quasar | 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Size

3.3MB
MD5

f29f701e76e3a435acdd474a41fa60ba
SHA1

10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512

0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9
SSDEEP

49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez3452-33187.portmap.host:33187

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1912-1-0x0000000000990000-0x0000000000CDE000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023be2-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 15 IoCs

pid	Process
8	java.exe
4624	java.exe
3252	java.exe
4344	java.exe
2564	java.exe
3980	java.exe
3828	java.exe
1344	java.exe
4720	java.exe
2064	java.exe
3248	java.exe
2080	java.exe
2024	java.exe
3888	java.exe
2544	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
716	PING.EXE
3388	PING.EXE
3508	PING.EXE
2728	PING.EXE
3572	PING.EXE
4408	PING.EXE
1960	PING.EXE
5108	PING.EXE
2196	PING.EXE
4224	PING.EXE
4744	PING.EXE
4616	PING.EXE
400	PING.EXE
5064	PING.EXE
5064	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3572	PING.EXE
716	PING.EXE
4616	PING.EXE
5064	PING.EXE
4224	PING.EXE
5108	PING.EXE
4744	PING.EXE
2196	PING.EXE
4408	PING.EXE
1960	PING.EXE
400	PING.EXE
3388	PING.EXE
3508	PING.EXE
5064	PING.EXE
2728	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4324	schtasks.exe
368	schtasks.exe
2492	schtasks.exe
1676	schtasks.exe
1848	schtasks.exe
1032	schtasks.exe
5068	schtasks.exe
4184	schtasks.exe
4532	schtasks.exe
1848	schtasks.exe
3864	schtasks.exe
4932	schtasks.exe
4140	schtasks.exe
3600	schtasks.exe
3120	schtasks.exe
4024	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Token: SeDebugPrivilege	8	java.exe
Token: SeDebugPrivilege	4624	java.exe
Token: SeDebugPrivilege	3252	java.exe
Token: SeDebugPrivilege	4344	java.exe
Token: SeDebugPrivilege	2564	java.exe
Token: SeDebugPrivilege	3980	java.exe
Token: SeDebugPrivilege	3828	java.exe
Token: SeDebugPrivilege	1344	java.exe
Token: SeDebugPrivilege	4720	java.exe
Token: SeDebugPrivilege	2064	java.exe
Token: SeDebugPrivilege	3248	java.exe
Token: SeDebugPrivilege	2080	java.exe
Token: SeDebugPrivilege	2024	java.exe
Token: SeDebugPrivilege	3888	java.exe
Token: SeDebugPrivilege	2544	java.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
8	java.exe
4624	java.exe
3252	java.exe
4344	java.exe
2564	java.exe
3980	java.exe
3828	java.exe
1344	java.exe
4720	java.exe
2064	java.exe
3248	java.exe
2080	java.exe
2024	java.exe
3888	java.exe
2544	java.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
8	java.exe
4624	java.exe
3252	java.exe
4344	java.exe
2564	java.exe
3980	java.exe
3828	java.exe
1344	java.exe
4720	java.exe
2064	java.exe
3248	java.exe
2080	java.exe
2024	java.exe
3888	java.exe
2544	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1848	1912	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	83
PID 1912 wrote to memory of 1848	1912	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	83
PID 1912 wrote to memory of 8	1912	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	85
PID 1912 wrote to memory of 8	1912	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	85
PID 8 wrote to memory of 368	8	java.exe	86
PID 8 wrote to memory of 368	8	java.exe	86
PID 8 wrote to memory of 1380	8	java.exe	88
PID 8 wrote to memory of 1380	8	java.exe	88
PID 1380 wrote to memory of 2564	1380	cmd.exe	90
PID 1380 wrote to memory of 2564	1380	cmd.exe	90
PID 1380 wrote to memory of 3572	1380	cmd.exe	91
PID 1380 wrote to memory of 3572	1380	cmd.exe	91
PID 1380 wrote to memory of 4624	1380	cmd.exe	104
PID 1380 wrote to memory of 4624	1380	cmd.exe	104
PID 4624 wrote to memory of 4140	4624	java.exe	105
PID 4624 wrote to memory of 4140	4624	java.exe	105
PID 4624 wrote to memory of 4152	4624	java.exe	108
PID 4624 wrote to memory of 4152	4624	java.exe	108
PID 4152 wrote to memory of 1804	4152	cmd.exe	110
PID 4152 wrote to memory of 1804	4152	cmd.exe	110
PID 4152 wrote to memory of 4408	4152	cmd.exe	111
PID 4152 wrote to memory of 4408	4152	cmd.exe	111
PID 4152 wrote to memory of 3252	4152	cmd.exe	113
PID 4152 wrote to memory of 3252	4152	cmd.exe	113
PID 3252 wrote to memory of 1032	3252	java.exe	114
PID 3252 wrote to memory of 1032	3252	java.exe	114
PID 3252 wrote to memory of 2508	3252	java.exe	117
PID 3252 wrote to memory of 2508	3252	java.exe	117
PID 2508 wrote to memory of 2132	2508	cmd.exe	119
PID 2508 wrote to memory of 2132	2508	cmd.exe	119
PID 2508 wrote to memory of 716	2508	cmd.exe	120
PID 2508 wrote to memory of 716	2508	cmd.exe	120
PID 2508 wrote to memory of 4344	2508	cmd.exe	124
PID 2508 wrote to memory of 4344	2508	cmd.exe	124
PID 4344 wrote to memory of 3600	4344	java.exe	126
PID 4344 wrote to memory of 3600	4344	java.exe	126
PID 4344 wrote to memory of 2788	4344	java.exe	129
PID 4344 wrote to memory of 2788	4344	java.exe	129
PID 2788 wrote to memory of 384	2788	cmd.exe	131
PID 2788 wrote to memory of 384	2788	cmd.exe	131
PID 2788 wrote to memory of 1960	2788	cmd.exe	132
PID 2788 wrote to memory of 1960	2788	cmd.exe	132
PID 2788 wrote to memory of 2564	2788	cmd.exe	134
PID 2788 wrote to memory of 2564	2788	cmd.exe	134
PID 2564 wrote to memory of 3120	2564	java.exe	135
PID 2564 wrote to memory of 3120	2564	java.exe	135
PID 2564 wrote to memory of 4568	2564	java.exe	138
PID 2564 wrote to memory of 4568	2564	java.exe	138
PID 4568 wrote to memory of 3084	4568	cmd.exe	140
PID 4568 wrote to memory of 3084	4568	cmd.exe	140
PID 4568 wrote to memory of 4616	4568	cmd.exe	141
PID 4568 wrote to memory of 4616	4568	cmd.exe	141
PID 4568 wrote to memory of 3980	4568	cmd.exe	143
PID 4568 wrote to memory of 3980	4568	cmd.exe	143
PID 3980 wrote to memory of 4024	3980	java.exe	144
PID 3980 wrote to memory of 4024	3980	java.exe	144
PID 3980 wrote to memory of 3992	3980	java.exe	147
PID 3980 wrote to memory of 3992	3980	java.exe	147
PID 3992 wrote to memory of 5040	3992	cmd.exe	149
PID 3992 wrote to memory of 5040	3992	cmd.exe	149
PID 3992 wrote to memory of 400	3992	cmd.exe	150
PID 3992 wrote to memory of 400	3992	cmd.exe	150
PID 3992 wrote to memory of 3828	3992	cmd.exe	153
PID 3992 wrote to memory of 3828	3992	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
"C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1848
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMqVidlDbuTm.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2564
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3572
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwRr8dq5C85G.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1804
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4408
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6lqKVBMhYiXZ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6uXe3hDBFYyi.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MU4HHtbNuPzS.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4616
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWVJBj8J03Br.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9qRwi6JsT8wR.bat" "
        15⤵
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5108
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cHkI9EU8ATib.bat" "
        17⤵
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4720
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuYxU24Kw1he.bat" "
        19⤵
        
        PID:820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5064
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o6r2kxH2KfQY.bat" "
        21⤵
        
        PID:1160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3388
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w23YnMcedpS8.bat" "
        23⤵
        
        PID:4176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CW0IF9pS9Lqr.bat" "
        25⤵
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIq0oHWvq6Zp.bat" "
        27⤵
        
        PID:4540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KLiSGWIlZGAN.bat" "
        29⤵
        
        PID:4712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:5016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5064
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pi5ecY7AsKwC.bat" "
        31⤵
        
        PID:3092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\java.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6lqKVBMhYiXZ.bat

Filesize
211B

MD5
25ce4b6d9bc35edcc8bebf26688e57ca

SHA1
0843033f29d283187cc0a8cf109ae9ce17a982dd

SHA256
8156cc7a32aac4f9a5d6aed94b00524c08012d23d80c060d0f9ce7867fa8c5a7

SHA512
8294247ef70d4a51538f3f8a712d1886b64ac1d49c1504a086b0a4dd1a782c5e9a4f43944afe59f0046469e6b5de532b84b0e2db34f3a2ecacb7029cababec14

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uXe3hDBFYyi.bat

Filesize
211B

MD5
aed140ce7171ad349b046d091594f475

SHA1
a2832e899d49a08317db82cc7a1c8994b3c1501e

SHA256
292435f50a4e8fc5b8eb0bfa0d4813c7f885cc98a0bb46b4183eb614dadf618f

SHA512
83a27a932f7805659e15059bd531c337d4bcd58d887960360d2574c31ed5ccbd1cbabb6606502db914dad2a52a3de6d809d6dd6681bc5c939a3f513fa16bb3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9qRwi6JsT8wR.bat

Filesize
211B

MD5
bae8c9b6ee8e55f6f2f0d023453c744d

SHA1
9c00f1b208b6049c42f13bbd2e10d93c53f16237

SHA256
5f32f2063dcc57ebb693e2f49704db0bdb6eb21a9b5d8a1558386f33d6ebffbe

SHA512
6abcff82f30a0872e93bf2fb81679510bdfec9388d981b888ab1d0c835d141a9d2d2369377c2f4c83f6726b39c7226e63b427e59e8724ff10fe69d9dcc51b0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CW0IF9pS9Lqr.bat

Filesize
211B

MD5
1f7c1a7afd8934103dd583f5e13ca332

SHA1
6c5903eed6918d5ae608e5bac0ff5a89ba5f0b55

SHA256
d690badfc3b8e7e0044fbc3fe8f9609b8a7603f8de72b795ba3ce32faf9489e6

SHA512
4008aab354b00af8c1a6041335737b63ae18a17f171d00978c133057a0c3d0317947fa31a57db8aef306f92d82575ca56dba7c379d558c88bf957c91edc43f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLiSGWIlZGAN.bat

Filesize
211B

MD5
e4edddf5574bd51b1aabf36721b1c96e

SHA1
5b3e5509d3a0a5fe8bd63759e9a98130f0980872

SHA256
c0416a68b031ba01a7b0c1a34f49eddf6ef302b250cfa3994477cfbba0655528

SHA512
18176608aaa5bfa3fd871ec26024b80ed3d78715bb781cf367208cabe245429eb611169f9cff97fd28f7439d873279abf2e8c1ea3f9fda5d9d5a1e1eaf2ccc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MU4HHtbNuPzS.bat

Filesize
211B

MD5
69e9658876f4f0e39707aea4abbce7db

SHA1
7d71dc819825404c424c536cc6ee29094c06e94c

SHA256
dcce537d97ac78c796159c1038585e78dc931cba1e9002311691a7794e2545ea

SHA512
f54538bd5886139e6b1f74409b3a552e03adea31078105c5eae98318e02696207bd49629decb53a903d023bd7f60040f9d30161417bbeb9d42ec30ce51102040

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWVJBj8J03Br.bat

Filesize
211B

MD5
adb914549798be0faef798188b31b696

SHA1
40201083a5f323e0a65ffe52fb6cf7babdd720ec

SHA256
5d92b71df67feeb0aa51e7af68ea5d78ed02842ba6c4b5f00d4d6b27f97a2dff

SHA512
bd7dc3f37ec3528efacb82d8e717d00994fd145290d0c93f6ae4f8cde07f4dd25e9315edf36f974a596f70a7238647aac940d80d52648a5b36f048d35ef3641c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuYxU24Kw1he.bat

Filesize
211B

MD5
b23659d2bc852a3a2aef12b52ba0ae9e

SHA1
dfbd107f40f66569293fe6dc727532c0178a0d74

SHA256
99f5c59c014bd9155f2faa45ee0594ae2bd8973dddc673e3d5233ce8632f2a6b

SHA512
9271d5ee80724f67779c1060bae9a8d18b569f3bbdebb4012563b881c8b23a46c6bf09220b9fbd893b005d1c71290abce80dd1e8bb41ebb0d9e25d0ce58f4f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwRr8dq5C85G.bat

Filesize
211B

MD5
b90bdb550feb137b6dd34fb6b04b8b88

SHA1
f28eab7d6cd1b0b5d229aa72bf33da69ac2a9482

SHA256
9f80bad4924e59a8beb7213f8e3c081f58faeb1af980efbacba139791e76fc66

SHA512
e092588fbca8f4f8962da60e9ff871bbcde86ece31813f5026daf78db944cf39c0d54f73b6896f40a1d23a7d1643e9cbeff0435de406323f4518aed86a40ac1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHkI9EU8ATib.bat

Filesize
211B

MD5
aa8d7a0085cc17fe5ff854606c13ada6

SHA1
84aa724bbaf4fc5a13e2c4f5c42dad5365da6d82

SHA256
e521cf0c34d0996047eaf977841b23b9bdbe9d8abcb6c4e4235d92fd63aeb1fe

SHA512
6e99e3f7dc4efdd8f18920f9cc9dfc08c39769b28fd849b956ab736b209969541242a6eaab516c5f9f53b3d1e415e0158b5b0339970685aef70a6837fedb0db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIq0oHWvq6Zp.bat

Filesize
211B

MD5
e7e019dddf453a2a2fa484c922e07fe9

SHA1
2ea5722bd6bbcf0de5620a5dfe8ae80c56d7e14f

SHA256
2d6725db5afc1e2855e0154b44cb2a00eb2730e73438bca7a5a71b0c023be6f2

SHA512
c996fc7b6ae7373d7f771890af4c0a958b6d4a03cf85535e9775591c7a520435ad883b773f2e9637f63d1a7846a4bf142d0aa897297cd540f4ecdd386b6bc5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6r2kxH2KfQY.bat

Filesize
211B

MD5
68006e655063a7931a935a913b35647b

SHA1
b649c240990a8447e15ca13aca0c54dfd4ee8565

SHA256
fbdc54c2df4a223092327226266d44750a638960c56eb0739e3c79ee1813bd99

SHA512
a05aa9202ab3d1eab7aee79fb4851a6d82033d4c0a81ef573dab5e5e5f0f03efc634946201e185e8ce0114b6548dc9d825b54838a1b458a36b21ba99ff38be90

Download Submit
C:\Users\Admin\AppData\Local\Temp\pi5ecY7AsKwC.bat

Filesize
211B

MD5
46f0b50d3cc1e2658df760328b04ab6b

SHA1
274decb586710df7fa929b6210b515f8e4567eec

SHA256
82df44a2cbcec64815d843617656cbeb76eea9cc0e43895e468c488bfc2ea3a9

SHA512
118552ba9913981e5454184482e1271ea92026f5ea9ea4558f90c73b6ad2d2e52c316fbe6aa9711bb8d315fd6c52a81457290964f314fd92d84ebb8bcca73eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMqVidlDbuTm.bat

Filesize
211B

MD5
9702fce6d7a2c157feb47eac73be97d9

SHA1
0f95874d134350189d687099d07e4dfb76055102

SHA256
d1760db21d6a2189aac982f0e6f81aa035adb67f756dea9b04eb357305ef22dd

SHA512
ebe3377968fea28beccf93b62e406d03e31652d5459be44fe7062d2e9684b9b003a861fa53cb69b1e0c0b2fbcd52111dffd6170156e4bb43dbecd7e94b7ba706

Download Submit
C:\Users\Admin\AppData\Local\Temp\w23YnMcedpS8.bat

Filesize
211B

MD5
65dc113e34b0180bfba099ec1a4f84f9

SHA1
21c13724dea8c294ef23ea33d0e308662dd9695c

SHA256
315782f399449a0e07065c8421bc15e439e008caa7f3487541b7d3c549ffbd28

SHA512
70c900dc344c1b24a464d65424098aae0fea1d6ad252cc1ecac59a8e53b2a800b2722bfc26a0bae85b84122b09994629f3546ea4a445964e712b381143e46595

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
f29f701e76e3a435acdd474a41fa60ba

SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478

SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9

Download Submit
memory/8-12-0x000000001B540000-0x000000001B590000-memory.dmp

Filesize
320KB

Download
memory/8-10-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/8-11-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/8-13-0x000000001BEC0000-0x000000001BF72000-memory.dmp

Filesize
712KB

Download
memory/8-18-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/1912-0-0x00007FFE236D3000-0x00007FFE236D5000-memory.dmp

Filesize
8KB

Download
memory/1912-9-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/1912-2-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/1912-1-0x0000000000990000-0x0000000000CDE000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads