quasar | e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270

Analysis

max time kernel
145s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
Size

3.3MB
MD5

bc884c0edbc8df559985b42fdd2fc985
SHA1

9611a03c424e0285ab1a8ea9683918ce7b5909ab
SHA256

e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270
SHA512

1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc
SSDEEP

49152:BvmI22SsaNYfdPBldt698dBcjHideEErHFk/uVSoGdf3THHB72eh2NT:Bvr22SsaNYfdPBldt6+dBcjHidel8

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez345-37245.portmap.host:37245

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2760-1-0x0000000000250000-0x000000000059E000-memory.dmp	family_quasar
behavioral1/files/0x0036000000016ca5-6.dat	family_quasar
behavioral1/memory/2852-10-0x0000000001060000-0x00000000013AE000-memory.dmp	family_quasar
behavioral1/memory/2992-33-0x0000000001210000-0x000000000155E000-memory.dmp	family_quasar
behavioral1/memory/1064-54-0x0000000000220000-0x000000000056E000-memory.dmp	family_quasar
behavioral1/memory/1964-65-0x0000000000270000-0x00000000005BE000-memory.dmp	family_quasar
behavioral1/memory/1540-76-0x0000000000C50000-0x0000000000F9E000-memory.dmp	family_quasar
behavioral1/memory/2960-88-0x0000000001070000-0x00000000013BE000-memory.dmp	family_quasar
behavioral1/memory/1516-99-0x0000000001200000-0x000000000154E000-memory.dmp	family_quasar
behavioral1/memory/2368-120-0x00000000001E0000-0x000000000052E000-memory.dmp	family_quasar
behavioral1/memory/880-131-0x0000000001170000-0x00000000014BE000-memory.dmp	family_quasar
behavioral1/memory/2884-153-0x00000000002A0000-0x00000000005EE000-memory.dmp	family_quasar
behavioral1/memory/2620-165-0x00000000013B0000-0x00000000016FE000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2852	java.exe
1292	java.exe
2992	java.exe
2204	java.exe
1064	java.exe
1964	java.exe
1540	java.exe
2960	java.exe
1516	java.exe
3008	java.exe
2368	java.exe
880	java.exe
2560	java.exe
2884	java.exe
2620	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2932	PING.EXE
1848	PING.EXE
556	PING.EXE
2224	PING.EXE
2732	PING.EXE
2064	PING.EXE
1680	PING.EXE
2448	PING.EXE
1576	PING.EXE
1316	PING.EXE
1388	PING.EXE
1600	PING.EXE
3032	PING.EXE
2936	PING.EXE
3044	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2936	PING.EXE
2448	PING.EXE
2064	PING.EXE
1316	PING.EXE
1680	PING.EXE
1388	PING.EXE
2932	PING.EXE
1576	PING.EXE
2224	PING.EXE
2732	PING.EXE
3044	PING.EXE
556	PING.EXE
1848	PING.EXE
1600	PING.EXE
3032	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2068	schtasks.exe
1028	schtasks.exe
2452	schtasks.exe
700	schtasks.exe
1680	schtasks.exe
2740	schtasks.exe
2868	schtasks.exe
2212	schtasks.exe
696	schtasks.exe
2996	schtasks.exe
1684	schtasks.exe
2328	schtasks.exe
2032	schtasks.exe
872	schtasks.exe
2760	schtasks.exe
2740	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
Token: SeDebugPrivilege	2852	java.exe
Token: SeDebugPrivilege	1292	java.exe
Token: SeDebugPrivilege	2992	java.exe
Token: SeDebugPrivilege	2204	java.exe
Token: SeDebugPrivilege	1064	java.exe
Token: SeDebugPrivilege	1964	java.exe
Token: SeDebugPrivilege	1540	java.exe
Token: SeDebugPrivilege	2960	java.exe
Token: SeDebugPrivilege	1516	java.exe
Token: SeDebugPrivilege	3008	java.exe
Token: SeDebugPrivilege	2368	java.exe
Token: SeDebugPrivilege	880	java.exe
Token: SeDebugPrivilege	2560	java.exe
Token: SeDebugPrivilege	2884	java.exe
Token: SeDebugPrivilege	2620	java.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2852	java.exe
1292	java.exe
2992	java.exe
2204	java.exe
1064	java.exe
1964	java.exe
1540	java.exe
2960	java.exe
1516	java.exe
3008	java.exe
2368	java.exe
880	java.exe
2560	java.exe
2884	java.exe
2620	java.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2852	java.exe
1292	java.exe
2992	java.exe
2204	java.exe
1064	java.exe
1964	java.exe
1540	java.exe
2960	java.exe
1516	java.exe
3008	java.exe
2368	java.exe
880	java.exe
2560	java.exe
2884	java.exe
2620	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2212	2760	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	31
PID 2760 wrote to memory of 2212	2760	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	31
PID 2760 wrote to memory of 2212	2760	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	31
PID 2760 wrote to memory of 2852	2760	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	33
PID 2760 wrote to memory of 2852	2760	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	33
PID 2760 wrote to memory of 2852	2760	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	33
PID 2852 wrote to memory of 2740	2852	java.exe	34
PID 2852 wrote to memory of 2740	2852	java.exe	34
PID 2852 wrote to memory of 2740	2852	java.exe	34
PID 2852 wrote to memory of 2724	2852	java.exe	36
PID 2852 wrote to memory of 2724	2852	java.exe	36
PID 2852 wrote to memory of 2724	2852	java.exe	36
PID 2724 wrote to memory of 2332	2724	cmd.exe	38
PID 2724 wrote to memory of 2332	2724	cmd.exe	38
PID 2724 wrote to memory of 2332	2724	cmd.exe	38
PID 2724 wrote to memory of 2448	2724	cmd.exe	39
PID 2724 wrote to memory of 2448	2724	cmd.exe	39
PID 2724 wrote to memory of 2448	2724	cmd.exe	39
PID 2724 wrote to memory of 1292	2724	cmd.exe	40
PID 2724 wrote to memory of 1292	2724	cmd.exe	40
PID 2724 wrote to memory of 1292	2724	cmd.exe	40
PID 1292 wrote to memory of 2452	1292	java.exe	41
PID 1292 wrote to memory of 2452	1292	java.exe	41
PID 1292 wrote to memory of 2452	1292	java.exe	41
PID 1292 wrote to memory of 2272	1292	java.exe	43
PID 1292 wrote to memory of 2272	1292	java.exe	43
PID 1292 wrote to memory of 2272	1292	java.exe	43
PID 2272 wrote to memory of 840	2272	cmd.exe	45
PID 2272 wrote to memory of 840	2272	cmd.exe	45
PID 2272 wrote to memory of 840	2272	cmd.exe	45
PID 2272 wrote to memory of 3032	2272	cmd.exe	46
PID 2272 wrote to memory of 3032	2272	cmd.exe	46
PID 2272 wrote to memory of 3032	2272	cmd.exe	46
PID 2272 wrote to memory of 2992	2272	cmd.exe	47
PID 2272 wrote to memory of 2992	2272	cmd.exe	47
PID 2272 wrote to memory of 2992	2272	cmd.exe	47
PID 2992 wrote to memory of 700	2992	java.exe	48
PID 2992 wrote to memory of 700	2992	java.exe	48
PID 2992 wrote to memory of 700	2992	java.exe	48
PID 2992 wrote to memory of 2440	2992	java.exe	50
PID 2992 wrote to memory of 2440	2992	java.exe	50
PID 2992 wrote to memory of 2440	2992	java.exe	50
PID 2440 wrote to memory of 1988	2440	cmd.exe	52
PID 2440 wrote to memory of 1988	2440	cmd.exe	52
PID 2440 wrote to memory of 1988	2440	cmd.exe	52
PID 2440 wrote to memory of 1576	2440	cmd.exe	53
PID 2440 wrote to memory of 1576	2440	cmd.exe	53
PID 2440 wrote to memory of 1576	2440	cmd.exe	53
PID 2440 wrote to memory of 2204	2440	cmd.exe	54
PID 2440 wrote to memory of 2204	2440	cmd.exe	54
PID 2440 wrote to memory of 2204	2440	cmd.exe	54
PID 2204 wrote to memory of 2068	2204	java.exe	55
PID 2204 wrote to memory of 2068	2204	java.exe	55
PID 2204 wrote to memory of 2068	2204	java.exe	55
PID 2204 wrote to memory of 2564	2204	java.exe	57
PID 2204 wrote to memory of 2564	2204	java.exe	57
PID 2204 wrote to memory of 2564	2204	java.exe	57
PID 2564 wrote to memory of 1752	2564	cmd.exe	59
PID 2564 wrote to memory of 1752	2564	cmd.exe	59
PID 2564 wrote to memory of 1752	2564	cmd.exe	59
PID 2564 wrote to memory of 1848	2564	cmd.exe	60
PID 2564 wrote to memory of 1848	2564	cmd.exe	60
PID 2564 wrote to memory of 1848	2564	cmd.exe	60
PID 2564 wrote to memory of 1064	2564	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
"C:\Users\Admin\AppData\Local\Temp\e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2212
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2740
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ixKXjQ98iPhX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2332
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2448
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2452
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TToqJeK9ys9g.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:840
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3032
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pb9LHzkt2CuH.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vglpKdm2Dbxn.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1064
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:696
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mv0DckN4gmsJ.bat" "
        11⤵
        
        PID:908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1964
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1BBRGFSsVLe9.bat" "
        13⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1540
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OJKbswEdQZwS.bat" "
        15⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2960
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7kRnVrihuwif.bat" "
        17⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1516
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkSAXdPqwpHW.bat" "
        19⤵
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3008
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IcwAtNXPCFLq.bat" "
        21⤵
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2368
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\v0gMcQooGICi.bat" "
        23⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:880
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gRztixFpvziu.bat" "
        25⤵
        
        PID:908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2560
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9mV5vJLjtrqv.bat" "
        27⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nI7A83kOhKng.bat" "
        29⤵
        
        PID:584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2620
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycjKuZeQE94R.bat" "
        31⤵
        
        PID:600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1BBRGFSsVLe9.bat

Filesize
211B

MD5
e692377f434c714955b34e459b870dc8

SHA1
5b7a16fd781bb8f32aa731363eb04c91020c96b7

SHA256
e7710fd645346dcaaa3734c8087301109670a2fe7dfc3c0f69b5c31d20aa3357

SHA512
c127114f173e566313a2914cf7d526ef7fc5c3049a459e18e042c5285bc55c0033f58fdcb9f1f4a5ccb25cd68b9e1b5d56218759dfefb7fda4966395d27b0150

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kRnVrihuwif.bat

Filesize
211B

MD5
c8f05ff5b84c9371027ee42ae0ca6c48

SHA1
a97462b65b500fb75d227b8bb398dceb2db91936

SHA256
98656bc18a11b26f65ef4ba2aa965732d0d94357fbfc3ffd8f564103cfedb879

SHA512
9036bc87c0897db6a412330297de659a47b562db4d7c9e44683eae976415c1b317223eb5501e327a0714855de84f67ae98f8751633ffdc16e0e5caefb56a8e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\9mV5vJLjtrqv.bat

Filesize
211B

MD5
f392a09379a095b3bc28679e24c9bd72

SHA1
bfac1c13fda4889eac399d5b61ba99e8534648a4

SHA256
bf4aa2f1eaa1f07cfe199e1605967b032eb758194973b89b16a77de16c518748

SHA512
edea4c356a12d2e9f9081bbf0f200692585924468ee65e73df4ac9e4b5723e26d56eea1b41e0ba33587b3162bebe36c8b3c8b7d61ff769d9527a81563f3457e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcwAtNXPCFLq.bat

Filesize
211B

MD5
28ed23bc974be7dad1d046da4f26be05

SHA1
f0d5aa477cf6f28db2699b11dbfc1847a1061f33

SHA256
e1e177e76cc3939174496fad61dd9c9fbfd622c611a52a050ee6c2574da5dda7

SHA512
67bfaee67a83683b8a7a14bb74280804c9ce595212e5ad57079d5107ef257d847f11ae9dffa49baf832defa51d871bdc45e200216f35a4492f74866ce153a322

Download Submit
C:\Users\Admin\AppData\Local\Temp\OJKbswEdQZwS.bat

Filesize
211B

MD5
1468db77182c97a68f3192ac7fed91d9

SHA1
b6cc803b4f1e8aefe2d0e24066458acfacee85a5

SHA256
5387c3242606e040d574d512de1d6844a1bda08090331e371903b17a627b859e

SHA512
aa674b5e4bb283b2d2f37b6e29eec0bafd893bd3dc1b3f0b1ecebf294c3de17be5d9211402bb27d8a1e7894b22265283f3cca758601bcc826c15b1afaeddc9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TToqJeK9ys9g.bat

Filesize
211B

MD5
7aefc616ee50613e6fb6ab6a48fcae47

SHA1
9465af950637ee829b03e5c6d091cc5ea77e825d

SHA256
1d2719aca5d45a42a6a2fd9fc6b5dd96dc9a11ded263aff52f84d92887941cb3

SHA512
f7f4751fe0238445ca8024d60ff000d7dafff3e1a476d9e26d3970cc7b0a90a2e3b6d1585f54bc3699bc70b6112c8d68394d3f19dbca642341f3b973bc9186fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkSAXdPqwpHW.bat

Filesize
211B

MD5
83f384cbf3ed9ce4ae8cbfdab7aacf9e

SHA1
4bb20c16f8f43b0d56b3be321130875583fa9663

SHA256
67eb5fa410693572f60144e629825e6718edbaaed55a6a972b6047c362f54688

SHA512
a85995d6f59ae038c77dfcf3a13dca1c663f8aadb691ba5605e87446796e09379f6df990aa79c424de50fb71e5d8940c06537c892690b8f9cdd2cf1dd5d114b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gRztixFpvziu.bat

Filesize
211B

MD5
c9618c77e1cae1609e05ecea131e455a

SHA1
e8d9f9a710e24c24e5ab6b2c64b34f2ea9fb1904

SHA256
5728fb1749e467b4948846c4e8718042357357c7c79dd7c3112ca957498b69af

SHA512
f87ca5da8e7806035fbbf0fb9a0f8a9c8498ddc5afb4f14553abae9b05e973c16db990ab02bc080d272887a69946b39980d977c35c4cd69299dff2b3d5ae9e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixKXjQ98iPhX.bat

Filesize
211B

MD5
06d16e0664bc272e523a4b2b8b6124ee

SHA1
ebf29c920dd453e7616f271eb22d7eee2a3d2024

SHA256
926f84141b3fbcebdd41986dc8809c82c6e3116ba4c3fb6560975be25ec66d89

SHA512
4d2e0c3050aed648b60e7b1bf8267dc828873a739810a2d141c3e924c1116a7a4de1a28cb72bd3ed9502a63d943ef38f37ef7d6c4c376a76a5080c9c8dc9f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv0DckN4gmsJ.bat

Filesize
211B

MD5
87a01ad089ee76cd2ee57d760d87f867

SHA1
3fde12be6e6b83e7f5d5532af3065f7a0760f6b6

SHA256
289d1d74955d3768fd44febd718cc9fed8d8d154e25c68143b1f0303347b74f2

SHA512
0906913aea2cd3b90aeaee462b01e42bac7b9355ee87c93592e040d9ce2e82d405244165376f5295f32cff6e130c8750fc706644e49c32757d35de51ca6235d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nI7A83kOhKng.bat

Filesize
211B

MD5
b61ca22add0006cfba5da58e74a1a446

SHA1
10064b514c98ea555f839302de7554fdcbcebe5b

SHA256
06d4cd9473ccf149f1a8a93862b23904713e118cd8ca25fb27cc29f0b483a204

SHA512
a065bc45bd9df970f969189f903602d96633535e570c24c2a71a0a07644d44fda7e07f722e1395e371e56681ca5b1b22b9ddb1a9a0949bfd1d7b6f4349ee7307

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb9LHzkt2CuH.bat

Filesize
211B

MD5
343253d38a638dfc370edc8e403ab98f

SHA1
715bd52c4a87379d2c85e7599e56dfbb7dac0217

SHA256
90a11ff74fe22e48584db0d661b4e4e5621b77efa070318c75ea6f7d2a1aa4e2

SHA512
f504b362839a7c3d40069c14a99e034b4aee3f6edf33eb5b12712ab1285fb94e804a9324d67292d5a9931741d01aefba7bfec38e9ed1f5603a4086eb4082046e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0gMcQooGICi.bat

Filesize
211B

MD5
fc91c641183d8b4e2fa11741884792de

SHA1
623f642fcc84cd310077f5f3fe9a600d66b19406

SHA256
f95443724c9dfee6b078ac6f7c15fd5db25a86c8c9c113462d2f39ad83dc1e99

SHA512
95c9a883197a4edbf3ed8b13e24a96bf5994d07f85dc00787885f0a67a9debd12f1e297d6406fb3321c8a60253a0c50b77a38a550916e5cd010943e25528b32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vglpKdm2Dbxn.bat

Filesize
211B

MD5
34688ef0ecc6f20570107df614c05f5a

SHA1
c9140486c575774a4e767bbb993644604756e63c

SHA256
2db0a1761ee2b0d5fc772651669e6f776749bdf18003e64ceb04b8a5a861b102

SHA512
c2bffb4e8a449ee32bb6d008bbe6c9f34808e023193fc01a2da85735faa3d75436f224438e4eb403e7beed3534e3c325d426b3e74cd4a244db0485eb30e0b931

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycjKuZeQE94R.bat

Filesize
211B

MD5
16da5df6ba69e4396fe2e05862105b19

SHA1
62a24795de99dffd611b23659bdee053e30bce17

SHA256
d8d179afc31698d293aacbc5ab035a5487d218f5f1cc15247aa85c56422c5147

SHA512
44a5f8f0f74cf7a91d7f7c1e49d39ac518c5bfd71fe6eca54705b9292e9fcd624912b530fc28ae11749ad1ea4b864d5e8088e54a65e609328176a6eed2d4b3d7

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
bc884c0edbc8df559985b42fdd2fc985

SHA1
9611a03c424e0285ab1a8ea9683918ce7b5909ab

SHA256
e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270

SHA512
1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc

Download Submit
memory/880-131-0x0000000001170000-0x00000000014BE000-memory.dmp

Filesize
3.3MB

Download
memory/1064-54-0x0000000000220000-0x000000000056E000-memory.dmp

Filesize
3.3MB

Download
memory/1516-99-0x0000000001200000-0x000000000154E000-memory.dmp

Filesize
3.3MB

Download
memory/1540-76-0x0000000000C50000-0x0000000000F9E000-memory.dmp

Filesize
3.3MB

Download
memory/1964-65-0x0000000000270000-0x00000000005BE000-memory.dmp

Filesize
3.3MB

Download
memory/2368-120-0x00000000001E0000-0x000000000052E000-memory.dmp

Filesize
3.3MB

Download
memory/2620-165-0x00000000013B0000-0x00000000016FE000-memory.dmp

Filesize
3.3MB

Download
memory/2760-8-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-2-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-1-0x0000000000250000-0x000000000059E000-memory.dmp

Filesize
3.3MB

Download
memory/2760-0-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

Filesize
4KB

Download
memory/2852-9-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-11-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-10-0x0000000001060000-0x00000000013AE000-memory.dmp

Filesize
3.3MB

Download
memory/2852-20-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-153-0x00000000002A0000-0x00000000005EE000-memory.dmp

Filesize
3.3MB

Download
memory/2960-88-0x0000000001070000-0x00000000013BE000-memory.dmp

Filesize
3.3MB

Download
memory/2992-33-0x0000000001210000-0x000000000155E000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads