Analysis
max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 03:06
Behavioral task: behavioral1
Sample: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Resource: win7-20240903-en
General
Target: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Size: 3.1MB
MD5: c2281b1740f2acd02e9e19f83441b033
SHA1: bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512: 0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP: 49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Tag: Office04
C2: connectdadad.ddns.net:4782
Mutex: e862a94f-5f45-4b8c-89de-f84dadb095d0
Attributes:
  encryption_key: 23E5F6D22FEE1750D36544A759A48349B064BC34
  install_name: PerfWatson1.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: svhost
  subdirectory: KDOT
Signatures

Quasar family

Quasar payload (11 IoCs)
All of the following resources matched yara_rule family_quasar:
  behavioral1/memory/2260-1-0x0000000001130000-0x0000000001454000-memory.dmp
  behavioral1/files/0x0033000000015db1-5.dat
  behavioral1/memory/2656-9-0x00000000008D0000-0x0000000000BF4000-memory.dmp
  behavioral1/memory/2864-32-0x0000000000DB0000-0x00000000010D4000-memory.dmp
  behavioral1/memory/1744-44-0x00000000013E0000-0x0000000001704000-memory.dmp
  behavioral1/memory/2208-55-0x0000000000250000-0x0000000000574000-memory.dmp
  behavioral1/memory/1716-66-0x00000000008B0000-0x0000000000BD4000-memory.dmp
  behavioral1/memory/1440-78-0x0000000000040000-0x0000000000364000-memory.dmp
  behavioral1/memory/1732-129-0x00000000002E0000-0x0000000000604000-memory.dmp
  behavioral1/memory/1316-141-0x0000000000A30000-0x0000000000D54000-memory.dmp
  behavioral1/memory/2540-162-0x0000000000C50000-0x0000000000F74000-memory.dmp

Executes dropped EXE (15 IoCs)
  pid   Process
  2656  PerfWatson1.exe
  1032  PerfWatson1.exe
  2864  PerfWatson1.exe
  1744  PerfWatson1.exe
  2208  PerfWatson1.exe
  1716  PerfWatson1.exe
  1440  PerfWatson1.exe
  2712  PerfWatson1.exe
  2096  PerfWatson1.exe
  2876  PerfWatson1.exe
  2332  PerfWatson1.exe
  1732  PerfWatson1.exe
  1316  PerfWatson1.exe
  2952  PerfWatson1.exe
  2540  PerfWatson1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  292   PING.EXE
  2396  PING.EXE
  2100  PING.EXE
  1712  PING.EXE
  772   PING.EXE
  576   PING.EXE
  2268  PING.EXE
  1988  PING.EXE
  1056  PING.EXE
  3040  PING.EXE
  2872  PING.EXE
  1092  PING.EXE
  3044  PING.EXE
  2592  PING.EXE
  2056  PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
  pid   Process
  1712  PING.EXE
  2872  PING.EXE
  2396  PING.EXE
  2592  PING.EXE
  292   PING.EXE
  1988  PING.EXE
  2056  PING.EXE
  772   PING.EXE
  3040  PING.EXE
  576   PING.EXE
  3044  PING.EXE
  2268  PING.EXE
  2100  PING.EXE
  1092  PING.EXE
  1056  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2692  schtasks.exe
  2456  schtasks.exe
  2752  schtasks.exe
  2840  schtasks.exe
  648   schtasks.exe
  2420  schtasks.exe
  1780  schtasks.exe
  1628  schtasks.exe
  604   schtasks.exe
  2300  schtasks.exe
  448   schtasks.exe
  2796  schtasks.exe
  2912  schtasks.exe
  2248  schtasks.exe
  1372  schtasks.exe
  1848  schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2260  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
  Token: SeDebugPrivilege   2656  PerfWatson1.exe
  Token: SeDebugPrivilege   1032  PerfWatson1.exe
  Token: SeDebugPrivilege   2864  PerfWatson1.exe
  Token: SeDebugPrivilege   1744  PerfWatson1.exe
  Token: SeDebugPrivilege   2208  PerfWatson1.exe
  Token: SeDebugPrivilege   1716  PerfWatson1.exe
  Token: SeDebugPrivilege   1440  PerfWatson1.exe
  Token: SeDebugPrivilege   2712  PerfWatson1.exe
  Token: SeDebugPrivilege   2096  PerfWatson1.exe
  Token: SeDebugPrivilege   2876  PerfWatson1.exe
  Token: SeDebugPrivilege   2332  PerfWatson1.exe
  Token: SeDebugPrivilege   1732  PerfWatson1.exe
  Token: SeDebugPrivilege   1316  PerfWatson1.exe
  Token: SeDebugPrivilege   2952  PerfWatson1.exe
  Token: SeDebugPrivilege   2540  PerfWatson1.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                    procid_target
  PID 2260 wrote to memory of 2796   2260  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe  30
  PID 2260 wrote to memory of 2796   2260  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe  30
  PID 2260 wrote to memory of 2796   2260  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe  30
  PID 2260 wrote to memory of 2656   2260  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe  32
  PID 2260 wrote to memory of 2656   2260  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe  32
  PID 2260 wrote to memory of 2656   2260  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe  32
  PID 2656 wrote to memory of 2692   2656  PerfWatson1.exe                                                            33
  PID 2656 wrote to memory of 2692   2656  PerfWatson1.exe                                                            33
  PID 2656 wrote to memory of 2692   2656  PerfWatson1.exe                                                            33
  PID 2656 wrote to memory of 2536   2656  PerfWatson1.exe                                                            35
  PID 2656 wrote to memory of 2536   2656  PerfWatson1.exe                                                            35
  PID 2656 wrote to memory of 2536   2656  PerfWatson1.exe                                                            35
  PID 2536 wrote to memory of 2652   2536  cmd.exe                                                                    37
  PID 2536 wrote to memory of 2652   2536  cmd.exe                                                                    37
  PID 2536 wrote to memory of 2652   2536  cmd.exe                                                                    37
  PID 2536 wrote to memory of 3040   2536  cmd.exe                                                                    38
  PID 2536 wrote to memory of 3040   2536  cmd.exe                                                                    38
  PID 2536 wrote to memory of 3040   2536  cmd.exe                                                                    38
  PID 2536 wrote to memory of 1032   2536  cmd.exe                                                                    39
  PID 2536 wrote to memory of 1032   2536  cmd.exe                                                                    39
  PID 2536 wrote to memory of 1032   2536  cmd.exe                                                                    39
  PID 1032 wrote to memory of 2912   1032  PerfWatson1.exe                                                            40
  PID 1032 wrote to memory of 2912   1032  PerfWatson1.exe                                                            40
  PID 1032 wrote to memory of 2912   1032  PerfWatson1.exe                                                            40
  PID 1032 wrote to memory of 2008   1032  PerfWatson1.exe                                                            42
  PID 1032 wrote to memory of 2008   1032  PerfWatson1.exe                                                            42
  PID 1032 wrote to memory of 2008   1032  PerfWatson1.exe                                                            42
  PID 2008 wrote to memory of 2888   2008  cmd.exe                                                                    44
  PID 2008 wrote to memory of 2888   2008  cmd.exe                                                                    44
  PID 2008 wrote to memory of 2888   2008  cmd.exe                                                                    44
  PID 2008 wrote to memory of 576    2008  cmd.exe                                                                    45
  PID 2008 wrote to memory of 576    2008  cmd.exe                                                                    45
  PID 2008 wrote to memory of 576    2008  cmd.exe                                                                    45
  PID 2008 wrote to memory of 2864   2008  cmd.exe                                                                    46
  PID 2008 wrote to memory of 2864   2008  cmd.exe                                                                    46
  PID 2008 wrote to memory of 2864   2008  cmd.exe                                                                    46
  PID 2864 wrote to memory of 2248   2864  PerfWatson1.exe                                                            47
  PID 2864 wrote to memory of 2248   2864  PerfWatson1.exe                                                            47
  PID 2864 wrote to memory of 2248   2864  PerfWatson1.exe                                                            47
  PID 2864 wrote to memory of 2776   2864  PerfWatson1.exe                                                            49
  PID 2864 wrote to memory of 2776   2864  PerfWatson1.exe                                                            49
  PID 2864 wrote to memory of 2776   2864  PerfWatson1.exe                                                            49
  PID 2776 wrote to memory of 1332   2776  cmd.exe                                                                    51
  PID 2776 wrote to memory of 1332   2776  cmd.exe                                                                    51
  PID 2776 wrote to memory of 1332   2776  cmd.exe                                                                    51
  PID 2776 wrote to memory of 292    2776  cmd.exe                                                                    52
  PID 2776 wrote to memory of 292    2776  cmd.exe                                                                    52
  PID 2776 wrote to memory of 292    2776  cmd.exe                                                                    52
  PID 2776 wrote to memory of 1744   2776  cmd.exe                                                                    53
  PID 2776 wrote to memory of 1744   2776  cmd.exe                                                                    53
  PID 2776 wrote to memory of 1744   2776  cmd.exe                                                                    53
  PID 1744 wrote to memory of 1780   1744  PerfWatson1.exe                                                            54
  PID 1744 wrote to memory of 1780   1744  PerfWatson1.exe                                                            54
  PID 1744 wrote to memory of 1780   1744  PerfWatson1.exe                                                            54
  PID 1744 wrote to memory of 2344   1744  PerfWatson1.exe                                                            56
  PID 1744 wrote to memory of 2344   1744  PerfWatson1.exe                                                            56
  PID 1744 wrote to memory of 2344   1744  PerfWatson1.exe                                                            56
  PID 2344 wrote to memory of 2176   2344  cmd.exe                                                                    58
  PID 2344 wrote to memory of 2176   2344  cmd.exe                                                                    58
  PID 2344 wrote to memory of 2176   2344  cmd.exe                                                                    58
  PID 2344 wrote to memory of 1092   2344  cmd.exe                                                                    59
  PID 2344 wrote to memory of 1092   2344  cmd.exe                                                                    59
  PID 2344 wrote to memory of 1092   2344  cmd.exe                                                                    59
  PID 2344 wrote to memory of 2208   2344  cmd.exe                                                                    60

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The number in brackets is the depth of the process in the tree. Each entry lists the image path, its command line, the PID and the signatures that matched it.)

[1] C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
    PID: 2260
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
    PID: 2796
    - Scheduled Task/Job: Scheduled Task

[2] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2656
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2692
    - Scheduled Task/Job: Scheduled Task

[3] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqaz25Dby8tw.bat" "
    PID: 2536
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2652

[4] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 3040
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[4] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 1032
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2912
    - Scheduled Task/Job: Scheduled Task

[5] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\O22Gll6K6l0S.bat" "
    PID: 2008
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2888

[6] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 576
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[6] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2864
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2248
    - Scheduled Task/Job: Scheduled Task

[7] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\THOuI3GxjslG.bat" "
    PID: 2776
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1332

[8] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 292
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[8] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 1744
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 1780
    - Scheduled Task/Job: Scheduled Task

[9] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaMqsbzA1iSS.bat" "
    PID: 2344
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2176

[10] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 1092
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[10] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2208
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[11] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 1628
    - Scheduled Task/Job: Scheduled Task

[11] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1088ZImIrn2c.bat" "
    PID: 1508

[12] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2256

[12] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 2396
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[12] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 1716
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[13] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 604
    - Scheduled Task/Job: Scheduled Task

[13] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaJyUAKPeoyF.bat" "
    PID: 3012

[14] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1540

[14] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 2268
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[14] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 1440
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[15] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2300
    - Scheduled Task/Job: Scheduled Task

[15] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Vol0xjKgKlT.bat" "
    PID: 1576

[16] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2792

[16] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 2100
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[16] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2712
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[17] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2840
    - Scheduled Task/Job: Scheduled Task

[17] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HH4KbPuL08zV.bat" "
    PID: 2620

[18] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2104

[18] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 3044
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[18] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2096
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[19] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 648
    - Scheduled Task/Job: Scheduled Task

[19] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gR9QKGMyopwF.bat" "
    PID: 1684

[20] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1260

[20] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 1988
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[20] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2876
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[21] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2420
    - Scheduled Task/Job: Scheduled Task

[21] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\USuF3TGpRyC2.bat" "
    PID: 1660

[22] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2520

[22] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 2592
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[22] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2332
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[23] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 448
    - Scheduled Task/Job: Scheduled Task

[23] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YjADNl5pHr0v.bat" "
    PID: 976

[24] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2344

[24] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 2056
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[24] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 1732
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[25] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 1372
    - Scheduled Task/Job: Scheduled Task

[25] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3Afb08g2x8dA.bat" "
    PID: 892

[26] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1640

[26] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 1712
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[26] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 1316
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[27] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2456
    - Scheduled Task/Job: Scheduled Task

[27] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nm30qdhTLDNE.bat" "
    PID: 2960

[28] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 1796

[28] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 772
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[28] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2952
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[29] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 1848
    - Scheduled Task/Job: Scheduled Task

[29] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zXyDDATMW0dc.bat" "
    PID: 2616

[30] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2676

[30] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 1056
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[30] C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
    cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
    PID: 2540
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[31] C:\Windows\system32\schtasks.exe
    cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    PID: 2752
    - Scheduled Task/Job: Scheduled Task

[31] C:\Windows\system32\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GPVexyhmkGqq.bat" "
    PID: 1584

[32] C:\Windows\system32\chcp.com
    cmd: chcp 65001
    PID: 2548

[32] C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    PID: 2872
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads