Analysis
max time kernel: 146s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 06:32
Behavioral task: behavioral1
Sample: Java.exe
Resource: win7-20240903-en
General
Target: Java.exe
Size: 3.3MB
MD5: f29f701e76e3a435acdd474a41fa60ba
SHA1: 10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256: 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512: 0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9
SSDEEP: 49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Java
C2: dez3452-33187.portmap.host:33187
Mutex: f0e53bcd-851e-44af-8fd5-07d8ab5ed968
Attributes:
encryption_key: 65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name: java.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: java ©
subdirectory: Programfiles
Signatures
Quasar family
Quasar payload (8 IoCs)
resource / yara_rule
behavioral1/memory/2216-1-0x0000000001300000-0x000000000164E000-memory.dmp  family_quasar
behavioral1/files/0x0032000000016d68-6.dat  family_quasar
behavioral1/memory/2804-9-0x0000000000ED0000-0x000000000121E000-memory.dmp  family_quasar
behavioral1/memory/576-23-0x0000000000060000-0x00000000003AE000-memory.dmp  family_quasar
behavioral1/memory/1028-34-0x00000000011C0000-0x000000000150E000-memory.dmp  family_quasar
behavioral1/memory/2728-86-0x00000000003A0000-0x00000000006EE000-memory.dmp  family_quasar
behavioral1/memory/2524-97-0x0000000000FF0000-0x000000000133E000-memory.dmp  family_quasar
behavioral1/memory/2040-109-0x00000000010F0000-0x000000000143E000-memory.dmp  family_quasar
Executes dropped EXE (15 IoCs)
pid / Process (all java.exe): 2804, 576, 1028, 532, 2940, 904, 3000, 2728, 2524, 2040, 1812, 292, 580, 2520, 1224
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid / Process (all PING.EXE): 3028, 2676, 1436, 1344, 1952, 2932, 2400, 1300, 1672, 2464, 2452, 1436, 1300, 1844, 2708
Runs ping.exe (1 TTPs, 15 IoCs)
pid / Process (all PING.EXE): 1844, 1300, 1952, 1672, 2676, 2400, 2464, 3028, 1436, 1344, 1436, 2932, 2708, 1300, 2452
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process (all schtasks.exe): 2612, 1380, 2568, 828, 1032, 2704, 2472, 844, 2464, 2108, 2164, 2696, 2672, 1512, 964, 1636
Suspicious use of AdjustPrivilegeToken (16 IoCs)
description / pid / Process (all Token: SeDebugPrivilege): 2216 Java.exe, 2804 java.exe, 576 java.exe, 1028 java.exe, 532 java.exe, 2940 java.exe, 904 java.exe, 3000 java.exe, 2728 java.exe, 2524 java.exe, 2040 java.exe, 1812 java.exe, 292 java.exe, 580 java.exe, 2520 java.exe, 1224 java.exe
Suspicious use of FindShellTrayWindow (15 IoCs)
pid / Process (all java.exe): 2804, 576, 1028, 532, 2940, 904, 3000, 2728, 2524, 2040, 1812, 292, 580, 2520, 1224
Suspicious use of SendNotifyMessage (15 IoCs)
pid / Process (all java.exe): 2804, 576, 1028, 532, 2940, 904, 3000, 2728, 2524, 2040, 1812, 292, 580, 2520, 1224
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (the report lists each row three times unless noted)
PID 2216 Java.exe wrote to memory of 2704 (procid_target 30)
PID 2216 Java.exe wrote to memory of 2804 (procid_target 32)
PID 2804 java.exe wrote to memory of 2672 (procid_target 33)
PID 2804 java.exe wrote to memory of 1952 (procid_target 35)
PID 1952 cmd.exe wrote to memory of 2620 (procid_target 37)
PID 1952 cmd.exe wrote to memory of 2676 (procid_target 38)
PID 1952 cmd.exe wrote to memory of 576 (procid_target 39)
PID 576 java.exe wrote to memory of 1512 (procid_target 40)
PID 576 java.exe wrote to memory of 2140 (procid_target 42)
PID 2140 cmd.exe wrote to memory of 2188 (procid_target 44)
PID 2140 cmd.exe wrote to memory of 1844 (procid_target 45)
PID 2140 cmd.exe wrote to memory of 1028 (procid_target 47)
PID 1028 java.exe wrote to memory of 1380 (procid_target 48)
PID 1028 java.exe wrote to memory of 2136 (procid_target 50)
PID 2136 cmd.exe wrote to memory of 1920 (procid_target 52)
PID 2136 cmd.exe wrote to memory of 1436 (procid_target 53)
PID 2136 cmd.exe wrote to memory of 532 (procid_target 54)
PID 532 java.exe wrote to memory of 2472 (procid_target 55)
PID 532 java.exe wrote to memory of 1044 (procid_target 57)
PID 1044 cmd.exe wrote to memory of 864 (procid_target 59)
PID 1044 cmd.exe wrote to memory of 1300 (procid_target 60)
PID 1044 cmd.exe wrote to memory of 2940 (procid_target 61) (listed once)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(bracketed number = nesting depth of the process in the tree, as given in the report)
[1] C:\Users\Admin\AppData\Local\Temp\Java.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Java.exe"
    PID: 2216
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2704
    signatures: Scheduled Task/Job: Scheduled Task
[2] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 2804
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2672
    signatures: Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pq3EIoYtrLuM.bat" "
    PID: 1952
    signatures: Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2620
[4] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 2676
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[4] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 576
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[5] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 1512
    signatures: Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\plShHm4btX3Q.bat" "
    PID: 2140
    signatures: Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2188
[6] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1844
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[6] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 1028
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 1380
    signatures: Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rNkM3WvOAedC.bat" "
    PID: 2136
    signatures: Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1920
[8] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1436
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[8] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 532
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[9] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2472
    signatures: Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\268b2fwlcZK4.bat" "
    PID: 1044
    signatures: Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 864
[10] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1300
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[10] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 2940
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[11] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2108
    signatures: Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q3bpCC1yv4tS.bat" "
    PID: 1848
[12] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1528
[12] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1344
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[12] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 904
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[13] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 844
    signatures: Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\cV9EFnJvRTMT.bat" "
    PID: 1632
[14] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2884
[14] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 2932
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[14] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 3000
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[15] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2464
    signatures: Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3TtdWMFWkZg2.bat" "
    PID: 2704
[16] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2696
[16] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 2708
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[16] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 2728
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[17] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2568
    signatures: Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QbAAv5AlzdHN.bat" "
    PID: 2984
[18] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2556
[18] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1952
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[18] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 2524
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[19] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2164
    signatures: Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MoIIBCm0Z6l2.bat" "
    PID: 1764
[20] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2064
[20] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 2400
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[20] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 2040
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[21] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 828
    signatures: Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1RJsaH1mjXnn.bat" "
    PID: 464
[22] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1912
[22] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1436
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[22] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 1812
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[23] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 1032
    signatures: Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oho6GZRpZQSG.bat" "
    PID: 2540
[24] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1096
[24] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1300
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[24] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 292
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[25] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 964
    signatures: Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZebdJqIXx9Sm.bat" "
    PID: 1344
[26] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2488
[26] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1672
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[26] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 580
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[27] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 1636
    signatures: Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqp0HMBxUNHm.bat" "
    PID: 1904
[28] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1688
[28] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 2464
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[28] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 2520
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[29] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2696
    signatures: Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lg9qs8YlXUb7.bat" "
    PID: 2692
[30] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2204
[30] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 3028
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[30] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 1224
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[31] C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2612
    signatures: Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rZ1oJjFl7gJ5.bat" "
    PID: 608
[32] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2964
[32] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 2452
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 211B
MD5: 74ca6e493a2f0726c0f61e21d5606142
SHA1: 1721e47f7fe406a5cfbef7a3c41652327f937b1c
SHA256: da1e002664a7c3b36de31a1065acac0968ca69153cf291ab6847c4483d77a033
SHA512: b69c1ae7c46e6cfcc86dddd6add64db7dfdc504731cc8da18045cb86ae6c2e4fa4263d0192a4269bb111d1c21259977a69a222c395fd7eb6a7152369c36f0b30

Filesize: 211B
MD5: c2a1de7eee074f8755c0552274516aa3
SHA1: 85adb7d119461da6eeee55eb0252d5462e51149e
SHA256: 976a3cd58d60dd90046ca385a344fc7c1b483f39f43ec0fb7d136719d1df0807
SHA512: 3a8d2dec9e9d4040a6e7cd651cf66217040abc77851a736def473cfa02df2ed91bfdc9c0e8c8a45bdedb84641bc1b5e7fde8753473405588d1e2e4e9e2ff55de

Filesize: 211B
MD5: 0c24aa303fe9f63d881f0d07d323ab94
SHA1: 10488b58e9f2bda3d118754dfcb6ab4254c5d83a
SHA256: 5e9db6d298bbf2f59f7e22bae6088a9fdcc9e7225b6fbcab806d1a2eae9624b0
SHA512: 45e10be9fe569caba3294922f52c665b6434b1ee8da6f41a9c0c3604e1f3e9a3971b767a7ae0f30076fb96fb5cf37b63bafe322637743d7b24a5ed2f4ac9f0c1

Filesize: 211B
MD5: 1dc341caef6c8602fcfd908a14965bf2
SHA1: bf2c473018900d4bbbd97d793c8d3ad231159a29
SHA256: dbac98c4113c981e01e2e250e91fae12c053140c1ca31542f9c7b2515940afeb
SHA512: 2412e9ac4d1b887cbcb111412b2387e815dcbfeaa92f6f8e371f416a152bb0bcd8031412653dc975a066c61b0b4ad9358ade2e57d679ccb1675d7d049d4ce77a

Filesize: 211B
MD5: 4198566c8aaeb8d95bfef64197d178be
SHA1: c69f061914ba7c7102f65c0b7d5fa6995bcd4e69
SHA256: 024d1c9e84216f4d8f160f8d00b037a118b1e8c30345ccde5c89b38eabbf7a45
SHA512: 7c3c99b12dd8a10076eafdc0fc49cd80629acd48a8ff9236b3fc6ddba11edd2eb9697efb61248545d22bcdbbc6f98fd742450ed28650ced1641f1952559bb17d

Filesize: 211B
MD5: 99e9c4cc0257311a75c5971f63b3a68c
SHA1: 72ae6e5d315eb3ab786140a94ed198e797e1850e
SHA256: daec4cdf94319873ff522b0d2e8636561cb5d073a3c4e88db4f04607d59ba7ee
SHA512: 8148dee5ed60382c8cd65e48680dc3cdee843aad89438dbd029ec1ce15ff53dacb796ff1af928433368c6f39a95eb669206a50318d3c0e0836440ad630d27799

Filesize: 211B
MD5: 45ab22758c3056903a8408bd1857ad8a
SHA1: c65a51aa6217d9ce07e151c4b8504ea3e8f277ad
SHA256: 3c0a0ecb2d912bd7e0e20c5430f46b6d813469456c8d08c5cfedf086ebed097b
SHA512: 9f74fc0679faf80ae86ba949e61c5b13202512dccfd2a780fa233a281d711c64cf85ca08c3ec5b303853f268fbf770ca683f21e65eda9bac607772f886a37ca3

Filesize: 211B
MD5: 2e85509f7062404c36f482fe7c9f040f
SHA1: f46e978b0b814b4001676601eb1ba6b1b162de2a
SHA256: cd1c0204da702ad6ae01a05dd1895befa8721e9e81fd9a59cc6f96369eccc88d
SHA512: f0db95a7e9eb7ad45469d7fa68f06e0c201c3d092dd3fa9421719790bc23890c9122dd790cbad61cbe15ff5e3d56ed0e0511e8a06eb3434e1d4871d67441d787

Filesize: 211B
MD5: 67f81d7157dfaa2c130fa0c436393192
SHA1: 28bf7ca051c56dbf4bb43a83e2dc68f8a98973d9
SHA256: 145402d57743611fc5a56214bf90c12937e8edbc0f14f0baae784e739380fdc9
SHA512: 475694abf1b26f60f7bb8f5607c545d554f7274f5f87f1ffeb28c461b42356c0277359e6f78027aeab5dc1f1f9f0d42de90c087f2ab05748688b393acfecb682

Filesize: 211B
MD5: 4aa041216f2d55bfab17d976ab896115
SHA1: 193b538ad679118c4a99b4ad5add97b45d38be06
SHA256: 7464803351af8c9d30c9f26d2a7933a14369292732571dbf06947112fb390d31
SHA512: 9e095d1f13ba279aba444fbd9b7e8ce8f36836c1b51a18d8e84eadfe137afbbd375bf71331b4dcbabafad435f34b085956467eb46dcd798359630e3ad29b844e

Filesize: 211B
MD5: 7778fdff24b67fda0b051b3b01830f9e
SHA1: c925c0dfe491f10e2cf3cdcf9808d9d73ba5db31
SHA256: 7e75dcf7c1b960560d4ccd34abad0cd515418786eb54b087f859f59200ac35bf
SHA512: b59f28ba15775e658907ddc5da29485703c88282e419f5a4e40bdefee23d2ce5d7f7d9898f7321cd03f003cc5af9219cd3ed6f8761d78f878e286c01b2d32e8b

Filesize: 211B
MD5: 3fa56610126f929fcf284cfac0c417f6
SHA1: ccea9cfd28fbf4dfd74a359bf2dee928f5c5e7f5
SHA256: d0904abd43f5773d1accdad97bce5f39a883726cc8d5555b053a681adbe9e9f6
SHA512: bf12e9fa6dbc57a4bbea1e46e1dbb2daa5b65478fee0d2c03ff34621b5ab0a40944808bdf746ed3184dc5feba9476d1d4ac4bf397dbc403e1ef1ea14287efff3

Filesize: 211B
MD5: 41bf04bbf2df2755bf513253c8da9db1
SHA1: 78f35cf7ae43fd40cec4831763ef2af7c995b167
SHA256: 8fe838a6188ff06fa4b9b5b5ef7c121d7723891651ac0ab57a44070db1995dc3
SHA512: 01fa52601c50e18c048ebfb5e882e9b02817c45292242bdaaf23dddfed6a0b0b3b3ca4c015f5f8463cc0297cc10e6fb32adda00c5404dfd889c769a9e56d6874

Filesize: 211B
MD5: 7bac8d9d4ce995eb87521fc7db173495
SHA1: fff90c2960a2b82c67f0dcefa2fc771642cdb9a1
SHA256: 7f7322054a4bb98cd433c8e63d6d7aa817ca2968e4fc54a5b9a0486eb04e1d12
SHA512: 50024400a167c695fc2c59a0ddf6db6b3d8ca8b6a1463c6789859af01c70ec7e27153ba733e9a6eaf9a747624db6b7e9fd6feececda02b096860d7751aecd7b2

Filesize: 211B
MD5: 110c1405679da33a035cac8797c75b27
SHA1: 0300d05654cba9303438f6cc0a8cfe245506e515
SHA256: a5fc133a3e7f568a8b88e51482bdda3f50801631cfc27a01551e7c2309771877
SHA512: 88228cb1e1906f2bf70d26c8b265dfb56b32eacf88eb73b026dc234aaecbfef0a49ba6ab26c4e85e7510154fb36b60fbe5fae0495d6ea745e7ddb4edb7d600d2

Filesize: 3.3MB
MD5: f29f701e76e3a435acdd474a41fa60ba
SHA1: 10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256: 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512: 0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9