Malware Analysis Report

2025-08-11 08:37

Sample ID 241103-evtlwatqft
Target LK Rat.jar
SHA256 74148c3575a944b44668549c4a25c9a02a822b464c70c20d91cef1866fd54e9c
Tags
discovery persistence evasion execution
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

74148c3575a944b44668549c4a25c9a02a822b464c70c20d91cef1866fd54e9c

Threat Level: Shows suspicious behavior

The file LK Rat.jar was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence evasion execution

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

JavaScript

Resource Forking

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 04:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 04:16

Reported

2024-11-03 04:46

Platform

win10ltsc2021-20241023-en

Max time kernel

1775s

Max time network

1800s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\LK Rat.jar"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607381620.tmp" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607382417.tmp" C:\Windows\system32\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3636 wrote to memory of 4564 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
PID 3636 wrote to memory of 4564 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
PID 3636 wrote to memory of 2680 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 3636 wrote to memory of 2680 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 3636 wrote to memory of 3296 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3636 wrote to memory of 3296 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3296 wrote to memory of 3572 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 3296 wrote to memory of 3572 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4564 wrote to memory of 1580 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 4564 wrote to memory of 1580 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 4564 wrote to memory of 2980 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4564 wrote to memory of 2980 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2980 wrote to memory of 3408 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 2980 wrote to memory of 3408 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4564 wrote to memory of 4156 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4564 wrote to memory of 4156 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4156 wrote to memory of 888 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4156 wrote to memory of 888 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4564 wrote to memory of 3448 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4564 wrote to memory of 3448 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4564 wrote to memory of 4744 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre-1.8\bin\java.exe
PID 4564 wrote to memory of 4744 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre-1.8\bin\java.exe
PID 3448 wrote to memory of 4752 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 3448 wrote to memory of 4752 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\LK Rat.jar"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\pULHfy895942203317978330.tmp

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381620.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381620.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381620.tmp" /f

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607382417.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607382417.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607382417.tmp" /f

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f"

C:\Windows\system32\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /f

C:\Windows\SYSTEM32\cmd.exe

cmd /c ping localhost -n 6 > nul && del C:\Users\Admin\AppData\Local\Temp\pULHfy895942203317978330.tmp

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java" -cp C:\Users\Admin\AppData\Local\Temp\pULHfy895942203317978330.tmp org.bridj.Platform$DeleteFiles C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588\bridj.dll C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588 C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588\OpenIMAJGrabber.dll

C:\Windows\system32\PING.EXE

ping localhost -n 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
CA 64.39.174.60:23750 tcp
US 8.8.8.8:53 60.174.39.64.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
CA 64.39.174.60:23750 tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
CA 64.39.174.60:23750 tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp

Files

memory/3636-2-0x0000024305380000-0x00000243055F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pULHfy895942203317978330.tmp

MD5 ea32d3a9a0a4c7dd26bc75b770b8d6e6
SHA1 79dd917e26e45af4e20a19592bbaa88c44629a76
SHA256 68de0bf850720a72c68ea6cec582131b176222cfc90856b744c35bde551f57d3
SHA512 6602ab5c0f36611e5ffec8f4f077d72f7b9858fec7104b0ad8ad0bf4b5c3ebf1d0fbf9ed53720c4dd0a6d288b3b1b050c2e9cc34f54361d811f49b19980a7a47

memory/4564-21-0x000002209AB10000-0x000002209AD80000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 e4fef829f55c5835f5b2080bbb1a5606
SHA1 4e638a5cc62b5632eef009ca4879539b310fee1e
SHA256 76078661cc809e27745d1517647c6060f9cecf49b904ec5d59f74ca3f38963c5
SHA512 11aa7d21d87fb601b710c4ae9d8790ec9debb273be88338eee0310ef61d932c2513e9a76ed53ceb8391ea8d2455d2dd14f1550598d2725291f560decf5bb2609

memory/3636-30-0x0000024305600000-0x0000024305610000-memory.dmp

memory/3636-29-0x00000243055F0000-0x0000024305600000-memory.dmp

memory/3636-41-0x0000024305640000-0x0000024305650000-memory.dmp

memory/3636-39-0x0000024305630000-0x0000024305640000-memory.dmp

memory/3636-38-0x0000024305620000-0x0000024305630000-memory.dmp

memory/3636-37-0x0000024305610000-0x0000024305620000-memory.dmp

memory/3636-45-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-44-0x0000024305650000-0x0000024305660000-memory.dmp

memory/3636-50-0x0000024305660000-0x0000024305670000-memory.dmp

memory/3636-52-0x0000024305670000-0x0000024305680000-memory.dmp

memory/3636-55-0x0000024305680000-0x0000024305690000-memory.dmp

memory/3636-60-0x0000024305690000-0x00000243056A0000-memory.dmp

memory/3636-59-0x0000024305380000-0x00000243055F0000-memory.dmp

memory/3636-67-0x0000024305600000-0x0000024305610000-memory.dmp

memory/4564-73-0x000002209ADA0000-0x000002209ADB0000-memory.dmp

memory/3636-72-0x0000024305630000-0x0000024305640000-memory.dmp

memory/4564-77-0x000002209ADB0000-0x000002209ADC0000-memory.dmp

memory/3636-76-0x0000024305620000-0x0000024305630000-memory.dmp

memory/3636-75-0x0000024305610000-0x0000024305620000-memory.dmp

memory/3636-66-0x00000243055F0000-0x0000024305600000-memory.dmp

memory/4564-65-0x000002209AD90000-0x000002209ADA0000-memory.dmp

memory/4564-64-0x000002209AD80000-0x000002209AD90000-memory.dmp

memory/4564-63-0x000002209AB10000-0x000002209AD80000-memory.dmp

memory/4564-78-0x0000022099230000-0x0000022099231000-memory.dmp

memory/4564-82-0x000002209ADC0000-0x000002209ADD0000-memory.dmp

memory/3636-81-0x0000024305640000-0x0000024305650000-memory.dmp

memory/3636-87-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/4564-88-0x0000022099230000-0x0000022099231000-memory.dmp

memory/3636-105-0x0000024305650000-0x0000024305660000-memory.dmp

memory/4564-106-0x0000022099230000-0x0000022099231000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-870806430-2618236806-3023919190-1000\83aa4cc77f591dfc2374580bbd95f6ba_f8cb507d-35a1-48c2-aef3-a249a39aae63

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/3636-116-0x0000024305660000-0x0000024305670000-memory.dmp

memory/4564-117-0x0000022099230000-0x0000022099231000-memory.dmp

memory/3636-119-0x0000024305670000-0x0000024305680000-memory.dmp

memory/4564-120-0x0000022099230000-0x0000022099231000-memory.dmp

memory/3636-121-0x0000024305680000-0x0000024305690000-memory.dmp

memory/3636-126-0x0000024305690000-0x00000243056A0000-memory.dmp

memory/4564-127-0x000002209AD80000-0x000002209AD90000-memory.dmp

memory/4564-128-0x000002209AD90000-0x000002209ADA0000-memory.dmp

memory/4564-129-0x000002209ADA0000-0x000002209ADB0000-memory.dmp

memory/3636-130-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-131-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/4564-136-0x000002209ADB0000-0x000002209ADC0000-memory.dmp

memory/4564-137-0x000002209ADC0000-0x000002209ADD0000-memory.dmp

memory/3636-139-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-150-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-165-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-167-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-176-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-175-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-193-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-205-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-212-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-218-0x0000024303B20000-0x0000024303B21000-memory.dmp

memory/3636-231-0x0000024303B20000-0x0000024303B21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\imageio1649898983950272527.tmp

MD5 a3fd87970caee840ceece9d5f03705cd
SHA1 1ffab512b78568dbb851b1afd5a59aada4b9f517
SHA256 96f81802a005cab4416fe2667a969d614b47fd51287ddb312d429b592554ddf3
SHA512 551dfd67d9cf9057f69d884522169b39d2c0775cac08329829cb6c3691725c32f25be6ca75e6f116dbc2d248d46ebc276ac8fde0d51324cf709acbbfb0faf055

C:\Users\Admin\AppData\Local\Temp\imageio5178256615677831783.tmp

MD5 a849b8a304f12e6bbf2a28f81be42ca4
SHA1 d84561551274349e34df3bed6bdb141548057831
SHA256 102e104b20b3ed98a8f2ef238f40b111f4a8edbba38be2314b23027e2878f51b
SHA512 be3981bca6e57fd3acc21f37a0509e57524c3bb497fa75e67ebe896d3b254103fd943f8e7e10dd5cc24e168a195800041673b4f9cd2e3bc8915b5df56d87c7bd

C:\Users\Admin\AppData\Local\Temp\imageio940787065608812075.tmp

MD5 cd0c2043597804c30094da08dbd2ec9a
SHA1 ddc0fc70e620df19a150425f4d66ab930a58e98d
SHA256 1aaaa86dd3757d589325b3fd34a98948cb38c60d6ed6302380291a4600c01734
SHA512 a8a32c3194a725293165d065151b6d6c5ef8bc10a09dca5655df4d309a876f9f613ae51eccd42c47eaf510289f1626eecb02f6b80c19cd9287996022f07e1d19

C:\Users\Admin\AppData\Local\Temp\imageio1885075669698556530.tmp

MD5 99f63bc3411fb5e0d8341d148e90728f
SHA1 8e93e18e223574d591b38d26d27ef6b76ec0e2de
SHA256 44a9b7b4c03a1d80bcf40103320be2e07af556a93117f2ff2cd4addc1e1cd92d
SHA512 5a244a2f966073ef644bb1f12662729ba82fee09b8fab112f91dc2c7c2f2145a163150a9a263df69cc7c96ba4e08ca5b38e5adfe54863ea1c49c97e54e82055f

C:\Users\Admin\AppData\Local\Temp\imageio3204320663984823416.tmp

MD5 7cf685211ab057057348162d17a3b241
SHA1 d0c9ad2894189714a2bd2dd771781033d77e4e55
SHA256 6538a9e54498dc9bd08870ced04865d46d66d32640b18f8eb076a0df15c78d4d
SHA512 14e1c5deb8c359ab8eae8169596044d9f6a3099174cb379acb51af74a0c668a926dcc72fd69033416c1f64aa21dceb42c59d55ae62127fdd64259f94ec8cfe13

C:\Users\Admin\.plugins\.libraries\jna70

MD5 b22ef746fd14c702e5bd29b466c6312b
SHA1 19674f9167c56c0bbdaa3a4a48277b802e480000
SHA256 121f7a1d3aa9f538fd4710fd3a2175a7f062e1260d3e2df83752512a28f290d6
SHA512 0b1757fb6d17077b1046c73909623ddb180c6a02b872bcbb9aef40fceb9ed6ff268438e7cb62b9c5ce4c2fd944ea99cf4aa9d2d4b31d70806f1ba607fdb05b6e

C:\Users\Admin\.plugins\.libraries\jnh40

MD5 de6cf300c801226d4b19e4fdc258975e
SHA1 49e72ddee45ca9cf332c50b4c716781ac0df07fd
SHA256 41565e543a043ee2073a0b3d93082b78614d2241aa2c6669e05385d94511851c
SHA512 1a152efe851bd1fb029924f4854a9374f0fbb8a78b5a73efd49b5807f45e7ffccac7ca780cc1bdf3090eda6e491b2e4afb57162efafba274196d92cb972fc05c

C:\Users\Admin\AppData\Local\Temp\JNativeHook-2.1.0.x86_64.dll

MD5 0285a117e67739776220c34ef08b2d43
SHA1 d32e6b1128407a7e59eff481c8643a116aa2f56a
SHA256 332c71776659988159f98e0e6621b1e37694a7a57f954e0c5ca2f95c939b8f59
SHA512 7a967cb11d5bb80adda24cd966aa4d389a54cb156e0b74406dd09023c48a39490b8cb18d84fa840c107b73e7008981a049544248dbce8c9e43bba212ed8352d2

C:\Users\Admin\.plugins\.libraries\wbcm40

MD5 4331bdf536b724b5c49cfa83e89f55cb
SHA1 a9442345f3aa6f4e61fd9516b800f5fbb00d56b7
SHA256 54a8a2f553e7448eb01c90ed5d40fa1d61be15706131206d155ea3a2f70593ab
SHA512 4fbf66406871873b508a516178fee2bd7cbff9a44942b1f86c8c874057a08402a89b56342dbe5d81ae35fff4624a7b32f294898b99ee50585455b928245c32ee

C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588\bridj.dll

MD5 eb31babd3452d99aeab24f0655e7610a
SHA1 3250d3ffa350d0d41fec53d7cbd73d7351b958e7
SHA256 ab1c3d1211903f7cd938702d806c423fbc32414589a5a4f77b6d4f999a7b6c02
SHA512 f5f81648c5462d1b19d2eac414a7afe8898c69436ca153f04a4862d6e267a939ddc2bd46a6a8df89d46d7703f7ad25700b2360b4882d79a5510629014973431e

C:\Users\Admin\AppData\Local\Temp\BridJExtractedLibraries6414967750426932588\OpenIMAJGrabber.dll

MD5 85f770f1418eac0ce7ba2858af58e728
SHA1 00dccd40f789ad5f3bff3954955f3c9f1b5eb0e0
SHA256 dc5671b2816a4c93d47193b9481aec9cad587414a5d5a3a51fc410abdef412cc
SHA512 d24cef1bb8bba8f0baed8ab71f995b04176b601128a607d37ba5747539a0458d06083a507ed2e7c20a34585ca98d9e2a5881336ad971edb065c7f9dc865bfc4f

C:\Users\Admin\.plugins\.libraries\pr60

MD5 137a448313d5b6d19279833d841b3590
SHA1 6ed5b437fb5c03879e8c1afcc0d97df4b7f1bbcd
SHA256 de349716e627e245e4b17fd487dba4033dbc92e5e22fb950c25514700334f97e
SHA512 6cca760abb063e97404cdd43a633c19f4afe459a1b975857e24040f503a77ab812c4347b150f4f3410522002a3c4365161cf4508b1e9d8e53987e3799638f573

C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna1349542195846350125.dll

MD5 719d6ba1946c25aa61ce82f90d77ffd5
SHA1 94d2191378cac5719daecc826fc116816284c406
SHA256 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b

C:\Users\Admin\AppData\Local\Temp\sqlite-unknown-e2e5f399-3ace-4d02-875b-0278fa68c90a-sqlitejdbc.dll

MD5 98eac6ad76d39e73967252542f6f40e4
SHA1 76923dd88c42c2536e969009927282025be4e79d
SHA256 51cc105f172859e6866f3cad5c99188663be503cd4bb618c946b0c83faabf0b8
SHA512 076bd432b21220f023b861b3d31aabb702386e073209b54d0401058f67aa3205938909a32637f48770e63c0ff512338248a8c1131cd5159daf8eec35249ca7ef

C:\Users\Admin\AppData\Local\Temp\imageio1134102006538769684.tmp

MD5 cc8fbb4440ae04418928c8d42e4ccb21
SHA1 bbbeed8e96bcfa4dfd977441a83566dbc638e079
SHA256 cd899a1183aeeac6a4c6a0f17d8af1845d244896d7e9fd309b1f486d918f89c0
SHA512 569892d513c1c56ceac24ee757e4868a14b4c3a5084c2b21192a36a171dd5240914621a203ebacb0ada0d65fc406c31be8346445fb3a86c0280515006376472c

C:\Users\Admin\AppData\Local\Temp\imageio7269693736234604634.tmp

MD5 3338aa57aaaded7c314425d22be5483e
SHA1 b09b6bc78079488dba2112e92a5ca59388f0d382
SHA256 6ec54458e0593bd19cb9437e7c778d913c8cdf942bb0396e34866fae1aa96767
SHA512 d3c3c6c1a4ea7bd6c68c502bc2c720ae79d54f31062a55aac280d05e4ce27224a42e092fc3b9d0639e575722825b071e7d52b1a284fc20a0d4a30dbbb5bbf3f2

C:\Users\Admin\AppData\Local\Temp\imageio8431991807119653724.tmp

MD5 023126c0696b39485af6f57eb2911cdf
SHA1 60d74b4d1bc3b6f192b26c859bbafb23b8e4c9c9
SHA256 3d3c6dddbc54af1b647adab3fd9e84731891df92fdca5ddc5925496f5197f40a
SHA512 cb9c7ffb498855f3e5beace260029b860c9f22f35bc921e133574e1122c764ada17d0de5e6405a7e093ac48a8ff7f5c4ae0579af68bec8e0af1ecb32f640291b

C:\Users\Admin\AppData\Local\Temp\imageio6483592888713931545.tmp

MD5 b04d66da7b58ca382de0823bb8289f83
SHA1 f1cda021b46b23b6dd492efc1b4836ec66ecfe8a
SHA256 2aeb1f880743aa3a8fadf54c21ddbeb03e8dc335aea4d51a7ff4125b36ff77dd
SHA512 78afe40dfe9c0a55442bd8744ee0471898058d3f7898167dc47183ab58e5d2453155983e1ce59271baac3c3995c0c9a561513fdfc0d523f7f9fe216876200dce

C:\Users\Admin\AppData\Local\Temp\imageio7242620488406760401.tmp

MD5 21c3facdf1026c2dd79f0110eb9f7f0f
SHA1 93e0449d1e8a845a6253762b2af0d57efe97e036
SHA256 fb88993dd5cab2af179a4d0818b1114f17b6dd07f122370ef03da6c88f14afa2
SHA512 680ac6318c04416b26e3dc8192bdee5be269bd33ec422ca1700cc0b886f15e55a4d64dda0f0113cc3d7b7315b6cd61b37d2de4fec4fba5a04fc0a92f65c5761c

C:\Users\Admin\AppData\Local\Temp\imageio101858737201356375.tmp

MD5 c6545ac56e958270088b4842f484756b
SHA1 f6381b020b0e2e6d8e26babfb0b65aa19522c527
SHA256 b2483dd24cc16817588d7fa3d9ab0c18d710e806c81bec419e7b918b4b07564c
SHA512 135e8bc052a56de4ddacb9fafea36657b09ed6a5e41d9ddb94a53adfe89ef0f6aeb9d41036949329c6a3d6f0d4375cbbcf8c09d0de4626ef14dc5a02edcb4e95

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4564-5296-0x000002209AD90000-0x000002209ADA0000-memory.dmp

memory/4564-5297-0x000002209AD80000-0x000002209AD90000-memory.dmp

memory/4564-5298-0x000002209AB10000-0x000002209AD80000-memory.dmp

memory/4564-5301-0x000002209ADC0000-0x000002209ADD0000-memory.dmp

memory/4564-5300-0x000002209ADB0000-0x000002209ADC0000-memory.dmp

memory/4564-5299-0x000002209ADA0000-0x000002209ADB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\imageio8391449983481194295.tmp

MD5 8de294160f203eb55b8b5501ba785a48
SHA1 12726c32898647770a9a9ca3c5a89c8c203fa06b
SHA256 5768f893300d7260542dd79dad6ba7f17581559f902a72348079458c2e3f2490
SHA512 bdb8ac4c9497ca0725dbb6b92f83f254465737c383e27e611f39a859a5ec9f1e6bdd9a44b97ff2899e661d625a4a12862780fc23abb7a4b1ebfece48709f16d6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 04:16

Reported

2024-11-03 04:32

Platform

win11-20241007-en

Max time kernel

873s

Max time network

967s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\LK Rat.jar"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607380598.tmp" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1730607381239.tmp" C:\Windows\system32\reg.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 1572 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
PID 1288 wrote to memory of 1572 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
PID 1288 wrote to memory of 3668 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 1288 wrote to memory of 3668 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 1288 wrote to memory of 3220 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1288 wrote to memory of 3220 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3220 wrote to memory of 1028 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 3220 wrote to memory of 1028 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 1572 wrote to memory of 2540 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 1572 wrote to memory of 2540 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\attrib.exe
PID 1572 wrote to memory of 3156 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1572 wrote to memory of 3156 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3156 wrote to memory of 1544 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 3156 wrote to memory of 1544 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4280 wrote to memory of 2068 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\splwow64.exe
PID 4280 wrote to memory of 2068 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\splwow64.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\LK Rat.jar"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\pULHfy60799363049740799.tmp

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607380598.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607380598.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607380598.tmp" /f

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381239.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381239.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607381239.tmp" /f

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RepairRedo.xlsx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
CA 64.39.174.60:23750 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
CA 64.39.174.60:23750 tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
CA 64.39.174.60:23750 tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp

Files

memory/1288-2-0x000002143E510000-0x000002143E780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pULHfy60799363049740799.tmp

MD5 ea32d3a9a0a4c7dd26bc75b770b8d6e6
SHA1 79dd917e26e45af4e20a19592bbaa88c44629a76
SHA256 68de0bf850720a72c68ea6cec582131b176222cfc90856b744c35bde551f57d3
SHA512 6602ab5c0f36611e5ffec8f4f077d72f7b9858fec7104b0ad8ad0bf4b5c3ebf1d0fbf9ed53720c4dd0a6d288b3b1b050c2e9cc34f54361d811f49b19980a7a47

memory/1572-21-0x0000024A6AE80000-0x0000024A6B0F0000-memory.dmp

memory/1288-27-0x000002143E790000-0x000002143E7A0000-memory.dmp

memory/1288-26-0x000002143E780000-0x000002143E790000-memory.dmp

memory/1288-36-0x000002143CD20000-0x000002143CD21000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 d475ad3f3e32d0c0ac429ccbe2a70582
SHA1 b3124dbb48c42d35b94712614963f93514d40cbb
SHA256 c1d34fe5ced03ab025ce20043f030149c522d73496791660f5df7110550575ba
SHA512 a0a2760ab868e7b4efc118bea1a6def4d3e878687789f61ea0e8bea9a60e0e163b9e4ca19b8595927aeab77aa03c9c87125216ca30a0ea6e438ee4eba1edb766

memory/1288-41-0x000002143E7C0000-0x000002143E7D0000-memory.dmp

memory/1288-47-0x000002143E7F0000-0x000002143E800000-memory.dmp

memory/1288-46-0x000002143E7E0000-0x000002143E7F0000-memory.dmp

memory/1288-45-0x000002143E7D0000-0x000002143E7E0000-memory.dmp

memory/1288-40-0x000002143E7B0000-0x000002143E7C0000-memory.dmp

memory/1288-39-0x000002143E7A0000-0x000002143E7B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1730607380598.tmp

MD5 8c65d5456bcd4e07d64e87b856ffb2b2
SHA1 81ec28c78875d17f08603b427b7783c0cc55bb80
SHA256 74148c3575a944b44668549c4a25c9a02a822b464c70c20d91cef1866fd54e9c
SHA512 6b3a424eb3f83308400007020bd81d71b60b7c6b15cdf5a1e45d53ab7cc343eb66de5077492686f582025c790a496804b8e6a36d49574ed9292fb3be0cf1178e

memory/1572-72-0x0000024A695C0000-0x0000024A695C1000-memory.dmp

memory/1572-79-0x0000024A695C0000-0x0000024A695C1000-memory.dmp

memory/1288-83-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1572-97-0x0000024A695C0000-0x0000024A695C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4249425805-3408538557-1766626484-1000\83aa4cc77f591dfc2374580bbd95f6ba_02510207-a8a1-401b-a8b2-969e44fe3fef

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/1572-106-0x0000024A695C0000-0x0000024A695C1000-memory.dmp

memory/1288-107-0x000002143E510000-0x000002143E780000-memory.dmp

memory/1572-110-0x0000024A695C0000-0x0000024A695C1000-memory.dmp

memory/1572-111-0x0000024A6AE80000-0x0000024A6B0F0000-memory.dmp

memory/1288-115-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-118-0x000002143E780000-0x000002143E790000-memory.dmp

memory/1288-119-0x000002143E790000-0x000002143E7A0000-memory.dmp

memory/1572-122-0x0000024A695C0000-0x0000024A695C1000-memory.dmp

memory/1288-126-0x000002143E7A0000-0x000002143E7B0000-memory.dmp

memory/1288-128-0x000002143E7C0000-0x000002143E7D0000-memory.dmp

memory/1288-127-0x000002143E7B0000-0x000002143E7C0000-memory.dmp

memory/1288-136-0x000002143E7E0000-0x000002143E7F0000-memory.dmp

memory/1288-137-0x000002143E7F0000-0x000002143E800000-memory.dmp

memory/1288-166-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1572-172-0x0000024A695C0000-0x0000024A695C1000-memory.dmp

memory/1288-181-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-185-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-187-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-195-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-198-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-200-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-210-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-209-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-222-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/1288-221-0x000002143CD20000-0x000002143CD21000-memory.dmp

memory/4280-227-0x00007FFEF8230000-0x00007FFEF8240000-memory.dmp

memory/4280-229-0x00007FFEF8230000-0x00007FFEF8240000-memory.dmp

memory/4280-228-0x00007FFEF8230000-0x00007FFEF8240000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b20aad2670a5609512adb693ed6d378a
SHA1 d73f1650fc40c5e821d739a0cb1dfa39a7260832
SHA256 09797f593ff738891a54b2a55caed74038493183cbe4ca0249df85edb3b3479c
SHA512 1a49d7fe03e6652491f4e8d6f23a3360db6e030644f3a71ad23c058ac7a945a67c247b6f2d4ab3e37344c8ca9566b63f5181a9e1ef9a406d3d40b5add64fe22e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 e7e25fd019cc589ec80081ae3eb1cd69
SHA1 5fd0baeee4a375c85c4ed1b226599b128892fe19
SHA256 82d59717a7755000c265d77e1adbd5d74b17d1fc86a391daa5fd0ad09efd4911
SHA512 b0be3e8a7802cacd413485adf2e4fb70a0b77678cf217165614044a2b79c487b04c07523bd9fcc2436d9bf4ed3b88ca9778307f08268e7d0d0938528e4c764ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 cabcf08a53dbb4e5ad107d23d12c791f
SHA1 1ff2298d7aeb346c85e67b2190c16c02e5ea99dd
SHA256 52dac7eaec9958c28454f6c94d81e0609cb4a5faff119045131db29c6b60ae89
SHA512 c9e568e25af15308d192c015eb6bf32f9881302d39c486a22bb4aebd11407157a9dc3cc16ee897ad0e477a7ce2358b7416771a5a08f72539aa800f90837d8fa2

C:\Users\Admin\AppData\Local\Temp\imageio8114762163680020574.tmp

MD5 814f5bbbce5210fc68661e8887ea8844
SHA1 69272975cc1b86b6bd2190de7df5a8cde859578a
SHA256 72f8fdc0bbf00859b5cc9a0e585fd56c98012229adc83b7c242acaba89600e84
SHA512 37c47173c0373c72d58f35b38d75688be4b7ecaa2792bb827cb724da87528c3abbdcf645c9d8418afac9ac4ac44fd3df329d26c1a1c7bc63e93e733c1af5dcb6

C:\Users\Admin\AppData\Local\Temp\imageio3081979267321781896.tmp

MD5 50affb41a526e6d58b24afc6664a8f33
SHA1 6d4c60a5965dd9f0df868c3def14625c56eb4a73
SHA256 f8307cf2f5bb19216e089bc23371f414ed3a299569e0c92e5daf1b3d76197e0a
SHA512 653bd409b83a845a5384e05fe2be659660b52f6b2bb95ba004d08af581833278367f70c0a01e45c18881cc8c70b9ff29f8f7d08086a3cdf49f1bb3c33dbaa32a

C:\Users\Admin\.plugins\.libraries\jna70

MD5 b22ef746fd14c702e5bd29b466c6312b
SHA1 19674f9167c56c0bbdaa3a4a48277b802e480000
SHA256 121f7a1d3aa9f538fd4710fd3a2175a7f062e1260d3e2df83752512a28f290d6
SHA512 0b1757fb6d17077b1046c73909623ddb180c6a02b872bcbb9aef40fceb9ed6ff268438e7cb62b9c5ce4c2fd944ea99cf4aa9d2d4b31d70806f1ba607fdb05b6e

C:\Users\Admin\AppData\Local\Temp\imageio8051290321402650827.tmp

MD5 7ae9e5ab7be7e000e3130959b10fd41f
SHA1 75ea22029f4e7b34cf7cb11846ccbcf952343c11
SHA256 15b62421835d8f439eb11095d522544a43de58f157e868c25eca080f96b0e951
SHA512 c7a3a3cb9bfa72319ece066b9ab3d0fa7606d61ae8919d5aa389593382f25960b64bd57e5002663b538a2a20a34a4da24f006a6d84224187e487a0c5c651764b

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 04:16

Reported

2024-11-03 04:46

Platform

macos-20240711.1-en

Max time kernel

839s

Max time network

1800s

Command Line

[xpcproxy com.apple.gkreport]

Signatures

JavaScript

execution
Description Indicator Process Target
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar "/Users/run/LK Rat.jar" N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer N/A N/A
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck N/A N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.gkreport]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemstats.daily]

/usr/libexec/gkreport

[/usr/libexec/gkreport]

/bin/sh

[sh -c sudo /bin/zsh -c "open /Users/run/LK\ Rat.jar"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Users/run/LK\ Rat.jar"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Users/run/LK\ Rat.jar]

/usr/bin/xar

[/usr/bin/xar -c -f dslocal-backup.xar dslocal]

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged

[/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged]

/usr/libexec/pkreporter

[/usr/libexec/pkreporter]

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd

[/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd]

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer

[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/bin/zsh

[/bin/zsh -c open /Users/run/LK\ Rat.jar]

/usr/bin/open

[open /Users/run/LK Rat.jar]

/usr/libexec/xpcproxy

[xpcproxy com.apple.JarLauncher.1532]

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher

[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/LK Rat.jar]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/jspawnhelper

[24:27]

/usr/bin/java

[java -jar /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/pULHfy922491553974830248.tmp]

/usr/libexec/xpcproxy

[xpcproxy com.apple.java.InstallOnDemand]

/System/Library/Java/Support/CoreDeploy.bundle/Contents/Download Java Components.app/Contents/MacOS/Download Java Components

[/System/Library/Java/Support/CoreDeploy.bundle/Contents/Download Java Components.app/Contents/MacOS/Download Java Components]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.diagnosticd]

/usr/libexec/diagnosticd

[/usr/libexec/diagnosticd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

Network

Country Destination Domain Proto
GB 184.85.51.234:443 tcp
US 8.8.8.8:53 12-courier.push.apple.com udp
US 8.8.8.8:53 itunes.apple.com udp
GB 23.219.192.23:443 itunes.apple.com tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 36-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 20.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 49-courier.push.apple.com udp
GB 2.18.109.84:443 tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 44-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 50.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 46-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 41-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 31-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 25.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 48.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 0-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 47.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 50.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 22.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 13-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 1.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 33-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 20.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 42-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 7.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 3-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 38.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 12.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 26-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 15.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 46.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 32.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 28-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 4-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 43.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 46.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 1.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 6-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 24-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 39.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 15.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 28.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 27-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 44.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 31.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 8.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 7.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 11.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 0.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 39.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 29-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 10-courier.push.apple.com udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 30-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 43.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 7.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 44.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 25.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 11.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 43.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 0.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 27.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 17.courier-push-apple.com.akadns.net udp
GB 17.57.146.154:5223 0.courier-push-apple.com.akadns.net tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 34.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 29.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 5-courier.push.apple.com udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 local udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
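The table above is several hundred rows of which nearly all are either repeated TCP connections to 147.185.221.19:45197 (19.ip.gl.ply.gg) or DNS lookups from the sandbox image itself. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in the report's "Country Destination Domain Proto" layout (with or without a domain column), collapses repeats, drops what is assumed to be sandbox background traffic, and ranks the remaining TCP destinations by connection count. Two analyst assumptions are built in and labelled in the code: the Apple push (courier) and mDNS/DNS-SD rows are treated as noise from the image rather than the sample, and ply.gg is treated as the playit.gg tunnel domain. The sample rows are a constructed subset of the table, not the full set.

```python
"""Summarise a sandbox network table and rank likely C2 beacons.

Added example for this report, not sandbox code. Reads rows in the
report's "Country Destination Domain Proto" layout, collapses repeats,
separates sandbox background traffic from sample-attributable traffic
and ranks the remaining TCP destinations by connection count.
"""
import re
from collections import defaultdict

# Constructed subset of the report's rows (the real table is several
# hundred lines long; these are representative, not the full set).
SAMPLE_ROWS = """\
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 20.courier-push-apple.com.akadns.net udp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 49-courier.push.apple.com udp
GB 2.18.109.84:443 tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
GB 17.57.146.154:5223 0.courier-push-apple.com.akadns.net tcp
US 147.185.221.19:45197 19.ip.gl.ply.gg tcp
"""

# Country, ip:port, optional domain, proto. The domain column is absent
# on rows such as "GB 2.18.109.84:443 tcp", so it is optional here.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumption: traffic matching these patterns comes from the sandbox image
# itself (Apple push client, mDNS/DNS-SD), not from the sample.
NOISE_DOMAIN_RE = re.compile(
    r"(courier\.push\.apple\.com|courier-push-apple\.com\.akadns\.net)$"
    r"|_dns-sd\._udp\.|^local$"
)
NOISE_DESTS = {("224.0.0.251", 5353)}

# Assumption: analyst-maintained list of tunnel/relay domains that RATs
# commonly sit behind; ply.gg is the playit.gg tunnelling service.
TUNNEL_SUFFIXES = ("ply.gg",)


def parse_rows(text):
    """Parse report rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def is_noise(row):
    """True for rows attributed to the sandbox image rather than the sample."""
    if (row["ip"], row["port"]) in NOISE_DESTS:
        return True
    return bool(row["domain"] and NOISE_DOMAIN_RE.search(row["domain"]))


def summarize(rows):
    """Collapse repeated non-noise rows into one entry per (ip, port, proto)."""
    summary = defaultdict(lambda: {"count": 0, "domains": set()})
    for r in rows:
        if is_noise(r):
            continue
        key = (r["ip"], r["port"], r["proto"])
        summary[key]["count"] += 1
        if r["domain"]:
            summary[key]["domains"].add(r["domain"])
    return dict(summary)


def beacon_candidates(rows, min_connections=3):
    """Rank repeated TCP destinations, folding in the DNS lookups that
    resolved the same hostname so the beacon and its resolution stay together."""
    summary = summarize(rows)
    dns_lookups = defaultdict(int)
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            dns_lookups[r["domain"]] += 1
    out = []
    for (ip, port, proto), info in summary.items():
        if proto != "tcp" or info["count"] < min_connections:
            continue
        domains = sorted(info["domains"])
        out.append({
            "dest": f"{ip}:{port}",
            "domains": domains,
            "connections": info["count"],
            "dns_lookups": sum(dns_lookups[d] for d in domains),
            "tunnel_service": any(d.endswith(s) for d in domains for s in TUNNEL_SUFFIXES),
        })
    out.sort(key=lambda c: c["connections"], reverse=True)
    return out


if __name__ == "__main__":
    for c in beacon_candidates(parse_rows(SAMPLE_ROWS)):
        print(c)
```

On the constructed subset this yields a single candidate, 147.185.221.19:45197 via 19.ip.gl.ply.gg, flagged as a tunnel-service host; run against the full table the count is simply larger. The single-connection HTTPS row to 2.18.109.84 drops below the threshold and the Apple push connection on 5223 is discarded as image noise, which is the point of the filter: a tunnel-relay hostname contacted hundreds of times on a high port is the indicator worth blocking, not the surrounding DNS chatter.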

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-03 04:16

Reported

2024-11-03 04:16

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

0s

Max time network

1s

Command Line

[/tmp/LK Rat.jar]

Signatures

N/A

Processes

/tmp/LK Rat.jar

[/tmp/LK Rat.jar]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A