Malware Analysis Report

2025-04-03 10:20

Sample ID 250312-bcw3haswb1
Target 0a717705a7797e35b6f5af62ffe43abb.bin
SHA256 59aadef5bc9181b1849f339e10498f28825a0e5a9b914b2f774b70d2a6ff30a3
Tags latentbot quasar hugrix discovery spyware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 59aadef5bc9181b1849f339e10498f28825a0e5a9b914b2f774b70d2a6ff30a3

Threat Level: Known bad

The file 0a717705a7797e35b6f5af62ffe43abb.bin was found to be: Known bad.

Malicious Activity Summary

latentbot quasar hugrix discovery spyware trojan

Quasar RAT

LatentBot

Quasar payload

Latentbot family

Quasar family

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-03-12 01:00

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2025-03-12 01:00

Reported 2025-03-12 01:03

Platform win10v2004-20250217-en

Max time kernel 145s

Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\Java\JavaUpdater.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Java C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File created C:\Windows\system32\Java\JavaUpdater.exe C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2372 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2372 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2372 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2536 wrote to memory of 1700 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2536 wrote to memory of 1700 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2536 wrote to memory of 3920 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 3920 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3920 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3920 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3920 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3920 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3920 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3920 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 4620 wrote to memory of 1780 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4620 wrote to memory of 1780 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4620 wrote to memory of 564 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 4620 wrote to memory of 564 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 564 wrote to memory of 4336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 564 wrote to memory of 4336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 564 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 564 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 564 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 564 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 4148 wrote to memory of 2268 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4148 wrote to memory of 2268 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4148 wrote to memory of 3832 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 4148 wrote to memory of 3832 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3832 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3832 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3832 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3832 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3832 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3832 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 1560 wrote to memory of 2672 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1560 wrote to memory of 2672 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1560 wrote to memory of 3044 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 3044 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3044 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3044 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3044 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3044 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3044 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2452 wrote to memory of 2264 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2452 wrote to memory of 2264 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2452 wrote to memory of 2060 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2452 wrote to memory of 2060 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2060 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2060 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2060 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2836 wrote to memory of 4368 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2836 wrote to memory of 4368 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2836 wrote to memory of 4600 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 4600 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 4600 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4600 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4600 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4600 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4600 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 4600 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emI2pQFTVETG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m8jTyVZ1tL6o.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kE3VCNs3HmIf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqU7hByQZj2a.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wPHgy42qR5hz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOh9s3P46ioM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XZsmJFumbfvm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8UXJfh5eDxVy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHrdhRUvCAwp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Heqf1xOBbft1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeDmWPe93JlR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEhT1hZr5ZTj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\izuTijULCLri.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fRgq5xYSsW0I.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3c6u8WcKyUCh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 prxprodquasar.zapto.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2372-0-0x00007FFAD2B93000-0x00007FFAD2B95000-memory.dmp

memory/2372-1-0x0000000000010000-0x000000000034E000-memory.dmp

memory/2372-2-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

C:\Windows\System32\Java\JavaUpdater.exe

MD5 0a717705a7797e35b6f5af62ffe43abb
SHA1 4c823754c6cebe13ae0aec7ba874318f20445145
SHA256 c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512 75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

memory/2536-10-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

memory/2372-9-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

memory/2536-11-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

memory/2536-12-0x0000000002D00000-0x0000000002D50000-memory.dmp

memory/2536-13-0x000000001BF30000-0x000000001BFE2000-memory.dmp

memory/2536-18-0x00007FFAD2B90000-0x00007FFAD3651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\emI2pQFTVETG.bat

MD5 71bb662edbbdb74f3bf207fb261abc22
SHA1 6b9169c3ae1cebf19cff5b81b4c354589505c2ae
SHA256 b4f613523f9e1f996c42194450d6d0d31bbb34bcb1c337a9facc8e78d687635e
SHA512 da9a96f14d3efc81c8775ff7f58371c63a29f1300ff600a2f8ccc2cccc75d3ac7cb907f4ef4d98ca3f01866097d0af4bdfb94612e9a6e464032943fa87f3e361

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JavaUpdater.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\m8jTyVZ1tL6o.bat

MD5 0c66ae96adec758164c95df7efb336d7
SHA1 98ebe681de9bdd2ed8f0e2df18e59446bd9a1155
SHA256 e940b899744abc5f7d59c1128cbbcf57893608cd11e16dab92eb5497a0414448
SHA512 199b06664d01be9f9a61ed65525dced4eedb9d9a5179b47c984c1f13ab1261d2934794fc5d87b05e5359b3fccd1f45de518bf58acd15331fed00bab741fa2cd8

C:\Users\Admin\AppData\Local\Temp\kE3VCNs3HmIf.bat

MD5 d4064340d67f6521f3a3ded7627e1454
SHA1 9179fdd25c407d5aad2dbea90d11fbdade1e9a73
SHA256 5ae4ba003c79beee0cbbca8f63cfb332dfd34c734fd92c2285da072216a2d76d
SHA512 f8cd54464ba3261850840a3253d725b9a682b7ee0014d7749489e7e1ed72cefc53c4f861ee4fc891f3715df343fd58b1136595b0bf903848fbaffdd68d2d6ba1

C:\Users\Admin\AppData\Local\Temp\MqU7hByQZj2a.bat

MD5 0f55798c05380085ae79b36e403255c8
SHA1 bffab650dc6e1cd74131542dcd1ccc26b99fd86e
SHA256 d89b29be0316c5d14a0fa93d0e6cb97bc53dd878730a4b2aa1c2f6112c132710
SHA512 425415ee47aea8edc5e987e10fa9b591e8dc004a52ab3ad24bf53c05c3e9578b06b95783a6b53d3861d18a95ff376910e1081794c5266eb5f6a1b8cdde75f6ba

C:\Users\Admin\AppData\Local\Temp\wPHgy42qR5hz.bat

MD5 41069b4cfb2c5af844e52eca106adb61
SHA1 aca4f3b3424a3cf2308e925c330acc5538f0687b
SHA256 2f83e960d239b9a2ed9aef0182330112041ee2e7e9e5d1e991c020e3d55406cf
SHA512 18a08b48836818815ffac32729a9440ba784b2383036083c6efc8bab0e061887b56700d68637ad61b3449baa04e8ee29ebfcdbaa99629446a1653990a1b1f646

C:\Users\Admin\AppData\Local\Temp\tOh9s3P46ioM.bat

MD5 d1d39c8bc96687d260a1a29d951d5bde
SHA1 bb3f304ef268b9f479c89d43e41a4e1a9901a373
SHA256 37be42be27d45c93ac1741840eae9cef6483f00d69ad5eea7dfb6109753c9872
SHA512 2be7382671acbabf64120492c8228a03304576cd665d294ba35c9d3a9084532de33d3c4f38e0376dd27192b7e034be0b1a2365b31873fcd8b33623367fdfb3dc

C:\Users\Admin\AppData\Local\Temp\XZsmJFumbfvm.bat

MD5 595a45cd852611cf95e2cf281c9275c8
SHA1 443800337a9c56bcc48193a4b02ecf25ae0be417
SHA256 60c464ad2f5e26fc93103d41b4b353c2ccf8379ec19a0e5a5c223a9d2ecaff20
SHA512 ac9294b140ede4e94fa0e568b36ed1e5f62afc0251455a54f12c1865dbe0a3950b0ecb8cf9a997137f912df9df15b8721efa69139adc91d84ad9e2a337b8883b

C:\Users\Admin\AppData\Local\Temp\8UXJfh5eDxVy.bat

MD5 2e295c8f643f35e3d388798dfa0f7133
SHA1 43f26ff8ad427732a0c97e7c14e12338d2078b8e
SHA256 26108739f37ecf4e032d0142e1489fe651dda0425ffe8cdf468e02ecfcbe6c9f
SHA512 0bcf7919823f2bf62d476a517e51ab1cc1aa2021c72062203d03c7749024095ed298e2ee11b52edd3955273b0d90fd8f34eb2ac42ecf701cbf3fb60c8442df32

C:\Users\Admin\AppData\Local\Temp\iHrdhRUvCAwp.bat

MD5 40f2de0dec3e5645a86fdc8972971b23
SHA1 3b123aa75e43f2f1f64bba883e4f4f4a79f134d3
SHA256 ddac9c17966cb1dc2da36cf918da9088c7095f3611a524479f008b317999cfae
SHA512 5dd78808b2603ee4ceb2db8ea2094cb1da661d62aa9567652f55229b9d7154ec784bf152013c9f5d02640a185d137c2972c3360635b75067583f98cc72c5336d

C:\Users\Admin\AppData\Local\Temp\Heqf1xOBbft1.bat

MD5 57bfe71e07bfde68655b3e891bbbde22
SHA1 d714e548e4d602d0630e15246912a324d4cdbe97
SHA256 a22f987cfce799e641ac900991a868b5c8958fc1457cc0069676b62299d268d1
SHA512 42dd88cc568564b4f2523b97c2d158762e50101b7f6599e57024a3f8d6c30d04067dfc35ca8f646f4883823da457ed1e8fe652bda29a6aabd4592ebf44b04814

C:\Users\Admin\AppData\Local\Temp\AeDmWPe93JlR.bat

MD5 588558b4397c358818d59a535af362a2
SHA1 0306658779d1ed545b07226ec4376d1f2c182198
SHA256 31ebf90a175bb5e80f9ce0e52045ef61a84b47fff0d7c95735b1fe4423c99df5
SHA512 c909719969ad7adf84c1c1e5db4aa1db3f933e9ba881d06321af960f5653cd7f6e343ba75023667f808823db4de667901c141a3727e99d72c90c924b21d2a903

C:\Users\Admin\AppData\Local\Temp\bEhT1hZr5ZTj.bat

MD5 d4f5f5b83f91eed2873360c86a9716d2
SHA1 3934b98acd5c3c0806aaea12041eea1beebc0785
SHA256 6978c76035d8f8f159ca8f4e8991513badbe60c299d54741092439aa3a3d030d
SHA512 eaf3aca3cbe355d547087d105a6d9d5a262de50904d97d2691fc25c588a2cc333bd945fea8e61dac130f7336ba3987f9cc7228d8f0787ac64f0042173d3bb230

C:\Users\Admin\AppData\Local\Temp\izuTijULCLri.bat

MD5 73a44aff3d2f50511bc177ed6a746333
SHA1 6c91b9800abe9ca2f840ab2876aaab279a16e6a9
SHA256 c631ff0f6ad000fc61c204f6ac4dae834e3709a2434f5f799e2ead6b0df273c7
SHA512 85a0352555bfca704517ce1f9fafa15eaf9bd0b639324e1278e6fb4ed2a38a9175bc72170aba3a226bb08bec172d1e5232732676274b7ba10efd1d477794fca8

C:\Users\Admin\AppData\Local\Temp\fRgq5xYSsW0I.bat

MD5 508288b988701349acb58a43e975374f
SHA1 247937d337fc5ccd5a0d9ec897cf93b8799893b6
SHA256 cb65c6f54937dc024ef3991c996806058a922fdd79f730e07886e2ddfa6147cb
SHA512 3b7918baa8f91fd3ed2d7ba79e1dd0e683155279cc72299ab1aceb66d59bf105c22f165c7a258b33f8cf7b8fe29d7e76a30bee91cec89ae4f8d8aafde1993f5a

C:\Users\Admin\AppData\Local\Temp\3c6u8WcKyUCh.bat

MD5 64121b4cba67eb6410bc0360b4490f52
SHA1 053b521b7fab8d29cb9911161a9be7ecf61f2ac4
SHA256 9ec860b173073263f6626339c55afa7a6c4263e07ad1de99e75375de024b26d5
SHA512 434250e6ffefce9df98494aa6181a8c84bd405f8bee8bedbcccc29520f695e590b6b9dc69c0abc2d8e6f78d0307fd75ded43012a9a42c732546c1dd103f898ae

Analysis: behavioral1

Detonation Overview

Submitted 2025-03-12 01:00

Reported 2025-03-12 01:03

Platform win7-20240903-en

Max time kernel 143s

Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File created C:\Windows\system32\Java\JavaUpdater.exe C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
File opened for modification C:\Windows\system32\Java C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A
File opened for modification C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Java\JavaUpdater.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\schtasks.exe
PID 1632 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\schtasks.exe
PID 1632 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\schtasks.exe
PID 1632 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 1632 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 1632 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 3012 wrote to memory of 860 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 860 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 860 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 2704 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2704 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2704 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2704 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2704 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2704 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2704 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2704 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2704 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2704 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2704 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2712 wrote to memory of 2720 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2712 wrote to memory of 2720 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2712 wrote to memory of 2720 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2712 wrote to memory of 2596 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2596 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2596 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2596 wrote to memory of 372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2596 wrote to memory of 372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2596 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2596 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2596 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2596 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2596 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2596 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2884 wrote to memory of 596 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 596 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 596 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 2792 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2792 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2792 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2792 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2792 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2792 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2792 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2792 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2792 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe
PID 2164 wrote to memory of 2260 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2164 wrote to memory of 2260 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2164 wrote to memory of 2260 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\schtasks.exe
PID 2164 wrote to memory of 676 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 676 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 676 N/A C:\Windows\system32\Java\JavaUpdater.exe C:\Windows\system32\cmd.exe
PID 676 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 676 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 676 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 676 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 676 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 676 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 676 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\Java\JavaUpdater.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe

"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1oimqLULYSx8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IhqzCyAqwa7h.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4cPh8hbWCyTe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiF2pPfrfF4R.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEgpcEcMccxZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3XwlpQQ9fcQu.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DrScEOTKtmVk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cH62OIpLkUAe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zxC3DXtRKmOt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\v2YjOJDZLzOl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kq3Td8Wbg1ED.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GRBKQBZuOQOj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OxEBsL6pa1u2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\seaZUiBVvPKg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Java\JavaUpdater.exe

"C:\Windows\system32\Java\JavaUpdater.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQJWe9n5BkSf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
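The process list above records two behaviours worth turning into detection logic: the sample (and later every JavaUpdater.exe instance) registers the "Java Updater" task with /sc ONLOGON and /rl HIGHEST, and each JavaUpdater.exe instance writes a .bat to %TEMP% that runs chcp 65001, sleeps with ping -n 10 localhost and relaunches the implant. The following is an added example, not part of the sandbox report, that hunts for both patterns in process-creation events. The PIDs and command lines are taken from the report's Processes and WriteProcessMemory tables; the event field names (pid, ppid, image, cmdline), the two benign filler events and the helper names are assumptions.

```python
"""Added detection example (not part of the sandbox report): flag (1) schtasks
persistence registered by a process running from a user-writable path or by
the task's own target, and (2) the cmd.exe -> chcp -> ping -n N localhost ->
relaunch chain driven by the dropped .bat files.  Event schema and the benign
filler events are assumptions; PIDs and command lines come from the report."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"
IMPLANT = r"C:\Windows\system32\Java\JavaUpdater.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
TASK_CMD = f'"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "{IMPLANT}" /rl HIGHEST /f'

# Constructed process-creation events (Sysmon event 1 style fields, assumed).
EVENTS = [
    {"pid": 1632, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2516, "ppid": 1632, "image": SCHTASKS, "cmdline": TASK_CMD},
    {"pid": 3012, "ppid": 1632, "image": IMPLANT, "cmdline": f'"{IMPLANT}"'},
    {"pid": 860, "ppid": 3012, "image": SCHTASKS, "cmdline": TASK_CMD},
    {"pid": 2704, "ppid": 3012, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\1oimqLULYSx8.bat" "'},
    {"pid": 2708, "ppid": 2704, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 856, "ppid": 2704, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2712, "ppid": 2704, "image": IMPLANT, "cmdline": f'"{IMPLANT}"'},
    # Benign filler (constructed): an admin-created daily task and a one-off ping.
    {"pid": 4200, "ppid": 1000, "image": SCHTASKS,
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd /c ping -n 1 localhost"},
    {"pid": 4104, "ppid": 4100, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 1 localhost"},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')                     # quoted token or bare word
_BAT = re.compile(r'([A-Za-z]:\\[^"]+\.bat)', re.I)      # first drive-rooted .bat path
_PING = re.compile(r"-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks_create(cmdline):
    """Return {tn, sc, tr, rl} for a 'schtasks /create' command line, else None."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    task = {"tn": None, "sc": None, "tr": None, "rl": None}
    for i, flag in enumerate(low):
        if flag in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            task[flag[1:]] = toks[i + 1]
    return task


def find_suspicious_tasks(events):
    """Flag task registrations whose creator runs from a user-writable path or
    whose target is the creating process itself (JavaUpdater.exe re-registers
    its own task); /rl and /sc are attached as context."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if basename(ev["image"]) != "schtasks.exe":
            continue
        task = parse_schtasks_create(ev["cmdline"])
        if not task or not task["tr"]:
            continue
        creator = by_pid.get(ev["ppid"])
        reasons = []
        if creator and any(s in creator["image"].lower() for s in USER_WRITABLE):
            reasons.append("creator runs from user-writable path")
        if creator and creator["image"].lower() == task["tr"].lower():
            reasons.append("task target is the creating process (self-persistence)")
        if not reasons:
            continue
        if (task["rl"] or "").upper() == "HIGHEST":
            reasons.append("runs with highest privileges")
        if (task["sc"] or "").upper() == "ONLOGON":
            reasons.append("logon trigger")
        hits.append({"pid": ev["pid"], "task": task, "reasons": reasons})
    return hits


def find_restart_chains(events):
    """Flag cmd.exe running a %TEMP% .bat whose children are a ping-based delay
    plus a relaunch of something other than a shell utility."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    utilities = {"chcp.com", "cmd.exe", "conhost.exe", "timeout.exe", "ping.exe"}
    hits = []
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        m = _BAT.search(ev["cmdline"])
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        delay, relaunched = None, []
        for child in children[ev["pid"]]:
            pm = _PING.search(child["cmdline"]) if basename(child["image"]) == "ping.exe" else None
            if pm:
                delay = int(pm.group(1))
            elif basename(child["image"]) not in utilities:
                relaunched.append(child["image"])
        if delay is not None and relaunched:
            hits.append({"pid": ev["pid"], "batch": m.group(1), "delay_s": delay, "relaunched": relaunched})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_tasks(EVENTS):
        print("TASK  pid=%d tn=%r tr=%r: %s" % (h["pid"], h["task"]["tn"], h["task"]["tr"], "; ".join(h["reasons"])))
    for h in find_restart_chains(EVENTS):
        print("CHAIN pid=%d %s -> sleep %ds -> %s" % (h["pid"], h["batch"], h["delay_s"], ", ".join(h["relaunched"])))
```

On the constructed events this reports the two "Java Updater" registrations (PIDs 2516 and 860) and the single batch-driven relaunch chain under PID 2704, while the daily backup task and the one-off ping pass. Keying the task rule on who created the task, rather than on the target path alone, is what separates this from a legitimate updater installed under C:\Windows; the ping-to-localhost delay on its own is too common in admin scripts to alert on without the relaunch child.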

Network

Country Destination Domain Proto
US 8.8.8.8:53 prxprodquasar.zapto.org udp

Files

memory/1632-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

memory/1632-1-0x0000000001390000-0x00000000016CE000-memory.dmp

memory/1632-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

C:\Windows\System32\Java\JavaUpdater.exe

MD5 0a717705a7797e35b6f5af62ffe43abb
SHA1 4c823754c6cebe13ae0aec7ba874318f20445145
SHA256 c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512 75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

memory/3012-8-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/1632-10-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/3012-9-0x0000000000EC0000-0x00000000011FE000-memory.dmp

memory/3012-11-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1oimqLULYSx8.bat

MD5 2873dbf84fafcc5051d36910555b8287
SHA1 704c645d25214436383f1ffb6db6009945106f3f
SHA256 070591d44424296b756ee069957e7441e7da7122fbbc3151970a9a38a3d8ee4f
SHA512 1cfdc4bf6d02095995354cb700392eacdbe4864fe848abf5ff7a2577463a362a25e7d94715173c59d1dc14971582c299ef5636d7c6a5770091b5bd51d436fc90

memory/3012-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IhqzCyAqwa7h.bat

MD5 38b9393f7ae240b2d58dae13c82bf618
SHA1 6d4077c966d568ebbccf13e96d774980d27bae8f
SHA256 3c247026654cc2d59f63b3a81c7d9a5f4f0b7d921122642b0267f8e9d8973b92
SHA512 0d03de8b0f43e197ba59b57636ffd4748bdd4affec3fd6857a4e82b8b6c5aeb71a8cbd927c22c784e81a2646c8a7eb101a62aaaebd0f2cb95ebdbe3b57e902ee

memory/2884-33-0x0000000000310000-0x000000000064E000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\4cPh8hbWCyTe.bat

MD5 8cc8fedb4bb70e02df478a64c26508be
SHA1 502f05cf583911e11921681c2460a9c9768a365e
SHA256 08978878252a87735f7e2b4d21fe70c317b92f8d44bc47b9cbd04d77d72f8f65
SHA512 b7b3363caa354d6b89d49fcd94f61cbc9efe52a31a9780cb7e23f9a415ea1b783f52c7e5506e57d303b10785071aeac47dce46672e1399f4c0de9612ddad4401

memory/2164-45-0x0000000000070000-0x00000000003AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aiF2pPfrfF4R.bat

MD5 4894f007f4a5f3a5945742e7f253a6ba
SHA1 d38e3536f3c6f3dfce3a3d98a66e5f8e469121d7
SHA256 d6fc24368b47039f65143dbe25821ad655977b260ce67e410cc21096d3aec8d3
SHA512 75adbaf08d3def9088169b6be6d71000e579d55f80e0056da8768520a28009237b84a7e814e8ed7b0dade2348e5144421e5bc1f5381506d0166698a29a8eed58

memory/1092-56-0x0000000000820000-0x0000000000B5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pEgpcEcMccxZ.bat

MD5 ffe0adf99ab59e78efc5df3d20085ee4
SHA1 8444f4a11a1999181adedfd821deb7a9e04e3f94
SHA256 befed449506eadb483a20fd625c50f4b93a9cfcffa49bacee2d003259f0e76f8
SHA512 2e6795eb9f13aba8a9c066ac7d6f0143b211ef5a39c23c620348db425ec4f76f12a7bf8d982d80eda5d4113e87397067f530aba3eb4b4dfd98f949a061e6a1ff

memory/3040-67-0x0000000001150000-0x000000000148E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3XwlpQQ9fcQu.bat

MD5 b20586b34ac79d1981dc53722b7df62d
SHA1 4934b8395811760d91f9536543a84970c39f3a04
SHA256 cd97274a2b216b57817f2df295b4fed27ed9d643542fb50338e5dbef629a7a18
SHA512 32c94955e0d38c27889dfdb49fc921895c0adfeee1f7f9f7914364848df739115606c0a583e853e6fde306dd42f8c0a376a965f9de6c427a257ced087a9ca601

C:\Users\Admin\AppData\Local\Temp\DrScEOTKtmVk.bat

MD5 5a79ac45b04fb73c90ba80632fa9d2dc
SHA1 b49e9f2e7b5a2b994beaac88d02eed5254ae69f7
SHA256 5aba75327c05ffee02349f43df2e9d68e4a3b80ec369981c321221e8efe9cdce
SHA512 7f2db2622189eb4bdbbe64a60d37879dbffc0477b1248e5f685011a6326699cff630ab6b8eea2e0bcba64c0f20ccc72d3589b6bd8c70ae2bbe1ba9fffadd572a

memory/2968-89-0x00000000001B0000-0x00000000004EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cH62OIpLkUAe.bat

MD5 5857fd335ac3c83eb3325a9d7854c547
SHA1 943826a5a99eec43afa5a82e9c9c672403084069
SHA256 a9f1b28695a1a290fd108b819189a74e841ab70450df8e2eb56f9037bf6b5fcf
SHA512 a3c40b6a8988670e18528ee9ec15e409196fe112ec3995d53a382830f57980ac251618e3fdb56f1bfa31658db81193b0d86ff29d6240ea8a8c10dbc2a1bf6b76

memory/2092-100-0x0000000000190000-0x00000000004CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zxC3DXtRKmOt.bat

MD5 3bda7c4c5781a5baa2682bad5d0db405
SHA1 668355201f743142095fb6c81a94fbb9c283a8c2
SHA256 b8813f65f2c177fadf6810ef7e2046e2263f206876117bb804c379684de1aa2e
SHA512 40bd122a6cf8e8b46a870eaa0fd98296153506559e6366ce7a4294ad9628b717f2ee7cba6b7efc5e5c355c825293ae88dffbc3aed0b3e8703da8296da26cc48a

memory/588-111-0x0000000000E30000-0x000000000116E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v2YjOJDZLzOl.bat

MD5 9eabe1c74156cf61054ee40375164829
SHA1 14812f020a93fac733b10e32525eaa29d1a94cea
SHA256 3926f4d00a42e67787632b6bd587aad8d9b2fd7d2b69d444ad9544e743b2d493
SHA512 8e8ef1c9f31f50736964a5a2fd1d760b850fc94b21fccbf5c8fa01ea11c4db016446955d8cee6ff4b7517c5b65a713d59393340f67ab4fe10b1b220d00c2511e

memory/2128-122-0x0000000000E40000-0x000000000117E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kq3Td8Wbg1ED.bat

MD5 9c1ce88cfe67293b17903a7665f831b0
SHA1 d11bd7ecd534db1b0bd7e6770b78b371d6d8ed58
SHA256 7fe001cc819bba2689eee126efd0dda296bf72e9b88953e5c1487c1f64012d3a
SHA512 cf19e0ecbbb1b7609e7c03e9ada5ae83dd054f38f6a04833eb9da191dd68f4fd37414f5a39001ac52dce615ee75c08b88588c2c6640e256d9f34c7aa4d1f2789

memory/992-133-0x0000000000FD0000-0x000000000130E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GRBKQBZuOQOj.bat

MD5 48e7741884e2b04f29b97ee4f2eb827a
SHA1 941a02de9d0e02af2ce491a566e7c805e63400b0
SHA256 36fa01092216cee2fdc0d324489256c2667bc17d1d9aa9be7afac45e6ea36397
SHA512 6f9acf7a718fee58523dd2ecea14be126fd22628e7404b33d046ee69eb86ea401e6580e6a40544aa7de4493d41c791f9cb244c489c81bb1b12d2e844f3d8dc8c

memory/1708-144-0x0000000000080000-0x00000000003BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OxEBsL6pa1u2.bat

MD5 22220ec1aafc16c86db193feb5d558c0
SHA1 83b544e78025aa3b51e783ffc91b1afca9cb18b3
SHA256 c1866866518e7db06369f7035e62e56f5137037bdc93fb56771aa1c6b71cb189
SHA512 4d404d5faad4ab312beac3e7f1cced7fed80b0d1dd3118b0a92dea2e5a03e4d5ab78c58a46e62b365c3b3cced4c8f16dbb9229515690ae6bba594af3f9ddf93f

memory/1564-155-0x0000000000E20000-0x000000000115E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\seaZUiBVvPKg.bat

MD5 512f2603a4db4f9dc2b699328364d558
SHA1 ca246f815c0ceb651565d818779b4d8cabd95292
SHA256 c9d4c7bae96e9263b3324d6f06f8b071425bc36bf84e177832b9451acb5a6c86
SHA512 e5a39da1febefa5fcc9cb992475e40e5f49f8fe0ad879da7d230212f2dda63c2bc10a11fb33b42487efc25654c0df124a17d596c5c1b6a4e6bb3981ba546e6c8

memory/2952-166-0x00000000011A0000-0x00000000014DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GQJWe9n5BkSf.bat

MD5 86afc3bfeef0c804b9b37a302d995d68
SHA1 5d5d95c1711ed60c8a2fa8584273fb39de41908b
SHA256 f41788a3bdaf2160d656bc02f2846d062f62d7b301945e76631bc7fc3219ea7b
SHA512 55d87c2e7fe0dac92fbdda5f8f79cf99ab37b700f6c707c2371d8d31ebe101932fdf15a4a08adf9a5a0818c50196d7cc6b535ae1db87808fa1a82436c81bbd5b
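Three things an analyst should pull out of the Files section: the JavaUpdater.exe written to System32\Java carries the same SHA256 as the submitted executable (whose file name is its own SHA256), so it is a straight self-copy rather than a second-stage payload; the \??\PIPE\lsarpc entry carries the digests of zero bytes (d41d8cd9... / da39a3ee... / e3b0c442...), so it records a pipe handle the sandbox read nothing from and is not a file indicator; and the .bat entries under %TEMP% are the restart scripts seen in the process list. The following is an added example, not part of the sandbox report, that parses the report's path/hash blocks and answers those questions. The excerpt string is copied from the Files section above; the helper names and the excerpt's selection of entries are assumptions.

```python
"""Added example (not part of the sandbox report): parse the Files section's
'path / MD5 / SHA1 / SHA256 / SHA512' blocks and report zero-length reads,
byte-identical copies of the submitted sample, and dropped %TEMP% batch files.
The excerpt is copied from the report; helper names are assumptions."""
import hashlib
import re

# Excerpt of the Files section above (verbatim paths and digests).
REPORT_EXCERPT = r"""
memory/1632-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

C:\Windows\System32\Java\JavaUpdater.exe

MD5 0a717705a7797e35b6f5af62ffe43abb
SHA1 4c823754c6cebe13ae0aec7ba874318f20445145
SHA256 c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512 75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

C:\Users\Admin\AppData\Local\Temp\1oimqLULYSx8.bat

MD5 2873dbf84fafcc5051d36910555b8287
SHA1 704c645d25214436383f1ffb6db6009945106f3f
SHA256 070591d44424296b756ee069957e7441e7da7122fbbc3151970a9a38a3d8ee4f
SHA512 1cfdc4bf6d02095995354cb700392eacdbe4864fe848abf5ff7a2577463a362a25e7d94715173c59d1dc14971582c299ef5636d7c6a5770091b5bd51d436fc90

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\IhqzCyAqwa7h.bat

MD5 38b9393f7ae240b2d58dae13c82bf618
SHA1 6d4077c966d568ebbccf13e96d774980d27bae8f
SHA256 3c247026654cc2d59f63b3a81c7d9a5f4f0b7d921122642b0267f8e9d8973b92
SHA512 0d03de8b0f43e197ba59b57636ffd4748bdd4affec3fd6857a4e82b8b6c5aeb71a8cbd927c22c784e81a2646c8a7eb101a62aaaebd0f2cb95ebdbe3b57e902ee
"""

# The detonation command line from the report; the file name is the sample's SHA256.
SAMPLE_CMDLINE = r'"C:\Users\Admin\AppData\Local\Temp\c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e.exe"'

ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
EMPTY_DIGESTS = {name: fn(b"").hexdigest() for name, fn in ALGOS.items()}  # digests of zero bytes
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_file_records(text):
    """Turn the report's path/digest blocks into dicts.  Memory-dump entries
    have no digests and come back with only a path."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = _HASH_LINE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).lower()
        else:
            cur = {"path": line}
            records.append(cur)
    return records


def sample_sha256_from_cmdline(cmdline):
    """The submitted file is named after its SHA256; pull it out of the command line."""
    m = re.search(r"([0-9a-fA-F]{64})\.exe", cmdline)
    return m.group(1).lower() if m else None


def empty_content_records(records):
    """Entries whose SHA256 is that of zero bytes: the sandbox read nothing from
    them (here a named pipe), so they are not content indicators."""
    return [r["path"] for r in records if r.get("SHA256") == EMPTY_DIGESTS["SHA256"]]


def self_copies(records, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [r["path"] for r in records if r.get("SHA256") == sample_sha256]


def dropped_batch_files(records):
    """Batch scripts written under %TEMP% (the restart scripts run via cmd /c)."""
    return [r["path"] for r in records
            if r["path"].lower().endswith(".bat") and "\\temp\\" in r["path"].lower()]


def hashes_are_well_formed(records):
    """Sanity check: every digest has the hex length its algorithm produces."""
    return all(len(r[a]) == ALGOS[a]().digest_size * 2 for r in records for a in ALGOS if a in r)


if __name__ == "__main__":
    recs = parse_file_records(REPORT_EXCERPT)
    sha = sample_sha256_from_cmdline(SAMPLE_CMDLINE)
    print("sample sha256:  ", sha)
    print("self-copies:    ", self_copies(recs, sha))
    print("empty reads:    ", empty_content_records(recs))
    print("restart scripts:", dropped_batch_files(recs))
    print("digests OK:     ", hashes_are_well_formed(recs))
```

The practical consequence for blocking: the only new executable content on disk is the sample itself, so a file hash indicator for JavaUpdater.exe is the same as the one for the submission, while the per-run .bat files have unique digests (each run writes a differently named script) and are better matched on path and parent process than on hash. The empty-digest check is worth keeping in any triage script, since sandbox file lists routinely include handles whose "content" hashes are just the empty-input constants.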