latentbot | 59aadef5bc9181b1849f339e10498f28825a0e5a9b914b2f774b70d2a6ff30a3

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/03/2025, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Size

3.2MB
MD5

0a717705a7797e35b6f5af62ffe43abb
SHA1

4c823754c6cebe13ae0aec7ba874318f20445145
SHA256

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512

75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead
SSDEEP

98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1

Score

10^/10

latentbot quasar hugrix discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hugrix

prxprodquasar.zapto.org:4782

Mutex

ad6032ec-a1ba-49fe-a6c9-21a847436cda

Attributes

encryption_key
7AB142AC063BEB01BE33EE315E2D0BBA3E071A0B
install_name
JavaUpdater.exe
log_directory
JavaInstallLogs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
Java

Extracted

Family

latentbot

prxprodquasar.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/1632-1-0x0000000001390000-0x00000000016CE000-memory.dmp	family_quasar
behavioral1/files/0x0007000000019609-6.dat	family_quasar
behavioral1/memory/3012-9-0x0000000000EC0000-0x00000000011FE000-memory.dmp	family_quasar
behavioral1/memory/2884-33-0x0000000000310000-0x000000000064E000-memory.dmp	family_quasar
behavioral1/memory/2164-45-0x0000000000070000-0x00000000003AE000-memory.dmp	family_quasar
behavioral1/memory/1092-56-0x0000000000820000-0x0000000000B5E000-memory.dmp	family_quasar
behavioral1/memory/3040-67-0x0000000001150000-0x000000000148E000-memory.dmp	family_quasar
behavioral1/memory/2968-89-0x00000000001B0000-0x00000000004EE000-memory.dmp	family_quasar
behavioral1/memory/2092-100-0x0000000000190000-0x00000000004CE000-memory.dmp	family_quasar
behavioral1/memory/588-111-0x0000000000E30000-0x000000000116E000-memory.dmp	family_quasar
behavioral1/memory/2128-122-0x0000000000E40000-0x000000000117E000-memory.dmp	family_quasar
behavioral1/memory/992-133-0x0000000000FD0000-0x000000000130E000-memory.dmp	family_quasar
behavioral1/memory/1708-144-0x0000000000080000-0x00000000003BE000-memory.dmp	family_quasar
behavioral1/memory/1564-155-0x0000000000E20000-0x000000000115E000-memory.dmp	family_quasar
behavioral1/memory/2952-166-0x00000000011A0000-0x00000000014DE000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
3012	JavaUpdater.exe
2712	JavaUpdater.exe
2884	JavaUpdater.exe
2164	JavaUpdater.exe
1092	JavaUpdater.exe
3040	JavaUpdater.exe
276	JavaUpdater.exe
2968	JavaUpdater.exe
2092	JavaUpdater.exe
588	JavaUpdater.exe
2128	JavaUpdater.exe
992	JavaUpdater.exe
1708	JavaUpdater.exe
1564	JavaUpdater.exe
2952	JavaUpdater.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File created	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2992	PING.EXE
2312	PING.EXE
2264	PING.EXE
336	PING.EXE
1344	PING.EXE
2024	PING.EXE
2684	PING.EXE
2188	PING.EXE
1040	PING.EXE
2076	PING.EXE
2324	PING.EXE
856	PING.EXE
2512	PING.EXE
2412	PING.EXE
964	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
856	PING.EXE
2512	PING.EXE
964	PING.EXE
2076	PING.EXE
1344	PING.EXE
2188	PING.EXE
2312	PING.EXE
2684	PING.EXE
2324	PING.EXE
1040	PING.EXE
2264	PING.EXE
336	PING.EXE
2024	PING.EXE
2992	PING.EXE
2412	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe
860	schtasks.exe
2720	schtasks.exe
1832	schtasks.exe
2188	schtasks.exe
2364	schtasks.exe
596	schtasks.exe
2712	schtasks.exe
2260	schtasks.exe
2472	schtasks.exe
2736	schtasks.exe
1156	schtasks.exe
1092	schtasks.exe
2244	schtasks.exe
996	schtasks.exe
1936	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Token: SeDebugPrivilege	3012	JavaUpdater.exe
Token: SeDebugPrivilege	2712	JavaUpdater.exe
Token: SeDebugPrivilege	2884	JavaUpdater.exe
Token: SeDebugPrivilege	2164	JavaUpdater.exe
Token: SeDebugPrivilege	1092	JavaUpdater.exe
Token: SeDebugPrivilege	3040	JavaUpdater.exe
Token: SeDebugPrivilege	276	JavaUpdater.exe
Token: SeDebugPrivilege	2968	JavaUpdater.exe
Token: SeDebugPrivilege	2092	JavaUpdater.exe
Token: SeDebugPrivilege	588	JavaUpdater.exe
Token: SeDebugPrivilege	2128	JavaUpdater.exe
Token: SeDebugPrivilege	992	JavaUpdater.exe
Token: SeDebugPrivilege	1708	JavaUpdater.exe
Token: SeDebugPrivilege	1564	JavaUpdater.exe
Token: SeDebugPrivilege	2952	JavaUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2516	1632	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	31
PID 1632 wrote to memory of 2516	1632	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	31
PID 1632 wrote to memory of 2516	1632	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	31
PID 1632 wrote to memory of 3012	1632	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	33
