Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 06:37
Behavioral task: behavioral1
Sample: 14495_Client-built.exe
Resource: win7-20240903-en
General
Target: 14495_Client-built.exe
Size: 3.1MB
MD5: c2281b1740f2acd02e9e19f83441b033
SHA1: bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512: 0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP: 49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Office04
C2: connectdadad.ddns.net:4782
e862a94f-5f45-4b8c-89de-f84dadb095d0
encryption_key: 23E5F6D22FEE1750D36544A759A48349B064BC34
install_name: PerfWatson1.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svhost
subdirectory: KDOT
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource / yara_rule:
  behavioral2/memory/4528-1-0x00000000002C0000-0x00000000005E4000-memory.dmp: family_quasar
  behavioral2/files/0x0032000000023b75-5.dat: family_quasar
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation by PerfWatson1.exe (15 identical entries)
- Executes dropped EXE (15 IoCs)
  PerfWatson1.exe, PIDs 4840, 1708, 4708, 4540, 3964, 2380, 2780, 4432, 2436, 4220, 2944, 4400, 4124, 3756, 4028
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE, PIDs 4664, 544, 744, 1164, 2872, 3128, 4164, 1968, 2460, 4064, 4512, 4860, 4912, 1992, 4740
- Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE, PIDs 1164, 2872, 4912, 1992, 1968, 2460, 4512, 4664, 544, 3128, 4860, 4740, 4064, 4164, 744
- Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe, PIDs 4168, 404, 4432, 4952, 3040, 3032, 2780, 2436, 4624, 1868, 3176, 3200, 3628, 3324, 5100, 428
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege in 14495_Client-built.exe (PID 4528) and in PerfWatson1.exe (PIDs 4840, 1708, 4708, 4540, 3964, 2380, 2780, 4432, 2436, 4220, 2944, 4400, 4124, 3756, 4028)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PerfWatson1.exe, PID 4432
- Suspicious use of WriteProcessMemory (64 IoCs; 32 unique entries, each listed twice in the report)
  PID 4528 (14495_Client-built.exe) wrote to memory of PID 4432, procid_target 83
  PID 4528 (14495_Client-built.exe) wrote to memory of PID 4840, procid_target 85
  PID 4840 (PerfWatson1.exe) wrote to memory of PID 2436, procid_target 86
  PID 4840 (PerfWatson1.exe) wrote to memory of PID 2052, procid_target 88
  PID 2052 (cmd.exe) wrote to memory of PID 4748, procid_target 90
  PID 2052 (cmd.exe) wrote to memory of PID 1164, procid_target 91
  PID 2052 (cmd.exe) wrote to memory of PID 1708, procid_target 92
  PID 1708 (PerfWatson1.exe) wrote to memory of PID 4952, procid_target 93
  PID 1708 (PerfWatson1.exe) wrote to memory of PID 920, procid_target 95
  PID 920 (cmd.exe) wrote to memory of PID 2596, procid_target 98
  PID 920 (cmd.exe) wrote to memory of PID 2460, procid_target 99
  PID 920 (cmd.exe) wrote to memory of PID 4708, procid_target 113
  PID 4708 (PerfWatson1.exe) wrote to memory of PID 3040, procid_target 114
  PID 4708 (PerfWatson1.exe) wrote to memory of PID 4328, procid_target 117
  PID 4328 (cmd.exe) wrote to memory of PID 3808, procid_target 119
  PID 4328 (cmd.exe) wrote to memory of PID 4064, procid_target 120
  PID 4328 (cmd.exe) wrote to memory of PID 4540, procid_target 123
  PID 4540 (PerfWatson1.exe) wrote to memory of PID 4624, procid_target 124
  PID 4540 (PerfWatson1.exe) wrote to memory of PID 3012, procid_target 126
  PID 3012 (cmd.exe) wrote to memory of PID 3284, procid_target 129
  PID 3012 (cmd.exe) wrote to memory of PID 4512, procid_target 130
  PID 3012 (cmd.exe) wrote to memory of PID 3964, procid_target 132
  PID 3964 (PerfWatson1.exe) wrote to memory of PID 3032, procid_target 133
  PID 3964 (PerfWatson1.exe) wrote to memory of PID 1952, procid_target 136
  PID 1952 (cmd.exe) wrote to memory of PID 712, procid_target 138
  PID 1952 (cmd.exe) wrote to memory of PID 4860, procid_target 139
  PID 1952 (cmd.exe) wrote to memory of PID 2380, procid_target 140
  PID 2380 (PerfWatson1.exe) wrote to memory of PID 4168, procid_target 141
  PID 2380 (PerfWatson1.exe) wrote to memory of PID 3548, procid_target 144
  PID 3548 (cmd.exe) wrote to memory of PID 3144, procid_target 146
  PID 3548 (cmd.exe) wrote to memory of PID 2872, procid_target 147
  PID 3548 (cmd.exe) wrote to memory of PID 2780, procid_target 149
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Tree depth is given in brackets; each entry lists the image path, PID, command line, and the signatures it triggered.
[1] C:\Users\Admin\AppData\Local\Temp\14495_Client-built.exe (PID 4528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\14495_Client-built.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SYSTEM32\schtasks.exe (PID 4432)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\14495_Client-built.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4840)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SYSTEM32\schtasks.exe (PID 2436)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 2052)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMvo6BHCslVL.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 4748)
    Command line: chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 1164)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 1708)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SYSTEM32\schtasks.exe (PID 4952)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 920)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sji2Z18gAb6S.bat" "
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 2596)
    Command line: chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 2460)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4708)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SYSTEM32\schtasks.exe (PID 3040)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 4328)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CHy4J0BpgYtX.bat" "
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 3808)
    Command line: chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 4064)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4540)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SYSTEM32\schtasks.exe (PID 4624)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 3012)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jVkDcy694Xpr.bat" "
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 3284)
    Command line: chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 4512)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 3964)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SYSTEM32\schtasks.exe (PID 3032)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 1952)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4HdPInRjA4q8.bat" "
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\system32\chcp.com (PID 712)
    Command line: chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 4860)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 2380)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SYSTEM32\schtasks.exe (PID 4168)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 3548)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YRnG075vYbce.bat" "
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\system32\chcp.com (PID 3144)
    Command line: chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 2872)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 2780)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] C:\Windows\SYSTEM32\schtasks.exe (PID 3628)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 2700)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zhMFpbweeddI.bat" "
[16] C:\Windows\system32\chcp.com (PID 4316)
    Command line: chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 4912)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4432)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[17] C:\Windows\SYSTEM32\schtasks.exe (PID 3324)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 1948)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N4IbymHXy2Jy.bat" "
[18] C:\Windows\system32\chcp.com (PID 4328)
    Command line: chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 1992)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 2436)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] C:\Windows\SYSTEM32\schtasks.exe (PID 1868)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 4772)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YjJ5AUt21gTN.bat" "
[20] C:\Windows\system32\chcp.com (PID 2300)
    Command line: chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 4164)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4220)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] C:\Windows\SYSTEM32\schtasks.exe (PID 5100)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 3992)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wT5VYiISZPC1.bat" "
[22] C:\Windows\system32\chcp.com (PID 3676)
    Command line: chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 4664)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 2944)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] C:\Windows\SYSTEM32\schtasks.exe (PID 428)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 1340)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doaYVZQOFp4N.bat" "
[24] C:\Windows\system32\chcp.com (PID 1716)
    Command line: chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 1968)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4400)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] C:\Windows\SYSTEM32\schtasks.exe (PID 2780)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 5064)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6MWKIVJAmgH2.bat" "
[26] C:\Windows\system32\chcp.com (PID 3912)
    Command line: chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 544)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4124)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] C:\Windows\SYSTEM32\schtasks.exe (PID 3176)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 2956)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\57oQtdTf8lbC.bat" "
[28] C:\Windows\system32\chcp.com (PID 4496)
    Command line: chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 744)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 3756)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] C:\Windows\SYSTEM32\schtasks.exe (PID 3200)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 3576)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nr1RkZM4J0SI.bat" "
[30] C:\Windows\system32\chcp.com (PID 4816)
    Command line: chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 3128)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe (PID 4028)
    Command line: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] C:\Windows\SYSTEM32\schtasks.exe (PID 404)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 4176)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7AcMItwR6lbr.bat" "
[32] C:\Windows\system32\chcp.com (PID 1660)
    Command line: chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 4740)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads