latentbot | 59aadef5bc9181b1849f339e10498f28825a0e5a9b914b2f774b70d2a6ff30a3

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Size

3.2MB
MD5

0a717705a7797e35b6f5af62ffe43abb
SHA1

4c823754c6cebe13ae0aec7ba874318f20445145
SHA256

c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512

75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead
SSDEEP

98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1

Score

10^/10

latentbot quasar hugrix discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hugrix

prxprodquasar.zapto.org:4782

Mutex

ad6032ec-a1ba-49fe-a6c9-21a847436cda

Attributes

encryption_key
7AB142AC063BEB01BE33EE315E2D0BBA3E071A0B
install_name
JavaUpdater.exe
log_directory
JavaInstallLogs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
Java

Extracted

Family

latentbot

prxprodquasar.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2372-1-0x0000000000010000-0x000000000034E000-memory.dmp	family_quasar
behavioral2/files/0x000300000001e0fd-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	JavaUpdater.exe

Executes dropped EXE 15 IoCs

pid	Process
2536	JavaUpdater.exe
4620	JavaUpdater.exe
4148	JavaUpdater.exe
1560	JavaUpdater.exe
2452	JavaUpdater.exe
2836	JavaUpdater.exe
2612	JavaUpdater.exe
3972	JavaUpdater.exe
2556	JavaUpdater.exe
3692	JavaUpdater.exe
1436	JavaUpdater.exe
1272	JavaUpdater.exe
64	JavaUpdater.exe
2096	JavaUpdater.exe
1688	JavaUpdater.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Java	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File created	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java\JavaUpdater.exe	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe
File opened for modification	C:\Windows\system32\Java	JavaUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1376	PING.EXE
4672	PING.EXE
4296	PING.EXE
4304	PING.EXE
5040	PING.EXE
2060	PING.EXE
3584	PING.EXE
4368	PING.EXE
3724	PING.EXE
4028	PING.EXE
2788	PING.EXE
1532	PING.EXE
1444	PING.EXE
4412	PING.EXE
2300	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2788	PING.EXE
1376	PING.EXE
4028	PING.EXE
4296	PING.EXE
2060	PING.EXE
1444	PING.EXE
3584	PING.EXE
1532	PING.EXE
2300	PING.EXE
5040	PING.EXE
4412	PING.EXE
4672	PING.EXE
4304	PING.EXE
4368	PING.EXE
3724	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2268	schtasks.exe
4368	schtasks.exe
3496	schtasks.exe
1780	schtasks.exe
2652	schtasks.exe
4992	schtasks.exe
2896	schtasks.exe
2116	schtasks.exe
1700	schtasks.exe
2264	schtasks.exe
440	schtasks.exe
3772	schtasks.exe
3172	schtasks.exe
3852	schtasks.exe
2672	schtasks.exe
4336	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
Token: SeDebugPrivilege	2536	JavaUpdater.exe
Token: SeDebugPrivilege	4620	JavaUpdater.exe
Token: SeDebugPrivilege	4148	JavaUpdater.exe
Token: SeDebugPrivilege	1560	JavaUpdater.exe
Token: SeDebugPrivilege	2452	JavaUpdater.exe
Token: SeDebugPrivilege	2836	JavaUpdater.exe
Token: SeDebugPrivilege	2612	JavaUpdater.exe
Token: SeDebugPrivilege	3972	JavaUpdater.exe
Token: SeDebugPrivilege	2556	JavaUpdater.exe
Token: SeDebugPrivilege	3692	JavaUpdater.exe
Token: SeDebugPrivilege	1436	JavaUpdater.exe
Token: SeDebugPrivilege	1272	JavaUpdater.exe
Token: SeDebugPrivilege	64	JavaUpdater.exe
Token: SeDebugPrivilege	2096	JavaUpdater.exe
Token: SeDebugPrivilege	1688	JavaUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2116	2372	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	89
PID 2372 wrote to memory of 2116	2372	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	89
PID 2372 wrote to memory of 2536	2372	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	91
PID 2372 wrote to memory of 2536	2372	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe	91
PID 2536 wrote to memory of 1700	2536	JavaUpdater.exe	92
PID 2536 wrote to memory of 1700	2536	JavaUpdater.exe	92
PID 2536 wrote to memory of 3920	2536	JavaUpdater.exe	94
PID 2536 wrote to memory of 3920	2536	JavaUpdater.exe	94
PID 3920 wrote to memory of 3824	3920	cmd.exe	96
PID 3920 wrote to memory of 3824	3920	cmd.exe	96
PID 3920 wrote to memory of 1376	3920	cmd.exe	97
PID 3920 wrote to memory of 1376	3920	cmd.exe	97
PID 3920 wrote to memory of 4620	3920	cmd.exe	106
PID 3920 wrote to memory of 4620	3920	cmd.exe	106
PID 4620 wrote to memory of 1780	4620	JavaUpdater.exe	107
PID 4620 wrote to memory of 1780	4620	JavaUpdater.exe	107
PID 4620 wrote to memory of 564	4620	JavaUpdater.exe	109
PID 4620 wrote to memory of 564	4620	JavaUpdater.exe	109
PID 564 wrote to memory of 4336	564	cmd.exe	111
PID 564 wrote to memory of 4336	564	cmd.exe	111
PID 564 wrote to memory of 4368	564	cmd.exe	112
PID 564 wrote to memory of 4368	564	cmd.exe	112
PID 564 wrote to memory of 4148	564	cmd.exe	113
PID 564 wrote to memory of 4148	564	cmd.exe	113
PID 4148 wrote to memory of 2268	4148	JavaUpdater.exe	114
PID 4148 wrote to memory of 2268	4148	JavaUpdater.exe	114
PID 4148 wrote to memory of 3832	4148	JavaUpdater.exe	116
PID 4148 wrote to memory of 3832	4148	JavaUpdater.exe	116
PID 3832 wrote to memory of 560	3832	cmd.exe	118
PID 3832 wrote to memory of 560	3832	cmd.exe	118
PID 3832 wrote to memory of 3724	3832	cmd.exe	119
PID 3832 wrote to memory of 3724	3832	cmd.exe	119
PID 3832 wrote to memory of 1560	3832	cmd.exe	126
PID 3832 wrote to memory of 1560	3832	cmd.exe	126
PID 1560 wrote to memory of 2672	1560	JavaUpdater.exe	128
PID 1560 wrote to memory of 2672	1560	JavaUpdater.exe	128
PID 1560 wrote to memory of 3044	1560	JavaUpdater.exe	130
PID 1560 wrote to memory of 3044	1560	JavaUpdater.exe	130
PID 3044 wrote to memory of 652	3044	cmd.exe	132
PID 3044 wrote to memory of 652	3044	cmd.exe	132
PID 3044 wrote to memory of 5040	3044	cmd.exe	133
PID 3044 wrote to memory of 5040	3044	cmd.exe	133
PID 3044 wrote to memory of 2452	3044	cmd.exe	139
PID 3044 wrote to memory of 2452	3044	cmd.exe	139
PID 2452 wrote to memory of 2264	2452	JavaUpdater.exe	140
PID 2452 wrote to memory of 2264	2452	JavaUpdater.exe	140
PID 2452 wrote to memory of 2060	2452	JavaUpdater.exe	142
PID 2452 wrote to memory of 2060	2452	JavaUpdater.exe	142
PID 2060 wrote to memory of 2984	2060	cmd.exe	144
PID 2060 wrote to memory of 2984	2060	cmd.exe	144
PID 2060 wrote to memory of 4412	2060	cmd.exe	145
PID 2060 wrote to memory of 4412	2060	cmd.exe	145
PID 2060 wrote to memory of 2836	2060	cmd.exe	146
PID 2060 wrote to memory of 2836	2060	cmd.exe	146
PID 2836 wrote to memory of 4368	2836	JavaUpdater.exe	147
PID 2836 wrote to memory of 4368	2836	JavaUpdater.exe	147
PID 2836 wrote to memory of 4600	2836	JavaUpdater.exe	149
PID 2836 wrote to memory of 4600	2836	JavaUpdater.exe	149
PID 4600 wrote to memory of 2936	4600	cmd.exe	151
PID 4600 wrote to memory of 2936	4600	cmd.exe	151
PID 4600 wrote to memory of 4028	4600	cmd.exe	152
PID 4600 wrote to memory of 4028	4600	cmd.exe	152
PID 4600 wrote to memory of 2612	4600	cmd.exe	153
PID 4600 wrote to memory of 2612	4600	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe
"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2116
- C:\Windows\system32\Java\JavaUpdater.exe
  "C:\Windows\system32\Java\JavaUpdater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emI2pQFTVETG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3824
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1376
  - - C:\Windows\system32\Java\JavaUpdater.exe
      "C:\Windows\system32\Java\JavaUpdater.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m8jTyVZ1tL6o.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4336
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4368
      - C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kE3VCNs3HmIf.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3724
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqU7hByQZj2a.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5040
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wPHgy42qR5hz.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4412
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOh9s3P46ioM.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4028
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XZsmJFumbfvm.bat" "
        15⤵
        
        PID:3492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4672
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8UXJfh5eDxVy.bat" "
        17⤵
        
        PID:3576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4296
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHrdhRUvCAwp.bat" "
        19⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Heqf1xOBbft1.bat" "
        21⤵
        
        PID:4532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3584
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeDmWPe93JlR.bat" "
        23⤵
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4304
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEhT1hZr5ZTj.bat" "
        25⤵
        
        PID:4712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\izuTijULCLri.bat" "
        27⤵
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fRgq5xYSsW0I.bat" "
        29⤵
        
        PID:1920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
        
        C:\Windows\system32\Java\JavaUpdater.exe
        
        "C:\Windows\system32\Java\JavaUpdater.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3c6u8WcKyUCh.bat" "
        31⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JavaUpdater.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c6u8WcKyUCh.bat

Filesize
199B

MD5
64121b4cba67eb6410bc0360b4490f52

SHA1
053b521b7fab8d29cb9911161a9be7ecf61f2ac4

SHA256
9ec860b173073263f6626339c55afa7a6c4263e07ad1de99e75375de024b26d5

SHA512
434250e6ffefce9df98494aa6181a8c84bd405f8bee8bedbcccc29520f695e590b6b9dc69c0abc2d8e6f78d0307fd75ded43012a9a42c732546c1dd103f898ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UXJfh5eDxVy.bat

Filesize
199B

MD5
2e295c8f643f35e3d388798dfa0f7133

SHA1
43f26ff8ad427732a0c97e7c14e12338d2078b8e

SHA256
26108739f37ecf4e032d0142e1489fe651dda0425ffe8cdf468e02ecfcbe6c9f

SHA512
0bcf7919823f2bf62d476a517e51ab1cc1aa2021c72062203d03c7749024095ed298e2ee11b52edd3955273b0d90fd8f34eb2ac42ecf701cbf3fb60c8442df32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeDmWPe93JlR.bat

Filesize
199B

MD5
588558b4397c358818d59a535af362a2

SHA1
0306658779d1ed545b07226ec4376d1f2c182198

SHA256
31ebf90a175bb5e80f9ce0e52045ef61a84b47fff0d7c95735b1fe4423c99df5

SHA512
c909719969ad7adf84c1c1e5db4aa1db3f933e9ba881d06321af960f5653cd7f6e343ba75023667f808823db4de667901c141a3727e99d72c90c924b21d2a903

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heqf1xOBbft1.bat

Filesize
199B

MD5
57bfe71e07bfde68655b3e891bbbde22

SHA1
d714e548e4d602d0630e15246912a324d4cdbe97

SHA256
a22f987cfce799e641ac900991a868b5c8958fc1457cc0069676b62299d268d1

SHA512
42dd88cc568564b4f2523b97c2d158762e50101b7f6599e57024a3f8d6c30d04067dfc35ca8f646f4883823da457ed1e8fe652bda29a6aabd4592ebf44b04814

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqU7hByQZj2a.bat

Filesize
199B

MD5
0f55798c05380085ae79b36e403255c8

SHA1
bffab650dc6e1cd74131542dcd1ccc26b99fd86e

SHA256
d89b29be0316c5d14a0fa93d0e6cb97bc53dd878730a4b2aa1c2f6112c132710

SHA512
425415ee47aea8edc5e987e10fa9b591e8dc004a52ab3ad24bf53c05c3e9578b06b95783a6b53d3861d18a95ff376910e1081794c5266eb5f6a1b8cdde75f6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZsmJFumbfvm.bat

Filesize
199B

MD5
595a45cd852611cf95e2cf281c9275c8

SHA1
443800337a9c56bcc48193a4b02ecf25ae0be417

SHA256
60c464ad2f5e26fc93103d41b4b353c2ccf8379ec19a0e5a5c223a9d2ecaff20

SHA512
ac9294b140ede4e94fa0e568b36ed1e5f62afc0251455a54f12c1865dbe0a3950b0ecb8cf9a997137f912df9df15b8721efa69139adc91d84ad9e2a337b8883b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEhT1hZr5ZTj.bat

Filesize
199B

MD5
d4f5f5b83f91eed2873360c86a9716d2

SHA1
3934b98acd5c3c0806aaea12041eea1beebc0785

SHA256
6978c76035d8f8f159ca8f4e8991513badbe60c299d54741092439aa3a3d030d

SHA512
eaf3aca3cbe355d547087d105a6d9d5a262de50904d97d2691fc25c588a2cc333bd945fea8e61dac130f7336ba3987f9cc7228d8f0787ac64f0042173d3bb230

Download Submit
C:\Users\Admin\AppData\Local\Temp\emI2pQFTVETG.bat

Filesize
199B

MD5
71bb662edbbdb74f3bf207fb261abc22

SHA1
6b9169c3ae1cebf19cff5b81b4c354589505c2ae

SHA256
b4f613523f9e1f996c42194450d6d0d31bbb34bcb1c337a9facc8e78d687635e

SHA512
da9a96f14d3efc81c8775ff7f58371c63a29f1300ff600a2f8ccc2cccc75d3ac7cb907f4ef4d98ca3f01866097d0af4bdfb94612e9a6e464032943fa87f3e361

Download Submit
C:\Users\Admin\AppData\Local\Temp\fRgq5xYSsW0I.bat

Filesize
199B

MD5
508288b988701349acb58a43e975374f

SHA1
247937d337fc5ccd5a0d9ec897cf93b8799893b6

SHA256
cb65c6f54937dc024ef3991c996806058a922fdd79f730e07886e2ddfa6147cb

SHA512
3b7918baa8f91fd3ed2d7ba79e1dd0e683155279cc72299ab1aceb66d59bf105c22f165c7a258b33f8cf7b8fe29d7e76a30bee91cec89ae4f8d8aafde1993f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iHrdhRUvCAwp.bat

Filesize
199B

MD5
40f2de0dec3e5645a86fdc8972971b23

SHA1
3b123aa75e43f2f1f64bba883e4f4f4a79f134d3

SHA256
ddac9c17966cb1dc2da36cf918da9088c7095f3611a524479f008b317999cfae

SHA512
5dd78808b2603ee4ceb2db8ea2094cb1da661d62aa9567652f55229b9d7154ec784bf152013c9f5d02640a185d137c2972c3360635b75067583f98cc72c5336d

Download Submit
C:\Users\Admin\AppData\Local\Temp\izuTijULCLri.bat

Filesize
199B

MD5
73a44aff3d2f50511bc177ed6a746333

SHA1
6c91b9800abe9ca2f840ab2876aaab279a16e6a9

SHA256
c631ff0f6ad000fc61c204f6ac4dae834e3709a2434f5f799e2ead6b0df273c7

SHA512
85a0352555bfca704517ce1f9fafa15eaf9bd0b639324e1278e6fb4ed2a38a9175bc72170aba3a226bb08bec172d1e5232732676274b7ba10efd1d477794fca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kE3VCNs3HmIf.bat

Filesize
199B

MD5
d4064340d67f6521f3a3ded7627e1454

SHA1
9179fdd25c407d5aad2dbea90d11fbdade1e9a73

SHA256
5ae4ba003c79beee0cbbca8f63cfb332dfd34c734fd92c2285da072216a2d76d

SHA512
f8cd54464ba3261850840a3253d725b9a682b7ee0014d7749489e7e1ed72cefc53c4f861ee4fc891f3715df343fd58b1136595b0bf903848fbaffdd68d2d6ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\m8jTyVZ1tL6o.bat

Filesize
199B

MD5
0c66ae96adec758164c95df7efb336d7

SHA1
98ebe681de9bdd2ed8f0e2df18e59446bd9a1155

SHA256
e940b899744abc5f7d59c1128cbbcf57893608cd11e16dab92eb5497a0414448

SHA512
199b06664d01be9f9a61ed65525dced4eedb9d9a5179b47c984c1f13ab1261d2934794fc5d87b05e5359b3fccd1f45de518bf58acd15331fed00bab741fa2cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOh9s3P46ioM.bat

Filesize
199B

MD5
d1d39c8bc96687d260a1a29d951d5bde

SHA1
bb3f304ef268b9f479c89d43e41a4e1a9901a373

SHA256
37be42be27d45c93ac1741840eae9cef6483f00d69ad5eea7dfb6109753c9872

SHA512
2be7382671acbabf64120492c8228a03304576cd665d294ba35c9d3a9084532de33d3c4f38e0376dd27192b7e034be0b1a2365b31873fcd8b33623367fdfb3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wPHgy42qR5hz.bat

Filesize
199B

MD5
41069b4cfb2c5af844e52eca106adb61

SHA1
aca4f3b3424a3cf2308e925c330acc5538f0687b

SHA256
2f83e960d239b9a2ed9aef0182330112041ee2e7e9e5d1e991c020e3d55406cf

SHA512
18a08b48836818815ffac32729a9440ba784b2383036083c6efc8bab0e061887b56700d68637ad61b3449baa04e8ee29ebfcdbaa99629446a1653990a1b1f646

Download Submit
C:\Windows\System32\Java\JavaUpdater.exe

Filesize
3.2MB

MD5
0a717705a7797e35b6f5af62ffe43abb

SHA1
4c823754c6cebe13ae0aec7ba874318f20445145

SHA256
c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

SHA512
75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

Download Submit
memory/2372-0-0x00007FFAD2B93000-0x00007FFAD2B95000-memory.dmp

Filesize
8KB

Download
memory/2372-9-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/2372-2-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/2372-1-0x0000000000010000-0x000000000034E000-memory.dmp

Filesize
3.2MB

Download
memory/2536-18-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/2536-13-0x000000001BF30000-0x000000001BFE2000-memory.dmp

Filesize
712KB

Download
memory/2536-12-0x0000000002D00000-0x0000000002D50000-memory.dmp

Filesize
320KB

Download
memory/2536-11-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download
memory/2536-10-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads