Analysis
- max time kernel: 143s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2024 06:31
Behavioral task
- behavioral1
  - Sample: Java32.exe
  - Resource: win7-20241010-en
General
- Target: Java32.exe
- Size: 3.3MB
- MD5: bc884c0edbc8df559985b42fdd2fc985
- SHA1: 9611a03c424e0285ab1a8ea9683918ce7b5909ab
- SHA256: e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270
- SHA512: 1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc
- SSDEEP: 49152:BvmI22SsaNYfdPBldt698dBcjHideEErHFk/uVSoGdf3THHB72eh2NT:Bvr22SsaNYfdPBldt6+dBcjHidel8
Malware Config
Extracted
- quasar 1.4.1
- Java
- dez345-37245.portmap.host:37245
- f0e53bcd-851e-44af-8fd5-07d8ab5ed968
- encryption_key: 65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
- install_name: java.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: java ©
- subdirectory: Programfiles
Signatures
- Quasar family
- Quasar payload (12 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2676-1-0x0000000000330000-0x000000000067E000-memory.dmp: family_quasar
  - behavioral1/files/0x0008000000016c53-6.dat: family_quasar
  - behavioral1/memory/1800-9-0x0000000000810000-0x0000000000B5E000-memory.dmp: family_quasar
  - behavioral1/memory/2908-23-0x0000000000A10000-0x0000000000D5E000-memory.dmp: family_quasar
  - behavioral1/memory/1116-34-0x0000000001130000-0x000000000147E000-memory.dmp: family_quasar
  - behavioral1/memory/1688-66-0x0000000000310000-0x000000000065E000-memory.dmp: family_quasar
  - behavioral1/memory/1444-78-0x0000000001080000-0x00000000013CE000-memory.dmp: family_quasar
  - behavioral1/memory/2804-89-0x0000000000250000-0x000000000059E000-memory.dmp: family_quasar
  - behavioral1/memory/2588-100-0x0000000000890000-0x0000000000BDE000-memory.dmp: family_quasar
  - behavioral1/memory/2580-112-0x0000000000BC0000-0x0000000000F0E000-memory.dmp: family_quasar
  - behavioral1/memory/2104-123-0x0000000000CA0000-0x0000000000FEE000-memory.dmp: family_quasar
  - behavioral1/memory/2508-165-0x00000000000A0000-0x00000000003EE000-memory.dmp: family_quasar
- Executes dropped EXE (15 IoCs)
  pid / Process: 1800 java.exe, 2908 java.exe, 1116 java.exe, 2936 java.exe, 2776 java.exe, 1688 java.exe, 1444 java.exe, 2804 java.exe, 2588 java.exe, 2580 java.exe, 2104 java.exe, 1764 java.exe, 296 java.exe, 2492 java.exe, 2508 java.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid / Process: 1212 PING.EXE, 2956 PING.EXE, 948 PING.EXE, 1592 PING.EXE, 2872 PING.EXE, 1592 PING.EXE, 1376 PING.EXE, 2152 PING.EXE, 2860 PING.EXE, 1708 PING.EXE, 2600 PING.EXE, 2360 PING.EXE, 1420 PING.EXE, 2032 PING.EXE, 2220 PING.EXE
- Runs ping.exe (1 TTPs, 15 IoCs)
  pid / Process: 2152 PING.EXE, 2600 PING.EXE, 2860 PING.EXE, 2032 PING.EXE, 1708 PING.EXE, 948 PING.EXE, 2220 PING.EXE, 2360 PING.EXE, 1212 PING.EXE, 2956 PING.EXE, 1592 PING.EXE, 1592 PING.EXE, 2872 PING.EXE, 1420 PING.EXE, 1376 PING.EXE
- Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 332 schtasks.exe, 1552 schtasks.exe, 1468 schtasks.exe, 764 schtasks.exe, 2424 schtasks.exe, 2064 schtasks.exe, 1560 schtasks.exe, 2620 schtasks.exe, 1636 schtasks.exe, 2932 schtasks.exe, 2112 schtasks.exe, 856 schtasks.exe, 2100 schtasks.exe, 2796 schtasks.exe, 3044 schtasks.exe, 2044 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description: Token: SeDebugPrivilege
  pid / Process: 2676 Java32.exe, 1800 java.exe, 2908 java.exe, 1116 java.exe, 2936 java.exe, 2776 java.exe, 1688 java.exe, 1444 java.exe, 2804 java.exe, 2588 java.exe, 2580 java.exe, 2104 java.exe, 1764 java.exe, 296 java.exe, 2492 java.exe, 2508 java.exe
- Suspicious use of FindShellTrayWindow (15 IoCs)
  pid / Process: 1800 java.exe, 2908 java.exe, 1116 java.exe, 2936 java.exe, 2776 java.exe, 1688 java.exe, 1444 java.exe, 2804 java.exe, 2588 java.exe, 2580 java.exe, 2104 java.exe, 1764 java.exe, 296 java.exe, 2492 java.exe, 2508 java.exe
- Suspicious use of SendNotifyMessage (15 IoCs)
  pid / Process: 1800 java.exe, 2908 java.exe, 1116 java.exe, 2936 java.exe, 2776 java.exe, 1688 java.exe, 1444 java.exe, 2804 java.exe, 2588 java.exe, 2580 java.exe, 2104 java.exe, 1764 java.exe, 296 java.exe, 2492 java.exe, 2508 java.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process: 1800 java.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (each entry was recorded three times in the report unless noted):
  - PID 2676 Java32.exe wrote to memory of 2424 (procid_target 30)
  - PID 2676 Java32.exe wrote to memory of 1800 (procid_target 32)
  - PID 1800 java.exe wrote to memory of 2064 (procid_target 33)
  - PID 1800 java.exe wrote to memory of 2992 (procid_target 35)
  - PID 2992 cmd.exe wrote to memory of 2828 (procid_target 37)
  - PID 2992 cmd.exe wrote to memory of 2872 (procid_target 38)
  - PID 2992 cmd.exe wrote to memory of 2908 (procid_target 39)
  - PID 2908 java.exe wrote to memory of 2932 (procid_target 40)
  - PID 2908 java.exe wrote to memory of 2668 (procid_target 42)
  - PID 2668 cmd.exe wrote to memory of 2644 (procid_target 44)
  - PID 2668 cmd.exe wrote to memory of 2360 (procid_target 45)
  - PID 2668 cmd.exe wrote to memory of 1116 (procid_target 47)
  - PID 1116 java.exe wrote to memory of 1560 (procid_target 48)
  - PID 1116 java.exe wrote to memory of 1644 (procid_target 50)
  - PID 1644 cmd.exe wrote to memory of 1952 (procid_target 52)
  - PID 1644 cmd.exe wrote to memory of 1212 (procid_target 53)
  - PID 1644 cmd.exe wrote to memory of 2936 (procid_target 54)
  - PID 2936 java.exe wrote to memory of 2112 (procid_target 55)
  - PID 2936 java.exe wrote to memory of 2412 (procid_target 57)
  - PID 2412 cmd.exe wrote to memory of 320 (procid_target 59)
  - PID 2412 cmd.exe wrote to memory of 2956 (procid_target 60)
  - PID 2412 cmd.exe wrote to memory of 2776 (procid_target 61) (one entry; the list is capped at 64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Java32.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Java32.exe"
  PID: 2676
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2424
  - Scheduled Task/Job: Scheduled Task
[depth 2] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 1800
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2064
  - Scheduled Task/Job: Scheduled Task
[depth 3] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\xT6jAJ30dXZf.bat" "
  PID: 2992
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2828
[depth 4] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2872
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 4] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2908
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2932
  - Scheduled Task/Job: Scheduled Task
[depth 5] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LrHaGxnfxQbB.bat" "
  PID: 2668
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2644
[depth 6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2360
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 6] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 1116
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 1560
  - Scheduled Task/Job: Scheduled Task
[depth 7] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9e6ixYVvxYzQ.bat" "
  PID: 1644
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1952
[depth 8] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1212
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 8] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2936
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2112
  - Scheduled Task/Job: Scheduled Task
[depth 9] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wRR9zTOCEfb2.bat" "
  PID: 2412
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 320
[depth 10] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2956
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 10] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2776
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 11] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 332
  - Scheduled Task/Job: Scheduled Task
[depth 11] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4tC1srfDD1uI.bat" "
  PID: 1876
[depth 12] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2176
[depth 12] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2152
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 12] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 1688
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 13] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 856
  - Scheduled Task/Job: Scheduled Task
[depth 13] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\S3oguDwi68Hv.bat" "
  PID: 1580
[depth 14] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1960
[depth 14] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1420
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 14] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 1444
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 15] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2100
  - Scheduled Task/Job: Scheduled Task
[depth 15] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2GMQsKKKsC4w.bat" "
  PID: 2408
[depth 16] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2108
[depth 16] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1592
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 16] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2804
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 17] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2796
  - Scheduled Task/Job: Scheduled Task
[depth 17] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcDQdJ3EMk5o.bat" "
  PID: 2716
[depth 18] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2720
[depth 18] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2860
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 18] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2588
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 19] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2620
  - Scheduled Task/Job: Scheduled Task
[depth 19] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VZaTmRvoxy9W.bat" "
  PID: 2272
[depth 20] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2712
[depth 20] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2032
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 20] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2580
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 21] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 1552
  - Scheduled Task/Job: Scheduled Task
[depth 21] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zlTfK3SIPVz1.bat" "
  PID: 1948
[depth 22] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2924
[depth 22] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1376
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 22] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2104
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 23] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 1636
  - Scheduled Task/Job: Scheduled Task
[depth 23] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rdLgOjRM3J4R.bat" "
  PID: 852
[depth 24] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1032
[depth 24] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1708
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 24] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 1764
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 25] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 1468
  - Scheduled Task/Job: Scheduled Task
[depth 25] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aN9NpF9UI4Ft.bat" "
  PID: 564
[depth 26] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2152
[depth 26] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 948
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 26] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 296
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 27] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 764
  - Scheduled Task/Job: Scheduled Task
[depth 27] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\q6K00Ily7dJc.bat" "
  PID: 684
[depth 28] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3040
[depth 28] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2220
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 28] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2492
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 29] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 3044
  - Scheduled Task/Job: Scheduled Task
[depth 29] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JE320bMwvxnd.bat" "
  PID: 2444
[depth 30] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2552
[depth 30] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1592
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 30] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  PID: 2508
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 31] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  PID: 2044
  - Scheduled Task/Job: Scheduled Task
[depth 31] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QjRvs0BAyzA6.bat" "
  PID: 932
[depth 32] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2868
[depth 32] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2600
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads