Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 03:06
Behavioral task: behavioral1
Sample: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Resource: win7-20240903-en
General
Target: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Size: 3.1MB
MD5: c2281b1740f2acd02e9e19f83441b033
SHA1: bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512: 0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP: 49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo
Malware Config
Extracted
family: quasar
version: 1.4.0
tag: Office04
c2: connectdadad.ddns.net:4782
mutex: e862a94f-5f45-4b8c-89de-f84dadb095d0
encryption_key: 23E5F6D22FEE1750D36544A759A48349B064BC34
install_name: PerfWatson1.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svhost
subdirectory: KDOT
Signatures

Quasar family

Quasar payload (2 IoCs)
resource: behavioral2/memory/5080-1-0x00000000002D0000-0x00000000005F4000-memory.dmp  yara_rule: family_quasar
resource: behavioral2/files/0x0007000000023c71-5.dat  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
Process: PerfWatson1.exe (the same key is queried once by each of the 15 PerfWatson1.exe instances in the process tree)

Executes dropped EXE (15 IoCs)
Process: PerfWatson1.exe; PIDs: 1424, 4532, 3420, 388, 1648, 4404, 4064, 4376, 2268, 2160, 1096, 1040, 4460, 2704, 1372

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Process: PING.EXE; PIDs: 4412, 2868, 5096, 640, 3300, 640, 1844, 1564, 3464, 3392, 3536, 3560, 3564, 4696, 1612

Runs ping.exe (1 TTP, 15 IoCs)
Process: PING.EXE; PIDs: 640, 1564, 3392, 4696, 5096, 640, 3564, 1612, 3536, 3300, 2868, 1844, 3560, 3464, 4412

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe; PIDs: 2100, 3412, 2440, 4036, 3040, 1360, 1112, 1968, 3064, 2676, 2136, 3408, 3008, 4024, 3980, 3504

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
PID 5080  8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
PerfWatson1.exe PIDs: 1424, 4532, 3420, 388, 1648, 4404, 4064, 4376, 2268, 2160, 1096, 1040, 4460, 2704, 1372

Suspicious use of SetWindowsHookEx (1 IoC)
PID 4404  PerfWatson1.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the nesting depth in the process tree, the PID, the image path, the command line (cmd), and the signatures triggered by that process.

depth 1  PID 5080  C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2  PID 3408  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 2  PID 1424  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 3  PID 3008  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 3  PID 1700  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hXapDOCgbm8Y.bat" "
  - Suspicious use of WriteProcessMemory
depth 4  PID 244  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 4  PID 640  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 4  PID 4532  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 5  PID 2100  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 5  PID 4504  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z8uPENftteXc.bat" "
  - Suspicious use of WriteProcessMemory
depth 6  PID 4552  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 6  PID 1844  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 6  PID 3420  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 7  PID 3040  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 7  PID 4584  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zL5vNQCFyE29.bat" "
  - Suspicious use of WriteProcessMemory
depth 8  PID 3252  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 8  PID 1564  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 8  PID 388  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 9  PID 4024  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 9  PID 1560  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbs2NoRuztNO.bat" "
  - Suspicious use of WriteProcessMemory
depth 10  PID 2160  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 10  PID 3392  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 10  PID 1648  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 11  PID 1360  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 11  PID 916  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZruSsNFAEu2M.bat" "
  - Suspicious use of WriteProcessMemory
depth 12  PID 4452  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 12  PID 3560  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 12  PID 4404  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 13  PID 3412  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 13  PID 5056  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x1e42oGGWk8Y.bat" "
  - Suspicious use of WriteProcessMemory
depth 14  PID 4304  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 14  PID 3464  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 14  PID 4064  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 15  PID 1112  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 15  PID 4532  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTmuh0KukOhj.bat" "
depth 16  PID 3340  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 16  PID 3564  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 16  PID 4376  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 17  PID 2440  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 17  PID 1900  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIsITm3X7Qoi.bat" "
depth 18  PID 3300  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 18  PID 4696  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 18  PID 2268  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 19  PID 4036  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 19  PID 4356  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWVKi0OTN3rl.bat" "
depth 20  PID 3068  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 20  PID 5096  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 20  PID 2160  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 21  PID 3980  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 21  PID 3456  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaxZQstDCyRt.bat" "
depth 22  PID 3576  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 22  PID 4412  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 22  PID 1096  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 23  PID 1968  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 23  PID 436  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f1WhqVtXd3mi.bat" "
depth 24  PID 3460  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 24  PID 1612  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 24  PID 1040  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 25  PID 3504  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 25  PID 664  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D150gwn3jFi.bat" "
depth 26  PID 2208  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 26  PID 640  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 26  PID 4460  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 27  PID 3064  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 27  PID 4548  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7MaXXPJuOtxV.bat" "
depth 28  PID 4552  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 28  PID 3536  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 28  PID 2704  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 29  PID 2136  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 29  PID 820  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFD5HFdM99B9.bat" "
depth 30  PID 4588  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 30  PID 3300  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 30  PID 1372  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmd: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 31  PID 2676  C:\Windows\SYSTEM32\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 31  PID 4712  C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THwkzRID0D9e.bat" "
depth 32  PID 1320  C:\Windows\system32\chcp.com
  cmd: chcp 65001
depth 32  PID 2868  C:\Windows\system32\PING.EXE
  cmd: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads