Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 06:31
Behavioral task: behavioral1
Sample: Java32.exe
Resource: win7-20241010-en
General

Target: Java32.exe
Size: 3.3MB
MD5: bc884c0edbc8df559985b42fdd2fc985
SHA1: 9611a03c424e0285ab1a8ea9683918ce7b5909ab
SHA256: e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270
SHA512: 1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc
SSDEEP: 49152:BvmI22SsaNYfdPBldt698dBcjHideEErHFk/uVSoGdf3THHB72eh2NT:Bvr22SsaNYfdPBldt6+dBcjHidel8
Malware Config

Extracted

Family: quasar
Version: 1.4.1
Botnet: Java
C2: dez345-37245.portmap.host:37245
Mutex: f0e53bcd-851e-44af-8fd5-07d8ab5ed968

encryption_key: 65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name: java.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: java ©
subdirectory: Programfiles
Signatures

Quasar family

Quasar payload (2 IoCs)
resource                                                                    yara_rule
behavioral2/memory/2180-1-0x0000000000380000-0x00000000006CE000-memory.dmp  family_quasar
behavioral2/files/0x0007000000023c9a-6.dat                                  family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  java.exe
(listed 15 times, once for each java.exe process)

Executes dropped EXE (15 IoCs)
pid   Process
4608  java.exe
3528  java.exe
5020  java.exe
1012  java.exe
2956  java.exe
3812  java.exe
4836  java.exe
5012  java.exe
2704  java.exe
1904  java.exe
4616  java.exe
4272  java.exe
396   java.exe
2900  java.exe
1276  java.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
1920  PING.EXE
4476  PING.EXE
4748  PING.EXE
116   PING.EXE
2216  PING.EXE
4192  PING.EXE
4176  PING.EXE
2908  PING.EXE
3388  PING.EXE
2940  PING.EXE
3916  PING.EXE
3972  PING.EXE
4824  PING.EXE
3500  PING.EXE
3348  PING.EXE

Runs ping.exe (1 TTP, 15 IoCs)
pid   Process
4192  PING.EXE
4748  PING.EXE
4176  PING.EXE
2908  PING.EXE
4824  PING.EXE
3500  PING.EXE
2940  PING.EXE
116   PING.EXE
2216  PING.EXE
4476  PING.EXE
3388  PING.EXE
1920  PING.EXE
3916  PING.EXE
3348  PING.EXE
3972  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
988   schtasks.exe
4980  schtasks.exe
4612  schtasks.exe
3856  schtasks.exe
4260  schtasks.exe
2144  schtasks.exe
4284  schtasks.exe
4444  schtasks.exe
4832  schtasks.exe
4448  schtasks.exe
5108  schtasks.exe
4736  schtasks.exe
4724  schtasks.exe
4308  schtasks.exe
4300  schtasks.exe
4992  schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2180  Java32.exe
Token: SeDebugPrivilege  4608  java.exe
Token: SeDebugPrivilege  3528  java.exe
Token: SeDebugPrivilege  5020  java.exe
Token: SeDebugPrivilege  1012  java.exe
Token: SeDebugPrivilege  2956  java.exe
Token: SeDebugPrivilege  3812  java.exe
Token: SeDebugPrivilege  4836  java.exe
Token: SeDebugPrivilege  5012  java.exe
Token: SeDebugPrivilege  2704  java.exe
Token: SeDebugPrivilege  1904  java.exe
Token: SeDebugPrivilege  4616  java.exe
Token: SeDebugPrivilege  4272  java.exe
Token: SeDebugPrivilege  396   java.exe
Token: SeDebugPrivilege  2900  java.exe
Token: SeDebugPrivilege  1276  java.exe

Suspicious use of FindShellTrayWindow (15 IoCs)
pid   Process
4608  java.exe
3528  java.exe
5020  java.exe
1012  java.exe
2956  java.exe
3812  java.exe
4836  java.exe
5012  java.exe
2704  java.exe
1904  java.exe
4616  java.exe
4272  java.exe
396   java.exe
2900  java.exe
1276  java.exe

Suspicious use of SendNotifyMessage (15 IoCs)
pid   Process
4608  java.exe
3528  java.exe
5020  java.exe
1012  java.exe
2956  java.exe
3812  java.exe
4836  java.exe
5012  java.exe
2704  java.exe
1904  java.exe
4616  java.exe
4272  java.exe
396   java.exe
2900  java.exe
1276  java.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4608  java.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Java32.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\Java32.exe"
PID: 2180
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4736
- Scheduled Task/Job: Scheduled Task

[depth 2] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 4608
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4444
- Scheduled Task/Job: Scheduled Task

[depth 3] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xdOm4jUCaRrh.bat" "
PID: 1244
- Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 3356

[depth 4] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 4192
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 4] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 3528
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4724
- Scheduled Task/Job: Scheduled Task

[depth 5] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXpN2gabX9tk.bat" "
PID: 4068
- Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 828

[depth 6] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 4748
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 6] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 5020
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4832
- Scheduled Task/Job: Scheduled Task

[depth 7] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nubSkf0SrQEx.bat" "
PID: 2636
- Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 4360

[depth 8] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 3916
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 8] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 1012
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 988
- Scheduled Task/Job: Scheduled Task

[depth 9] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMk5AUx30wds.bat" "
PID: 2504
- Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 208

[depth 10] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 116
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 10] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 2956
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4308
- Scheduled Task/Job: Scheduled Task

[depth 11] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4h6UG2YqxcSl.bat" "
PID: 2600
- Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1432

[depth 12] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 2216
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 12] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 3812
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4260
- Scheduled Task/Job: Scheduled Task

[depth 13] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QDNKXXzEzzwq.bat" "
PID: 1844
- Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 2112

[depth 14] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 4176
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 14] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 4836
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 15] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4980
- Scheduled Task/Job: Scheduled Task

[depth 15] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iDeZ2mSOpkVb.bat" "
PID: 2924

[depth 16] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 4428

[depth 16] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 4476
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 16] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 5012
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 17] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4612
- Scheduled Task/Job: Scheduled Task

[depth 17] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKdl7dEiK0nz.bat" "
PID: 1800

[depth 18] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 3220

[depth 18] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 3348
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 18] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 2704
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 19] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 2144
- Scheduled Task/Job: Scheduled Task

[depth 19] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWgCBhRE4xvD.bat" "
PID: 1412

[depth 20] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1696

[depth 20] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 3972
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 20] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 1904
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 21] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4448
- Scheduled Task/Job: Scheduled Task

[depth 21] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7qG58GGHLDf9.bat" "
PID: 1504

[depth 22] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 4968

[depth 22] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 2908
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 22] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 4616
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 23] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4300
- Scheduled Task/Job: Scheduled Task

[depth 23] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieqwswIZ4NVn.bat" "
PID: 1128

[depth 24] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 2256

[depth 24] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 3388
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 24] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 4272
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 25] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 5108
- Scheduled Task/Job: Scheduled Task

[depth 25] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGoLtMvghMSH.bat" "
PID: 672

[depth 26] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1664

[depth 26] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 4824
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 26] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 396
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 27] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4992
- Scheduled Task/Job: Scheduled Task

[depth 27] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VynZsGEZXkjH.bat" "
PID: 2540

[depth 28] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1240

[depth 28] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 1920
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 28] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 2900
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 29] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 4284
- Scheduled Task/Job: Scheduled Task

[depth 29] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aR29bYjYYd1p.bat" "
PID: 1160

[depth 30] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 3604

[depth 30] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 3500
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[depth 30] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
PID: 1276
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[depth 31] C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
PID: 3856
- Scheduled Task/Job: Scheduled Task

[depth 31] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z90uFtDPzHrl.bat" "
PID: 5088

[depth 32] C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 4648

[depth 32] C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 2940
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads