Analysis

max time kernel
147s

max time network
150s

platform
windows10-2004_x64

resource
win10v2004-20241007-en

resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system

submitted
18-12-2024 06:39
Behavioral task
behavioral1
Sample
Java.exe
Resource
win7-20240903-en
General

Target
Java.exe

Size
3.3MB

MD5
f29f701e76e3a435acdd474a41fa60ba

SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478

SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9

SSDEEP
49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO
Malware Config

Extracted

Family
quasar

Version
1.4.1

Botnet
Java

C2
dez3452-33187.portmap.host:33187

Mutex
f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1

install_name
java.exe

log_directory
Logs

reconnect_delay
3000

startup_key
java ©

subdirectory
Programfiles
Signatures

Quasar family

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3160-1-0x0000000000160000-0x00000000004AE000-memory.dmp | family_quasar
behavioral2/files/0x000b000000023b72-7.dat | family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | java.exe (15 identical entries)

Executes dropped EXE (15 IoCs)
pid | Process
4176, 3920, 5052, 1240, 4724, 3444, 1184, 4316, 4568, 3080, 1480, 1828, 3740, 2508, 3556 | java.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4984, 3620, 1656, 3164, 1000, 4740, 628, 5008, 4156, 4412, 2940, 5008, 3908, 3368, 1860 | PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
pid | Process
1000, 5008, 3620, 3368, 1860, 3164, 5008, 3908, 4984, 628, 4156, 1656, 4740, 4412, 2940 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2944, 2948, 4760, 1252, 836, 640, 3596, 964, 4324, 3132, 2772, 3500, 1624, 4988, 4632, 3408 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3160 | Java.exe
Token: SeDebugPrivilege | 4176, 3920, 5052, 1240, 4724, 3444, 1184, 4316, 4568, 3080, 1480, 1828, 3740, 2508, 3556 | java.exe

Suspicious use of FindShellTrayWindow (15 IoCs)
pid | Process
4176, 3920, 5052, 1240, 4724, 3444, 1184, 4316, 4568, 3080, 1480, 1828, 3740, 2508, 3556 | java.exe

Suspicious use of SendNotifyMessage (15 IoCs)
pid | Process
4176, 3920, 5052, 1240, 4724, 3444, 1184, 4316, 4568, 3080, 1480, 1828, 3740, 2508, 3556 | java.exe

Suspicious use of WriteProcessMemory (64 IoCs; each entry is recorded twice in the report, the 32 distinct entries are listed once here)
description | pid Process | procid_target
PID 3160 wrote to memory of 2944 | 3160 Java.exe | 83
PID 3160 wrote to memory of 4176 | 3160 Java.exe | 85
PID 4176 wrote to memory of 4324 | 4176 java.exe | 86
PID 4176 wrote to memory of 2196 | 4176 java.exe | 88
PID 2196 wrote to memory of 1684 | 2196 cmd.exe | 90
PID 2196 wrote to memory of 5008 | 2196 cmd.exe | 91
PID 2196 wrote to memory of 3920 | 2196 cmd.exe | 102
PID 3920 wrote to memory of 1252 | 3920 java.exe | 103
PID 3920 wrote to memory of 2308 | 3920 java.exe | 106
PID 2308 wrote to memory of 1716 | 2308 cmd.exe | 108
PID 2308 wrote to memory of 3908 | 2308 cmd.exe | 109
PID 2308 wrote to memory of 5052 | 2308 cmd.exe | 114
PID 5052 wrote to memory of 3132 | 5052 java.exe | 115
PID 5052 wrote to memory of 3484 | 5052 java.exe | 118
PID 3484 wrote to memory of 3500 | 3484 cmd.exe | 120
PID 3484 wrote to memory of 4984 | 3484 cmd.exe | 121
PID 3484 wrote to memory of 1240 | 3484 cmd.exe | 125
PID 1240 wrote to memory of 1624 | 1240 java.exe | 126
PID 1240 wrote to memory of 3764 | 1240 java.exe | 129
PID 3764 wrote to memory of 3996 | 3764 cmd.exe | 131
PID 3764 wrote to memory of 3620 | 3764 cmd.exe | 132
PID 3764 wrote to memory of 4724 | 3764 cmd.exe | 134
PID 4724 wrote to memory of 2772 | 4724 java.exe | 135
PID 4724 wrote to memory of 920 | 4724 java.exe | 138
PID 920 wrote to memory of 1864 | 920 cmd.exe | 140
PID 920 wrote to memory of 628 | 920 cmd.exe | 141
PID 920 wrote to memory of 3444 | 920 cmd.exe | 142
PID 3444 wrote to memory of 836 | 3444 java.exe | 143
PID 3444 wrote to memory of 4784 | 3444 java.exe | 146
PID 4784 wrote to memory of 2920 | 4784 cmd.exe | 148
PID 4784 wrote to memory of 1656 | 4784 cmd.exe | 149
PID 4784 wrote to memory of 1184 | 4784 cmd.exe | 150

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry shows the image path, the command line, the PID and the signatures hit; the number in brackets is the nesting depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\Java.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Java.exe"
    PID: 3160
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2944
    - Scheduled Task/Job: Scheduled Task

[2] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 4176
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 4324
    - Scheduled Task/Job: Scheduled Task

[3] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7Efdp8pGzc7.bat" "
    PID: 2196
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1684

[4] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 5008
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[4] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 3920
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 1252
    - Scheduled Task/Job: Scheduled Task

[5] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NjJN995TQWlw.bat" "
    PID: 2308
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1716

[6] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 3908
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[6] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 5052
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 3132
    - Scheduled Task/Job: Scheduled Task

[7] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O1YOLLJRf79q.bat" "
    PID: 3484
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 3500

[8] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 4984
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[8] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 1240
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 1624
    - Scheduled Task/Job: Scheduled Task

[9] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gNuOrJ5yD07D.bat" "
    PID: 3764
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 3996

[10] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 3620
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[10] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 4724
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2772
    - Scheduled Task/Job: Scheduled Task

[11] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHGvnYjbyN7a.bat" "
    PID: 920
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1864

[12] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 628
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[12] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 3444
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 836
    - Scheduled Task/Job: Scheduled Task

[13] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xdZS7zliRLHO.bat" "
    PID: 4784
    - Suspicious use of WriteProcessMemory

[14] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2920

[14] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 1656
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[14] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 1184
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[15] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 640
    - Scheduled Task/Job: Scheduled Task

[15] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vJHxuaZVzSxJ.bat" "
    PID: 3908

[16] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 4528

[16] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 3368
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[16] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 4316
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[17] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 3500
    - Scheduled Task/Job: Scheduled Task

[17] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kzZXMi4Nbgu6.bat" "
    PID: 3688

[18] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 552

[18] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 1860
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[18] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 4568
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[19] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 964
    - Scheduled Task/Job: Scheduled Task

[19] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\739DQepbKvrZ.bat" "
    PID: 2784

[20] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2288

[20] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 3164
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[20] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 3080
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[21] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 4988
    - Scheduled Task/Job: Scheduled Task

[21] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F58NeBExjQzo.bat" "
    PID: 3056

[22] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 428

[22] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 5008
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[22] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 1480
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[23] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 4632
    - Scheduled Task/Job: Scheduled Task

[23] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RlXs6VBdIift.bat" "
    PID: 4924

[24] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2632

[24] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 1000
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[24] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 1828
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[25] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 3596
    - Scheduled Task/Job: Scheduled Task

[25] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tVibWsu9TzTM.bat" "
    PID: 2760

[26] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 4908

[26] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 4740
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[26] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 3740
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[27] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 2948
    - Scheduled Task/Job: Scheduled Task

[27] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukNE8bFT5H7L.bat" "
    PID: 2736

[28] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2916

[28] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 4412
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[28] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 2508
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[29] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 4760
    - Scheduled Task/Job: Scheduled Task

[29] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lHvGDEbj2d6b.bat" "
    PID: 2576

[30] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2384

[30] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 4156
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[30] C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    PID: 3556
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[31] C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    PID: 3408
    - Scheduled Task/Job: Scheduled Task

[31] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xC0WoUUwxsIn.bat" "
    PID: 2716

[32] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2708

[32] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 2940
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
baf55b95da4a601229647f25dad12878
SHA1
abc16954ebfd213733c4493fc1910164d825cac8
SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize
211B
MD5
44a95ad1b83b7d73635e9ff7f6f76c72
SHA1
6b16a0014d93cb3b4e20ce931998b94306299acc
SHA256
7c5e2e89377c736f0a3abef94097e78433dd1ba6bbcd332a17e74cdd94cb18f7
SHA512
a7b0353b60a32c64c7c5ebe58e25ce97fb2d0c59495e93242271d6fe8eed2340eee14979fb8ed03472072e5cf062a782984937cb5fb471ea9e2239cdb850ce1f

Filesize
211B
MD5
8e911b72bdeb6661213916b2f2316fac
SHA1
45c328c9c15680462cdab7021012e0ba45e9a4ef
SHA256
433d5a1e5fc6333dae8c7d85c8aaeeacb0c7e0e3e5ed367b58266f6ff3e3d41a
SHA512
84de9a63a8b496d13c875742e1aa0ab85ed4f3660dac6ed46f1b8d66161434c81591f9112ce1f730797c331dcff5d3d89567461c32181a99679485ecd491e6de

Filesize
211B
MD5
3436fa495e00f3669a5fa8fbd0c840aa
SHA1
767f31d8e5b9f9dfb02a134a2bd446a5a91b19e9
SHA256
d91b72aa26a3bc59a48395a0079303b8f6646fcf66f0e4f38af449f38c5b896f
SHA512
2927730d394a65e57a46242b851e7f245f825a3fd4ec45dcc0a957848f719259c5b73a1f2ffbc31eb04c73a088d76793f1a978407af62c9b0265660fa3a453a0

Filesize
211B
MD5
1b8440456398550582674fc8ce23f74c
SHA1
3706907890f5ff27d1dde142eb043c71e8b6e19b
SHA256
af8310b1fb7ac9995481c30bf3c443f15528c275bd2523a1d623e77748cc1390
SHA512
c5f1c6992a4044c8fefce9c2b9abd5144f776f49eee328177ba1ce925be8480d4a12310f6fa91d0c4cc8a9e82ffbc6b77483ba2e48e43176a8e77a17e7d8ac64

Filesize
211B
MD5
b8e4c70b2c096c3b65656bf1555d1cf5
SHA1
6529ca7fa2caa326f422af326f594ae718f4b92b
SHA256
8e23e77e143803df792e9fe4b74f98a72249ef8fd772ee8143f16bb6089f172c
SHA512
5aecd2d96730b165c11d48b1ec69c30eef2db96de33852b65f8216c20b8b3446b584eef03b2c26cc7ac64409e048b51cdde83ee2fbe1b208c17e37b4873d846c

Filesize
211B
MD5
92a8057b70e086725fedcd7283cb7bd1
SHA1
5708445e915f4a629eef14cc117759c708fb4171
SHA256
92c5c325262c0c9d024b9613f12b0ac188068646debe7a8e8792018b4c1b50e0
SHA512
ab60d14bd8f6ce497acda2cc1337bd3ac3cfbd44801dedf923c10e208a3b64bee4003986a30c67273805435ff1a086f7883f3745fb75f4a148996349db677a5a

Filesize
211B
MD5
87b4555e2e474d61e2eb6b1bd4023d4d
SHA1
abcafcf8c78a4ff0b996ebd1fe50afcef0a46ab0
SHA256
d2cd3507806cc77776c4d220aabb0e1bb75512e7392096a08181fd31c78875c4
SHA512
fdb601b061848526554c282e2a42cd8cc1d99ecae895b00fe25345a6fdbb8ff116a74e3e27f2898d72cbe5ecbc685571bf6fb8b82363a9908856732e48734599

Filesize
211B
MD5
4ec7cf110dcb1cdf6e1af982c220d0a1
SHA1
cbaad2771e64b758fce8852e74f7e6812efaf9b3
SHA256
0cd7cca7ace7e25690c69248a7436a0a55527ab71113f341db4d264659b50b17
SHA512
6aa6ddd69ae1ac99e965594bd22366c29f28455a3d6bf48f9ed18c203bf48637dee64dee62e3733f1d31bb1b0c55a017c5c31cd662d8ca82647fdccdc69ae410

Filesize
211B
MD5
8cdf5016eacea5461ff4e313f4567517
SHA1
be121600f81a0f0b327e04b62cffc80114350ead
SHA256
4f39337e212194d5b82a0610ab0ae550795c874e0b2220fac130f04c65060cb5
SHA512
7fed0435a559714d5b7094d1e40c74d8c2ffab370335a6b5f1c580056a0f817c1367e7ba3937899ea6d048c4f534d0130ff615991f33dc10ae73ea842f3a7f32

Filesize
211B
MD5
9a06c9885e9ddb80a7733cfe38fca5d5
SHA1
0864a76cc7dd084a33d22bb7765220c07298fa2e
SHA256
c63cace2d9f07998cb2211d3f99208f8939c6e6da51b94265f53fb26035dd5f9
SHA512
f3eee6187e7faa8de312e6e6d618fc2a6e5616f4697092f5f57f1c4f25674a9d7959d3c3be48836032e451f0f0c9437332f5663e8816290dc7a82ab9e1575496

Filesize
211B
MD5
644afa54283976e12d1a40664c6e644d
SHA1
9bfa3022e804a052a1e8cf51882505e069fdb758
SHA256
6ceb89e3b3a48222f335c9075be4efdb79dcc332f86cc75110df0f415b648db8
SHA512
a5576db02aaebadd579c7055134a553222ece56f1a195a000ceb306d99131d077f004f6109a3a33b1030a6e21722e5e900090aecbb62da621d79bdb9fd696383

Filesize
211B
MD5
34a049c25974c954a8fb9435b4839ec6
SHA1
be8c9c6f7f419993c06471504db81ffa87d9a008
SHA256
a27b9d934dd4f3afc464aecee724cb2ef6313fc801a0d4f74f6c2b5e4f576c66
SHA512
ddc5d2b6d7fa68f0f6d553b7fa2ad823e0a7e7715f416ba5f7d946c8f46ca2eed04443db6a45599e02fdc91861590ace69747281764db35df0b84c302e12fd1f

Filesize
211B
MD5
4cf929ece7ccf027ebd42b7e0451e452
SHA1
ef48051b72af9ac94454bf8fdbc7cd821ef16b24
SHA256
7939912ca168d0b41497ef6a59f9eb133c0b16abdbc92826ee7543dedac3f6a9
SHA512
2909d145d4fe261a5de44d2ac44e212de26b717d4dc3ecfe9bfc3a1a444e07b12d84cdb96a48f884f15072ff7abdb0e75c3f6302c40f4a843dcb7769a6b83cd2

Filesize
211B
MD5
53d16abbcbb3f1b649782ad2c667700d
SHA1
0cca5c6500d33d8dec752efc8525c93a049ce6cd
SHA256
117bb91d222fd6b99886fb598d7cf97b4611a9af5833acaed1b423d3b54fadbf
SHA512
aec1081bc1c7c544cddac31a0d1de1e95a62a8adcbda04c389019a83933070090b4825df18772c2d517b0c3fd7ed95f233c8286e27686451ab7ab62e3be3b8a6

Filesize
211B
MD5
5a213f20cebdd7b24bb972c2db0040ac
SHA1
0fec3e8de344d3ea22560677e33498cadf321d8a
SHA256
807bb7933120087a7a6b4c8ba4f76836ee659605685cf73b897b86449794ff53
SHA512
1e9240d1ec85f2d617dc6f15161514c1921648800721aca1ef3313b50c3a370d597b1970edabd37ea65330b5de0e86be535cc638a6439737d15f8a3cc4a6aa84

Filesize
3.3MB (same hashes as the submitted sample Java.exe)
MD5
f29f701e76e3a435acdd474a41fa60ba
SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9