a4d68d0984a07c048be2488da506b85
SHA1 d566fb7220956a3ee368a159c4d8b1542ff9a7e2
SHA256 fe3b0b6067a5d84e6b5dcaa7989a92be43d5d62e299974f2e2f9739ddb884c20
SHA512 598896a5b93f441748ac00dc52cbbbeaaa40b131198c86bcde574f5873d883347f77a88512ce95d1408ffd84c17219a8c7e70a72c32acc8c275c5544feacf32f

C:\Users\Admin\AppData\Local\Temp\9TcFB4CGL9JP.bat

MD5 9cb48d83a3c91b883f1b0c8767ed7966
SHA1 9b076ac61dac089b2f39a047a822710d62bfda43
SHA256 23e2251e91a07a7a5230a60e0b7366249937f2d7fbf4e695f479cb98f328d58c
SHA512 8e0b8ccbe3b21f575c71cbdd02a9014a08944474661d09ba0ac8951ab0bbfc60ab5a2fb22f5dd9734cd4b827f78a084a322e6da17d4abd30e61161e783466b33

C:\Users\Admin\AppData\Local\Temp\qZ0vaYJZLGFq.bat

MD5 c55a3bb84b12943bb2f639c2028c618c
SHA1 ed6b9529fad9552679fa7b288b5eb1bb4096e7d6
SHA256 a8000a67663266b340177d43c4aab0307a270fdfab63078c666315228d9a5e30
SHA512 9a105218c06df50546b5d110b584ea7b6034649bf0a8a4f7b90314bdbe05bd64325610dc7a66569ae32c6883624e094576498aac7f6d5d8f11618cfa38e925f0

C:\Users\Admin\AppData\Local\Temp\XP79SJhszHVt.bat

MD5 72bdac270af73be8ea815dfd0890f96d
SHA1 5ae436a9596752d8106a7e33700fe13001aaba34
SHA256 9b387d62fb82a073dff94a4391fa44a142942e16cf8f1894eb56116e012f037d
SHA512 89619670d108bf1bee69d47286334ec8a6452b0023a32e2e27133ea3656ab18c7bf2c44c40443e6831bfb80a3fd728f6b5bf57bb33057cd358b9f8d4ccf69c7e

C:\Users\Admin\AppData\Local\Temp\HPcWzIj05pPy.bat

MD5 1d90067872728e13f9596071d7a50072
SHA1 e149f3b147e0a591c5ab19c1c0aff387992c21fc
SHA256 50f65336d42990a72a2a4d54f9c74042c69b92b2301625be90b48781266a2561
SHA512 e7513b441fa369b6a4feb96d06d3f719c01a2d75522c7e2295a86d0c31d0da54e0e29dacc8b87afa634b59278499fd1d464fd2f17f551082d222673d1069bd95

C:\Users\Admin\AppData\Local\Temp\fDGRHixDpAaA.bat

MD5 5ba76b5e32bf005f0e9694470d4db5e3
SHA1 05f777735cf0eafdad3d809f10c2ea3f1e1ac413
SHA256 ba494f7b7b81cc8e2fdcebfb6d838309c6bca6c44f2a1dbfb3d027db838cb58d
SHA512 ec9ccf23128bdeafe3a64bba04862cf28dbeb34676bfa7e614eaaa0c6b8147bbea2712163f8fc4b5c0efb0e11d9f2dfcc3eabc638714d2b096834834426b60db