PID 1632 wrote to memory of 3012	1632	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	33
PID 1632 wrote to memory of 3012	1632	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	33
PID 3012 wrote to memory of 860	3012	JavaUpdater.exe	34
PID 3012 wrote to memory of 860	3012	JavaUpdater.exe	34
PID 3012 wrote to memory of 860	3012	JavaUpdater.exe	34
PID 3012 wrote to memory of 2704	3012	JavaUpdater.exe	36
PID 3012 wrote to memory of 2704	3012	JavaUpdater.exe	36
PID 3012 wrote to memory of 2704	3012	JavaUpdater.exe	36
PID 2704 wrote to memory of 2708	2704	cmd.exe	38
PID 2704 wrote to memory of 2708	2704	cmd.exe	38
PID 2704 wrote to memory of 2708	2704	cmd.exe	38
PID 2704 wrote to memory of 856	2704	cmd.exe	39
PID 2704 wrote to memory of 856	2704	cmd.exe	39
PID 2704 wrote to memory of 856	2704	cmd.exe	39
PID 2704 wrote to memory of 2712	2704	cmd.exe	40
PID 2704 wrote to memory of 2712	2704	cmd.exe	40
PID 2704 wrote to memory of 2712	2704	cmd.exe	40
PID 2712 wrote to memory of 2720	2712	JavaUpdater.exe	41
PID 2712 wrote to memory of 2720	2712	JavaUpdater.exe	41
PID 2712 wrote to memory of 2720	2712	JavaUpdater.exe	41
PID 2712 wrote to memory of 2596	2712	JavaUpdater.exe	43
PID 2712 wrote to memory of 2596	2712	JavaUpdater.exe	43
PID 2712 wrote to memory of 2596	2712	JavaUpdater.exe	43
PID 2596 wrote to memory of 372	2596	cmd.exe	45
PID 2596 wrote to memory of 372	2596	cmd.exe	45
PID 2596 wrote to memory of 372	2596	cmd.exe	45
PID 2596 wrote to memory of 2512	2596	cmd.exe	46
PID 2596 wrote to memory of 2512	2596	cmd.exe	46
PID 2596 wrote to memory of 2512	2596	cmd.exe	46
PID 2596 wrote to memory of 2884	2596	cmd.exe	47
PID 2596 wrote to memory of 2884	2596	cmd.exe	47
PID 2596 wrote to memory of 2884	2596	cmd.exe	47
PID 2884 wrote to memory of 596	2884	JavaUpdater.exe	48
PID 2884 wrote to memory of 596	2884	JavaUpdater.exe	48
PID 2884 wrote to memory of 596	2884	JavaUpdater.exe	48
PID 2884 wrote to memory of 2792	2884	JavaUpdater.exe	50
PID 2884 wrote to memory of 2792	2884	JavaUpdater.exe	50
PID 2884 wrote to memory of 2792	2884	JavaUpdater.exe	50
PID 2792 wrote to memory of 2360	2792	cmd.exe	52
PID 2792 wrote to memory of 2360	2792	cmd.exe	52
PID 2792 wrote to memory of 2360	2792	cmd.exe	52
PID 2792 wrote to memory of 2024	2792	cmd.exe	53
PID 2792 wrote to memory of 2024	2792	cmd.exe	53
PID 2792 wrote to memory of 2024	2792	cmd.exe	53
PID 2792 wrote to memory of 2164	2792	cmd.exe	54
PID 2792 wrote to memory of 2164	2792	cmd.exe	54
PID 2792 wrote to memory of 2164	2792	cmd.exe	54
PID 2164 wrote to memory of 2260	2164	JavaUpdater.exe	55
PID 2164 wrote to memory of 2260	2164	JavaUpdater.exe	55
PID 2164 wrote to memory of 2260	2164	JavaUpdater.exe	55
PID 2164 wrote to memory of 676	2164	JavaUpdater.exe	57
PID 2164 wrote to memory of 676	2164	JavaUpdater.exe	57
PID 2164 wrote to memory of 676	2164	JavaUpdater.exe	57
PID 676 wrote to memory of 1816	676	cmd.exe	59
PID 676 wrote to memory of 1816	676	cmd.exe	59
PID 676 wrote to memory of 1816	676	cmd.exe	59
PID 676 wrote to memory of 964	676	cmd.exe	60
PID 676 wrote to memory of 964	676	cmd.exe	60
PID 676 wrote to memory of 964	676	cmd.exe	60
PID 676 wrote to memory of 1092	676	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2516
- C:\Windows\system32\Java\JavaUpdater.exe
  "C:\Windows\system32\Java\JavaUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:860
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1oimqLULYSx8.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2708
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:856
  - - C:\Windows\system32\Java\JavaUpdater.exe
      "C:\Windows\system32\Java\JavaUpdater.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IhqzCyAqwa7h.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:372
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
      - C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4cPh8hbWCyTe.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiF2pPfrfF4R.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:964
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEgpcEcMccxZ.bat" "
        11⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2188
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3XwlpQQ9fcQu.bat" "
        13⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2312
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DrScEOTKtmVk.bat" "
        15⤵
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cH62OIpLkUAe.bat" "
        17⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zxC3DXtRKmOt.bat" "
        19⤵
        
        PID:2512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:336
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\v2YjOJDZLzOl.bat" "
        21⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1156
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kq3Td8Wbg1ED.bat" "
        23⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1344
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GRBKQBZuOQOj.bat" "
        25⤵
        
        PID:1256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OxEBsL6pa1u2.bat" "
        27⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\seaZUiBVvPKg.bat" "
        29⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1040
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQJWe9n5BkSf.bat" "
        31⤵
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1oimqLULYSx8.bat

Filesize
199B

MD5
2873dbf84fafcc5051d36910555b8287

SHA1
704c645d25214436383f1ffb6db6009945106f3f

SHA256
070591d44424296b756ee069957e7441e7da7122fbbc3151970a9a38a3d8ee4f

SHA512
1cfdc4bf6d02095995354cb700392eacdbe4864fe848abf5ff7a2577463a362a25e7d94715173c59d1dc14971582c299ef5636d7c6a5770091b5bd51d436fc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\3XwlpQQ9fcQu.bat

Filesize
199B

MD5
b20586b34ac79d1981dc53722b7df62d

SHA1
4934b8395811760d91f9536543a84970c39f3a04

SHA256
cd97274a2b216b57817f2df295b4fed27ed9d643542fb50338e5dbef629a7a18

SHA512
32c94955e0d38c27889dfdb49fc921895c0adfeee1f7f9f7914364848df739115606c0a583e853e6fde306dd42f8c0a376a965f9de6c427a257ced087a9ca601

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cPh8hbWCyTe.bat

Filesize
199B

MD5
8cc8fedb4bb70e02df478a64c26508be

SHA1
502f05cf583911e11921681c2460a9c9768a365e

SHA256
08978878252a87735f7e2b4d21fe70c317b92f8d44bc47b9cbd04d77d72f8f65

SHA512
b7b3363caa354d6b89d49fcd94f61cbc9efe52a31a9780cb7e23f9a415ea1b783f52c7e5506e57d303b10785071aeac47dce46672e1399f4c0de9612ddad4401

Download Submit
C:\Users\Admin\AppData\Local\Temp\DrScEOTKtmVk.bat

Filesize
199B

MD5
5a79ac45b04fb73c90ba80632fa9d2dc

SHA1
b49e9f2e7b5a2b994beaac88d02eed5254ae69f7

SHA256
5aba75327c05ffee02349f43df2e9d68e4a3b80ec369981c321221e8efe9cdce

SHA512
7f2db2622189eb4bdbbe64a60d37879dbffc0477b1248e5f685011a6326699cff630ab6b8eea2e0bcba64c0f20ccc72d3589b6bd8c70ae2bbe1ba9fffadd572a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQJWe9n5BkSf.bat

Filesize
199B

MD5
86afc3bfeef0c804b9b37a302d995d68

SHA1
5d5d95c1711ed60c8a2fa8584273fb39de41908b

SHA256
f41788a3bdaf2160d656bc02f2846d062f62d7b301945e76631bc7fc3219ea7b

SHA512
55d87c2e7fe0dac92fbdda5f8f79cf99ab37b700f6c707c2371d8d31ebe101932fdf15a4a08adf9a5a0818c50196d7cc6b535ae1db87808fa1a82436c81bbd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRBKQBZuOQOj.bat

Filesize
199B

MD5
48e7741884e2b04f29b97ee4f2eb827a

SHA1
941a02de9d0e02af2ce491a566e7c805e63400b0

SHA256
36fa01092216cee2fdc0d324489256c2667bc17d1d9aa9be7afac45e6ea36397

SHA512
6f9acf7a718fee58523dd2ecea14be126fd22628e7404b33d046ee69eb86ea401e6580e6a40544aa7de4493d41c791f9cb244c489c81bb1b12d2e844f3d8dc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhqzCyAqwa7h.bat

Filesize
199B

MD5
38b9393f7ae240b2d58dae13c82bf618

SHA1
6d4077c966d568ebbccf13e96d774980d27bae8f

SHA256
3c247026654cc2d59f63b3a81c7d9a5f4f0b7d921122642b0267f8e9d8973b92

SHA512
0d03de8b0f43e197ba59b57636ffd4748bdd4affec3fd6857a4e82b8b6c5aeb71a8cbd927c22c784e81a2646c8a7eb101a62aaaebd0f2cb95ebdbe3b57e902ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxEBsL6pa1u2.bat

Filesize
199B

MD5
22220ec1aafc16c86db193feb5d558c0

SHA1
83b544e78025aa3b51e783ffc91b1afca9cb18b3

SHA256
c1866866518e7db06369f7035e62e56f5137037bdc93fb56771aa1c6b71cb189

SHA512
4d404d5faad4ab312beac3e7f1cced7fed80b0d1dd3118b0a92dea2e5a03e4d5ab78c58a46e62b365c3b3cced4c8f16dbb9229515690ae6bba594af3f9ddf93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiF2pPfrfF4R.bat

Filesize
199B

MD5
4894f007f4a5f3a5945742e7f253a6ba

SHA1
d38e3536f3c6f3dfce3a3d98a66e5f8e469121d7

SHA256
d6fc24368b47039f65143dbe25821ad655977b260ce67e410cc21096d3aec8d3

SHA512
75adbaf08d3def9088169b6be6d71000e579d55f80e0056da8768520a28009237b84a7e814e8ed7b0dade2348e5144421e5bc1f5381506d0166698a29a8eed58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cH62OIpLkUAe.bat

Filesize
199B

MD5
5857fd335ac3c83eb3325a9d7854c547

SHA1
943826a5a99eec43afa5a82e9c9c672403084069

SHA256
a9f1b28695a1a290fd108b819189a74e841ab70450df8e2eb56f9037bf6b5fcf

SHA512
a3c40b6a8988670e18528ee9ec15e409196fe112ec3995d53a382830f57980ac251618e3fdb56f1bfa31658db81193b0d86ff29d6240ea8a8c10dbc2a1bf6b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq3Td8Wbg1ED.bat

Filesize
199B

MD5
9c1ce88cfe67293b17903a7665f831b0

SHA1
d11bd7ecd534db1b0bd7e6770b78b371d6d8ed58

SHA256
7fe001cc819bba2689eee126efd0dda296bf72e9b88953e5c1487c1f64012d3a

SHA512
cf19e0ecbbb1b7609e7c03e9ada5ae83dd054f38f6a04833eb9da191dd68f4fd37414f5a39001ac52dce615ee75c08b88588c2c6640e256d9f34c7aa4d1f2789

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEgpcEcMccxZ.bat

Filesize
199B

MD5
ffe0adf99ab59e78efc5df3d20085ee4

SHA1
8444f4a11a1999181adedfd821deb7a9e04e3f94

SHA256
befed449506eadb483a20fd625c50f4b93a9cfcffa49bacee2d003259f0e76f8

SHA512
2e6795eb9f13aba8a9c066ac7d6f0143b211ef5a39c23c620348db425ec4f76f12a7bf8d982d80eda5d4113e87397067f530aba3eb4b4dfd98f949a061e6a1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\seaZUiBVvPKg.bat

Filesize
199B

MD5
512f2603a4db4f9dc2b699328364d558

SHA1
ca246f815c0ceb651565d818779b4d8cabd95292

SHA256
c9d4c7bae96e9263b3324d6f06f8b071425bc36bf84e177832b9451acb5a6c86

SHA512
e5a39da1febefa5fcc9cb992475e40e5f49f8fe0ad879da7d230212f2dda63c2bc10a11fb33b42487efc25654c0df124a17d596c5c1b6a4e6bb3981ba546e6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2YjOJDZLzOl.bat

Filesize
199B

MD5
9eabe1c74156cf61054ee40375164829

SHA1
14812f020a93fac733b10e32525eaa29d1a94cea

SHA256
3926f4d00a42e67787632b6bd587aad8d9b2fd7d2b69d444ad9544e743b2d493

SHA512
8e8ef1c9f31f50736964a5a2fd1d760b850fc94b21fccbf5c8fa01ea11c4db016446955d8cee6ff4b7517c5b65a713d59393340f67ab4fe10b1b220d00c2511e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxC3DXtRKmOt.bat

Filesize
199B

MD5
3bda7c4c5781a5baa2682bad5d0db405

SHA1
668355201f743142095fb6c81a94fbb9c283a8c2

SHA256
b8813f65f2c177fadf6810ef7e2046e2263f206876117bb804c379684de1aa2e

SHA512
40bd122a6cf8e8b46a870eaa0fd98296153506559e6366ce7a4294ad9628b717f2ee7cba6b7efc5e5c355c825293ae88dffbc3aed0b3e8703da8296da26cc48a

Download Submit
C:\Windows\System32\Java\JavaUpdater.exe

Filesize
3.2MB

MD5
0a717705a7797e35b6f5af62ffe43abb

SHA1
4c823754c6cebe13ae0aec7ba874318f20445145

SHA256
c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

SHA512
75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

Download Submit
memory/588-111-0x0000000000E30000-0x000000000116E000-memory.dmp

Filesize
3.2MB

Download
memory/992-133-0x0000000000FD0000-0x000000000130E000-memory.dmp

Filesize
3.2MB

Download
memory/1092-56-0x0000000000820000-0x0000000000B5E000-memory.dmp

Filesize
3.2MB

Download
memory/1564-155-0x0000000000E20000-0x000000000115E000-memory.dmp

Filesize
3.2MB

Download
memory/1632-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1632-1-0x0000000001390000-0x00000000016CE000-memory.dmp

Filesize
3.2MB

Download
memory/1632-10-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-144-0x0000000000080000-0x00000000003BE000-memory.dmp

Filesize
3.2MB

Download
memory/2092-100-0x0000000000190000-0x00000000004CE000-memory.dmp

Filesize
3.2MB

Download
memory/2128-122-0x0000000000E40000-0x000000000117E000-memory.dmp

Filesize
3.2MB

Download
memory/2164-45-0x0000000000070000-0x00000000003AE000-memory.dmp

Filesize
3.2MB

Download
memory/2884-33-0x0000000000310000-0x000000000064E000-memory.dmp

Filesize
3.2MB

Download
memory/2952-166-0x00000000011A0000-0x00000000014DE000-memory.dmp

Filesize
3.2MB

Download
memory/2968-89-0x00000000001B0000-0x00000000004EE000-memory.dmp

Filesize
3.2MB

Download
memory/3012-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-11-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-9-0x0000000000EC0000-0x00000000011FE000-memory.dmp

Filesize
3.2MB

Download
memory/3012-8-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-67-0x0000000001150000-0x000000000148E000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads