Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 18-12-2024 06:39
Behavioral task: behavioral1
Sample: Java.exe
Resource: win7-20240903-en
General
Target: Java.exe
Size: 3.3MB
MD5: f29f701e76e3a435acdd474a41fa60ba
SHA1: 10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256: 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512: 0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9
SSDEEP: 49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO
Malware Config
Extracted: quasar 1.4.1
Java
dez3452-33187.portmap.host:33187
f0e53bcd-851e-44af-8fd5-07d8ab5ed968
encryption_key: 65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name: java.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: java ©
subdirectory: Programfiles
Signatures

Quasar family

Quasar payload 12 IoCs
resource                                                                     yara_rule
behavioral1/memory/1576-1-0x0000000000990000-0x0000000000CDE000-memory.dmp   family_quasar
behavioral1/files/0x0008000000015da1-5.dat                                   family_quasar
behavioral1/memory/2480-10-0x0000000001150000-0x000000000149E000-memory.dmp  family_quasar
behavioral1/memory/1752-44-0x0000000000070000-0x00000000003BE000-memory.dmp  family_quasar
behavioral1/memory/996-56-0x0000000000E60000-0x00000000011AE000-memory.dmp   family_quasar
behavioral1/memory/2452-67-0x0000000000F60000-0x00000000012AE000-memory.dmp  family_quasar
behavioral1/memory/2756-88-0x0000000000250000-0x000000000059E000-memory.dmp  family_quasar
behavioral1/memory/2360-99-0x00000000012E0000-0x000000000162E000-memory.dmp  family_quasar
behavioral1/memory/3016-110-0x00000000003D0000-0x000000000071E000-memory.dmp family_quasar
behavioral1/memory/1428-122-0x00000000012D0000-0x000000000161E000-memory.dmp family_quasar
behavioral1/memory/1316-143-0x00000000002D0000-0x000000000061E000-memory.dmp family_quasar
behavioral1/memory/2532-154-0x00000000013A0000-0x00000000016EE000-memory.dmp family_quasar

Executes dropped EXE 16 IoCs
pid   Process
2480  java.exe
2760  java.exe
3036  java.exe
1752  java.exe
996   java.exe
2452  java.exe
1496  java.exe
2756  java.exe
2360  java.exe
3016  java.exe
1428  java.exe
532   java.exe
1316  java.exe
2532  java.exe
2900  java.exe
1284  java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2508  PING.EXE
2484  PING.EXE
2960  PING.EXE
1788  PING.EXE
1468  PING.EXE
1708  PING.EXE
2912  PING.EXE
1740  PING.EXE
1044  PING.EXE
2708  PING.EXE
624   PING.EXE
2416  PING.EXE
1248  PING.EXE
2084  PING.EXE
1584  PING.EXE

Runs ping.exe 1 TTPs 15 IoCs
pid   Process
1584  PING.EXE
624   PING.EXE
2708  PING.EXE
1248  PING.EXE
2912  PING.EXE
1044  PING.EXE
1708  PING.EXE
1788  PING.EXE
1468  PING.EXE
2508  PING.EXE
2484  PING.EXE
1740  PING.EXE
2960  PING.EXE
2416  PING.EXE
2084  PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2840  schtasks.exe
816   schtasks.exe
1356  schtasks.exe
932   schtasks.exe
300   schtasks.exe
1972  schtasks.exe
2764  schtasks.exe
2380  schtasks.exe
2812  schtasks.exe
2024  schtasks.exe
2944  schtasks.exe
328   schtasks.exe
2240  schtasks.exe
2632  schtasks.exe
2992  schtasks.exe
2528  schtasks.exe
1708  schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs
description              pid   Process
Token: SeDebugPrivilege  1576  Java.exe
Token: SeDebugPrivilege  2480  java.exe
Token: SeDebugPrivilege  2760  java.exe
Token: SeDebugPrivilege  3036  java.exe
Token: SeDebugPrivilege  1752  java.exe
Token: SeDebugPrivilege  996   java.exe
Token: SeDebugPrivilege  2452  java.exe
Token: SeDebugPrivilege  1496  java.exe
Token: SeDebugPrivilege  2756  java.exe
Token: SeDebugPrivilege  2360  java.exe
Token: SeDebugPrivilege  3016  java.exe
Token: SeDebugPrivilege  1428  java.exe
Token: SeDebugPrivilege  532   java.exe
Token: SeDebugPrivilege  1316  java.exe
Token: SeDebugPrivilege  2532  java.exe
Token: SeDebugPrivilege  2900  java.exe
Token: SeDebugPrivilege  1284  java.exe

Suspicious use of FindShellTrayWindow 16 IoCs
pid   Process
2480  java.exe
2760  java.exe
3036  java.exe
1752  java.exe
996   java.exe
2452  java.exe
1496  java.exe
2756  java.exe
2360  java.exe
3016  java.exe
1428  java.exe
532   java.exe
1316  java.exe
2532  java.exe
2900  java.exe
1284  java.exe

Suspicious use of SendNotifyMessage 16 IoCs
pid   Process
2480  java.exe
2760  java.exe
3036  java.exe
1752  java.exe
996   java.exe
2452  java.exe
1496  java.exe
2756  java.exe
2360  java.exe
3016  java.exe
1428  java.exe
532   java.exe
1316  java.exe
2532  java.exe
2900  java.exe
1284  java.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1  PID 1576  C:\Users\Admin\AppData\Local\Temp\Java.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Java.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

Level 2  PID 1972  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 2  PID 2480  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

Level 3  PID 2764  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 3  PID 2748  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\c661uhWmvl9z.bat" "
  Signatures: Suspicious use of WriteProcessMemory

Level 4  PID 2288  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 4  PID 2912  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 4  PID 2760  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

Level 5  PID 2992  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 5  PID 2672  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qe83tMqLmBmN.bat" "
  Signatures: Suspicious use of WriteProcessMemory

Level 6  PID 1580  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 6  PID 1468  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 6  PID 3036  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

Level 7  PID 2840  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 7  PID 2860  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ba7hl8GI8K5Z.bat" "
  Signatures: Suspicious use of WriteProcessMemory

Level 8  PID 544  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 8  PID 1584  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 8  PID 1752  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

Level 9  PID 816  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 9  PID 2376  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOytDlX9NHrW.bat" "
  Signatures: Suspicious use of WriteProcessMemory

Level 10  PID 2420  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 10  PID 624  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 10  PID 996  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 11  PID 1356  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 11  PID 1268  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKHisqGh1Wrf.bat" "

Level 12  PID 1736  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 12  PID 2508  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 12  PID 2452  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 13  PID 2380  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 13  PID 1144  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rVKidoWALNXq.bat" "

Level 14  PID 336  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 14  PID 2484  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 14  PID 1496  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 15  PID 1708  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 15  PID 2092  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bgx0hRbEbCUE.bat" "

Level 16  PID 1800  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 16  PID 2708  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 16  PID 2756  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 17  PID 2812  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 17  PID 2828  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\isCTY7ltN1zj.bat" "

Level 18  PID 2228  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 18  PID 1740  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 18  PID 2360  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 19  PID 2024  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 19  PID 1820  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8b39RUCFVEGH.bat" "

Level 20  PID 1296  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 20  PID 2960  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 20  PID 3016  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 21  PID 2944  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 21  PID 1536  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\mHdtMJYvXhen.bat" "

Level 22  PID 1928  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 22  PID 2416  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 22  PID 1428  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 23  PID 328  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 23  PID 1076  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\URTLFb7gpqAx.bat" "

Level 24  PID 1236  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 24  PID 1248  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 24  PID 532  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 25  PID 932  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 25  PID 2144  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMcIxBMARF59.bat" "

Level 26  PID 2184  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 26  PID 1044  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 26  PID 1316  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 27  PID 300  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 27  PID 2284  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0xPDeOfU5nVd.bat" "

Level 28  PID 592  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 28  PID 1708  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 28  PID 2532  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 29  PID 2528  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 29  PID 1932  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JrUwxpxHsizy.bat" "

Level 30  PID 2544  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 30  PID 2084  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 30  PID 2900  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 31  PID 2240  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 31  PID 2624  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqEsmE7bRvkE.bat" "

Level 32  PID 2244  C:\Windows\system32\chcp.com
  Command line: chcp 65001

Level 32  PID 1788  C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Level 32  PID 1284  C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Level 33  PID 2632  C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

Level 33  PID 2692  C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\vJsePNfG65Sn.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads