Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 03:19

Behavioral task selector: behavioral1
Sample: ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
Resource: win7-20240729-en
(The signatures and process tree on this page belong to behavioral2, the run on win10v2004-20241007-en; the yara IoC paths below are prefixed behavioral2/.)
General
Target: ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
Size: 3.1MB
MD5: a813f565b05ee9df7e5db8dbbcc0fa43
SHA1: f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256: ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512: adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e
SSDEEP: 98304:aydj2yMy5en93hlLLzJjVrv3zs9Yv+Wcvy:pLYvzs9Yv+Wcv
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: microsoftsys.ddns.net:4782
Mutex: 67e0653d-eedf-4888-88ab-78e97eb2df27
Attributes:
  encryption_key: 23E5F6D22FEE1750D36544A759A48349B064BC34
  install_name: PerfWatson1.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: svhost
  subdirectory: KDOT

The extracted config and the observed behaviour agree: subdirectory and install_name give the install path %APPDATA%\KDOT\PerfWatson1.exe, and startup_key gives the scheduled-task name svhost, both of which appear in the process tree. reconnect_delay is in milliseconds (3 s between reconnect attempts). The C2 is a dynamic-DNS hostname on port 4782, so hunt on the hostname and the port, not on an IP that may have changed since the run.
Signatures

Quasar family

Quasar payload 2 IoCs
resource / yara_rule
behavioral2/memory/392-1-0x0000000000EC0000-0x00000000011E4000-memory.dmp  family_quasar
behavioral2/files/0x0007000000023cb2-5.dat  family_quasar

Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation, by PerfWatson1.exe. The same query is recorded 15 times, once per PerfWatson1.exe instance.
Caveat: Quasar is a .NET client, and the .NET runtime reads this value itself when it initialises region information (RegionInfo), so on its own the query is a weak signal; it carries weight here only alongside the family match above.

Executes dropped EXE 15 IoCs
PerfWatson1.exe, PIDs (in spawn order): 2060, 5084, 3652, 2352, 3404, 3732, 2760, 2788, 4860, 1516, 4628, 4640, 5016, 2816, 4828

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE, PIDs: 8, 1248, 1428, 2052, 2064, 2264, 2384, 2464, 2804, 2876, 2896, 3480, 3672, 3696, 4844
(Here every ping is "ping -n 10 localhost", i.e. a delay loop rather than a real connectivity check; see the process tree.)

Runs ping.exe 1 TTPs 15 IoCs
The same 15 PING.EXE processes: 8, 1248, 1428, 2052, 2064, 2264, 2384, 2464, 2804, 2876, 2896, 3480, 3672, 3696, 4844

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe, PIDs: 336, 848, 1140, 1212, 2244, 2264, 2672, 3104, 3336, 3676, 3744, 4024, 4356, 4400, 4448, 4928
All 16 registrations create the same task, "svhost", with /sc ONLOGON /rl HIGHEST /f. The first (PID 2264, spawned by the original sample) points /tr at the sample's own path in %TEMP%; every later one is issued by a PerfWatson1.exe instance and points at C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe, the /f overwriting the previous definition.

Suspicious use of AdjustPrivilegeToken 16 IoCs
Token: SeDebugPrivilege, requested by PID 392 (the submitted sample) and by each PerfWatson1.exe instance: 2060, 5084, 3652, 2352, 3404, 3732, 2760, 2788, 4860, 1516, 4628, 4640, 5016, 2816, 4828

Suspicious use of SetWindowsHookEx 1 IoCs
PerfWatson1.exe, PID 2060

Suspicious use of WriteProcessMemory 64 IoCs
Each parent/child pair below is logged twice in the original (64 events for 32 pairs); the list stops at 64 entries, so later instances of the chain (PID 2760 onward) are not listed. Format: parent PID (image) -> child PID, procid_target.
392 (the submitted sample) -> 2264, 83
392 (the submitted sample) -> 2060, 85
2060 (PerfWatson1.exe) -> 4400, 86
2060 (PerfWatson1.exe) -> 3740, 88
3740 (cmd.exe) -> 1960, 90
3740 (cmd.exe) -> 1248, 91
3740 (cmd.exe) -> 5084, 101
5084 (PerfWatson1.exe) -> 2672, 102
5084 (PerfWatson1.exe) -> 1836, 104
1836 (cmd.exe) -> 1160, 107
1836 (cmd.exe) -> 2876, 108
1836 (cmd.exe) -> 3652, 114
3652 (PerfWatson1.exe) -> 4024, 115
3652 (PerfWatson1.exe) -> 4532, 118
4532 (cmd.exe) -> 2904, 120
4532 (cmd.exe) -> 2896, 121
4532 (cmd.exe) -> 2352, 125
2352 (PerfWatson1.exe) -> 3336, 126
2352 (PerfWatson1.exe) -> 3428, 128
3428 (cmd.exe) -> 3076, 131
3428 (cmd.exe) -> 2052, 132
3428 (cmd.exe) -> 3404, 134
3404 (PerfWatson1.exe) -> 1212, 135
3404 (PerfWatson1.exe) -> 3180, 138
3180 (cmd.exe) -> 1928, 140
3180 (cmd.exe) -> 4844, 141
3180 (cmd.exe) -> 3732, 143
3732 (PerfWatson1.exe) -> 336, 144
3732 (PerfWatson1.exe) -> 2444, 147
2444 (cmd.exe) -> 2280, 149
2444 (cmd.exe) -> 1428, 150
2444 (cmd.exe) -> 2760, 153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows parent/child; [n] is the depth reported by the sandbox. PIDs are reused within the run (2264 is both the first schtasks.exe and a later PING.EXE; 3676 is both a chcp.com and a later schtasks.exe), so correlate on PID plus start time, never on PID alone.

[1] PID 392  C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
    "C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 2264  C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
  [2] PID 2060  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] PID 4400  C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
    [3] PID 3740  C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U7Rbw0LSIL4S.bat" "
        - Suspicious use of WriteProcessMemory
      [4] PID 1960  C:\Windows\system32\chcp.com
          chcp 65001
      [4] PID 1248  C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      [4] PID 5084  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] the same three children as PID 2060 (schtasks.exe, cmd.exe with a new .bat, and under it chcp.com, PING.EXE and the next PerfWatson1.exe), repeated to depth 32

From PID 2060 onward every PerfWatson1.exe instance does the same three things: it re-registers the task ("schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f), then runs a freshly named batch file from %TEMP% (C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\<name>.bat" "), and that batch runs chcp 65001, ping -n 10 localhost (about a nine-second sleep, since replies from localhost are immediate) and a fresh PerfWatson1.exe, which starts the next iteration two levels deeper. The run ended after the fifteenth iteration (depths 31/32), before a sixteenth PerfWatson1.exe appeared. Only the first task registration (PID 2264, from the original sample) points at the sample's own path in %TEMP%; /f lets each later registration overwrite it with the copy in %APPDATA%\KDOT.

Signature annotations are uniform across the iterations: every PerfWatson1.exe carries Checks computer location settings, Executes dropped EXE and Suspicious use of AdjustPrivilegeToken (PID 2060 additionally Suspicious use of SetWindowsHookEx); PerfWatson1.exe instances up to PID 3732 and cmd.exe instances up to PID 2444 also carry Suspicious use of WriteProcessMemory, which is where the 64-entry WriteProcessMemory list in Signatures ends. Every schtasks.exe carries Scheduled Task/Job: Scheduled Task; every PING.EXE carries System Network Configuration Discovery: Internet Connection Discovery and Runs ping.exe; chcp.com carries none. PIDs per iteration:

depth  PerfWatson1.exe  schtasks.exe  cmd.exe  batch file (in %TEMP%)  chcp.com  PING.EXE
2      2060             4400          3740     U7Rbw0LSIL4S.bat        1960      1248
4      5084             2672          1836     nrcYx68HcXES.bat        1160      2876
6      3652             4024          4532     04VQGaYppXx0.bat        2904      2896
8      2352             3336          3428     CNrUivEnknAN.bat        3076      2052
10     3404             1212          3180     cvRQzsMhyXaU.bat        1928      4844
12     3732             336           2444     8JTE4i1Vz1Sp.bat        2280      1428
14     2760             2244          548      TyRMy8woi9VL.bat        4128      2064
16     2788             4356          3380     BjqGABfFGKiC.bat        3676      2464
18     4860             3104          112      SMKif49ASBHB.bat        4688      2384
20     1516             848           1360     KnMNkPGrO3JY.bat        3912      3480
22     4628             3744          1900     vp89OTUj08P6.bat        2356      2264
24     4640             4928          2036     ZnOx0P7soLyf.bat        4812      3672
26     5016             3676          264      r65tuA7I4yeU.bat        3680      2804
28     2816             4448          1616     VwGnFHEYUlSZ.bat        2072      8
30     4828             1140          2300     WqdWqV6G7Mdy.bat        2784      3696
(The schtasks.exe, cmd.exe, chcp.com and PING.EXE in each row sit at depth+1 and depth+2 respectively.)
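The two behaviours that the Signatures section and the process tree above record, the ONLOGON/HIGHEST schtasks persistence and the cmd.exe -> chcp -> ping -> relaunch chain, are easy to miss if you alert on schtasks.exe or ping.exe alone. The following is an added detection example written for this page; it is not part of the sandbox report or of the Quasar project. The event tuples are constructed from the tree above (PIDs 392, 2264, 2060, 4400, 3740, 1960, 1248, 5084); the "NightlyBackup" control task, the image paths for cmd.exe, chcp.com and PING.EXE, and the USER_WRITABLE directory list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (pid, ppid, image, command line) modelled on the
# process tree in this report; the last entry is a benign control task.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe")
IMPLANT = r"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"
EVENTS = [
    (392, 1, SAMPLE, f'"{SAMPLE}"'),
    (2264, 392, SCHTASKS,
     f'"schtasks" /create /tn "svhost" /sc ONLOGON /tr "{SAMPLE}" /rl HIGHEST /f'),
    (2060, 392, IMPLANT, f'"{IMPLANT}"'),
    (4400, 2060, SCHTASKS,
     f'"schtasks" /create /tn "svhost" /sc ONLOGON /tr "{IMPLANT}" /rl HIGHEST /f'),
    (3740, 2060, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U7Rbw0LSIL4S.bat" "'),
    (1960, 3740, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (1248, 3740, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (5084, 3740, IMPLANT, f'"{IMPLANT}"'),
    (7000, 1, SCHTASKS,  # assumed benign control: daily trigger, Program Files target
     r'"schtasks" /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
]

# Directories an unprivileged user can write to (assumed list); a task that runs
# a binary from one of these at logon with /rl HIGHEST is the shape seen above.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_BAT = re.compile(r'([a-z]:\\[^"]+?\.bat)', re.I)
_PING = re.compile(r"-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)", re.I)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def schtasks_args(cmdline):
    """Map each /switch to the token that follows it ('' for bare flags)."""
    toks, args, i = tokenize(cmdline), {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 1
            else:
                args[key] = ""
        i += 1
    return args


def detect_schtasks_persistence(events):
    """Flag schtasks /create with a logon/boot trigger, highest run level and a
    target inside a user-writable directory (registered 16 times in this run)."""
    hits = []
    for pid, ppid, image, cmdline in events:
        if basename(image) != "schtasks.exe":
            continue
        a = schtasks_args(cmdline)
        trigger = a.get("/sc", "").upper()
        if ("/create" in a and trigger in ("ONLOGON", "ONSTART")
                and a.get("/rl", "").upper() == "HIGHEST"
                and in_user_writable(a.get("/tr", ""))):
            hits.append({"pid": pid, "parent": ppid, "task": a.get("/tn", ""),
                         "trigger": trigger, "target": a["/tr"], "forced": "/f" in a})
    return hits


def detect_restart_chain(events):
    """Flag cmd.exe running a .bat from a user-writable path whose children are
    a ping-to-localhost delay and a relaunch of the image that spawned cmd.exe."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[1]].append(e)
    hits = []
    for pid, ppid, image, cmdline in events:
        bat = _BAT.search(cmdline)
        if basename(image) != "cmd.exe" or not bat or not in_user_writable(bat.group(1)):
            continue
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        delay = relaunch = None
        for cpid, _, cimage, ccmd in children[pid]:
            if basename(cimage) == "ping.exe" and _PING.search(ccmd):
                delay = int(_PING.search(ccmd).group(1))
            elif cimage.lower() == parent[2].lower():  # child re-runs the grandparent image
                relaunch = cpid
        if delay is not None and relaunch is not None:
            hits.append({"cmd_pid": pid, "batch": bat.group(1), "delay_pings": delay,
                         "relaunched_image": parent[2], "relaunched_pid": relaunch})
    return hits


if __name__ == "__main__":
    for hit in detect_schtasks_persistence(EVENTS) + detect_restart_chain(EVENTS):
        print(hit)
```

On the constructed events the first detector returns PIDs 2264 and 4400 (task "svhost", both with /f) and ignores the control task, and the second returns the single chain rooted at cmd.exe PID 3740 that relaunches PerfWatson1.exe as PID 5084 after a 10-ping delay. The restart detector deliberately keys on the relaunched image matching the cmd.exe's parent rather than on the batch name, because the batch names here are random per iteration; the schtasks detector keys on trigger, run level and target location rather than on the task name, since "svhost" is a per-build startup_key.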
Network
MITRE ATT&CK Enterprise v15
Downloads
Seventeen files: one 2KB file, fifteen 210B files and one 3.1MB file. The 3.1MB file's hashes match the submitted sample exactly, so C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe is a byte-identical copy of it and the sample hashes can be used to find the installed copy. The fifteen 210B files have identical size but distinct hashes, consistent with the fifteen differently named .bat files run from %TEMP% in the process tree.

1. Filesize 2KB
   MD5 8f0271a63446aef01cf2bfc7b7c7976b
   SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
   SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
   SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

2. Filesize 210B
   MD5 15ba766691c5ea84e5750af2560f273e
   SHA1 5f5f2176302c5c68ec9b2b26698227e742070ed9
   SHA256 7ab9fef89609adbf0e4e2bfcac2fecdc3afd5f1c2b4a14117ed1d445358391bb
   SHA512 74aed15ef12f95298ea1a657516e356b89ac55fada411bca88332d56093af0136b35086f1155946de6a728d6f8164fd10d4960d331b072ebfa53f20655328bdb

3. Filesize 210B
   MD5 bba9dc0b0fb6750fb9ff22eda26d789a
   SHA1 94845f61abd77ecdac85df424f00833c9891c388
   SHA256 f836db63ff8e9268f35259e6da4587f0125202015308c74804232213d8321ee0
   SHA512 6bc6f1c4bdf09758f14ed34b4ca451c8cd3d88f20b1283cd1d3ff796610a187cb7085970dd1082105c82d3791cbf0b0f1a2c5921804afa8cd43343fa1ac696a4

4. Filesize 210B
   MD5 d75afe60666d8b013414199911876556
   SHA1 668c5fb132722081d1a11cd3863f7253205f63ed
   SHA256 cec188525c51ced6bc9166b5530c9c1d46a875e9dce7627945326922ec82b8f8
   SHA512 5f1e1c0b3638e43fa7995e4d4f3038120b1c7e18d16f4fb1a311d8b06d5896d119c726ebf73b89992c7034e276d3948d2413d1f2053a11799336d3a9fd737776

5. Filesize 210B
   MD5 92fe17e0a9b06187358498e47b98ef5c
   SHA1 05e2f2228f2a3a2c6611b42baee02b94567a95a9
   SHA256 5ba69998c2720e9334a3d3da484338becac6cc819a275130af865519b24e85c5
   SHA512 76b33fdf7a301d5e41b9730d5e0a9e200d7b06bca469302a4e5fe328ff23e9463af06e5b2a54d3f314ea85f4b874cbbc4689735dfde4c46fd300187019071ddb

6. Filesize 210B
   MD5 18b1fa0be014e147d677807431cd7305
   SHA1 78d7ab5901348c56694cc0666e1a23f1d4d4e403
   SHA256 32abd6cb743a90ac4463e58a39f89f05081ebe323b8ca7ab088613f680fa376f
   SHA512 d12cf990a0b7388d31aafbdb7a6a4954c9ddffdfa0eadab4cd4621b529f9034ff88269e2f3a87af941be0cf2eb7be80b4979a69af41bdcb1d1c8176e28d8edc2

7. Filesize 210B
   MD5 7a8e0434c4c3ba6c5294af4c0e55bdbd
   SHA1 472ff0562083af7aa0f329c7ee08e388b232e123
   SHA256 525e8b85ccb5fe06dec2e310d5de24735cbe08d66172b3f99f333e3fbe4533ff
   SHA512 606e4c5ad3bea303f9ae097557c3cd6167d0b15ace76330273b1a38e366d670c2c27e1abb92e7f613b8fd1920f6c13518d8471eef6bf0db14857ac835400c9ac

8. Filesize 210B
   MD5 8ef97432b35f826cae9b590e02102243
   SHA1 37e5d06af575469549b5e561c9e12a38ca0335ab
   SHA256 b7ac4161e67fb94e9e73524ec7e7e4e954f87be14659b0d337b3466e495e8848
   SHA512 492f174b304e47115ae4b1721eb00be37984dfa8e5faa714c1505d9df4268bc4b4bec1dfa7a76242ae1c7713c4bee6d82d4d1f85213c989b44bf3a08889b0553

9. Filesize 210B
   MD5 a3e9d5728ee4392973da057f1e8dac8a
   SHA1 ebbc3a37620d1e7e03ce19a780f892b86fda872e
   SHA256 6c6e63e1e651b0463216430682b50d8122a63ed7b159c20f4abdb4fc520ce885
   SHA512 535aac4d1896f2b5dcabda02e06354d5a457b9eb042c2cce183df3173ab84506d050b0f01dec8ec850da3f1a0fd26db32ff90b0b319bb6f9e059a30d33fbd329

10. Filesize 210B
    MD5 19c9d1cfbb584b19de928c5a3ce6d113
    SHA1 037d29c74c011e386ea6aa674dd2bc872cbcd09c
    SHA256 90c425a92dd055b737167d4710cd5259b6c2b05a234505a7c8532e944fdc7bb8
    SHA512 29a7b32d8e4114a87548d36a5596255df01be8776742bd2ad8dd154d6a3c27e7d1dc3bb48252d78983ccf47c5a98d01db0e9c85e1021aaccd12a3c9e4c92ee2a

11. Filesize 210B
    MD5 f7c67e36504edae6334dfc9910ccade9
    SHA1 0ce0a76b2bf30f4b509b5c5f71a855da7830ec81
    SHA256 e9b56760c8cf56cb4bc10e1efabddf9e6480a7a3db30bccebb748fb230b55100
    SHA512 cedf2071d73c6330b09534250826b1d06e74df2f48525470ec9bfd52de7b416820c195f94ba24fd712a535dec0ce00780f34031ae0bbb7b115d10c69053adf7c

12. Filesize 210B
    MD5 fc594db0f13b538ab5f72202dfe39726
    SHA1 3ab3106a16aa6d8ed76131cc4ed1606f7564ab88
    SHA256 a57bac690f10d210dda085d78d05dbd43212b30ce35f2dacb31118bfa2d37ac5
    SHA512 8c9714c6eba89aeb04e40951a7762bd5ba6b4cbd7c728fb29fd7b220eb4b7b90d4e68d65accc157f12205a61ce28716ceffee9a85fcbe397fb1c93a00fe0d338

13. Filesize 210B
    MD5 b3ae839cd84809bfe8a16205701b84af
    SHA1 8a90d022cb063578773f1a9187830d93c23bb072
    SHA256 c5038051792fbc28e78049a669b448a0e076c49854b2479e579529db9b4b57d6
    SHA512 3a0c3a16588e75ad745272b0737ce543e0798f7f599ad06857e8c7978ce17d165f51dfbd613df7f05f528d4e6354004dc2d63f7460f6e476f52327a6d5cf684b

14. Filesize 210B
    MD5 1e2638f202eb9e7a4648185ffe8c8a5a
    SHA1 fc5bd62124753732bbeb9a30c7ed5e29f8c5d284
    SHA256 d9bd60d258700a9461a2b7d89936fe7cbf42ef5e236ed32a92485438113d83de
    SHA512 5d3a02c91fdd6b69a4f852f070a8eafa67f612a7c3029a139493ab551136768ad226345703bc53e1267ed23c4f8ab4d285c9964856c67c98ec6ab8355f69b9f0

15. Filesize 210B
    MD5 1f65693c0a7617a9d4dc778f5beb4708
    SHA1 5cb31975d5e9d405c2c2aa1dfbc99ac3526c7f3e
    SHA256 bea06df0f1a92177232a334ff517be97da4995639950073dfa1e1e452c51f9d4
    SHA512 9d23bb18806d87ed4bde52b1df53c9328c3cec7c08096becfd8254e5af2f411a54cddfa87435c356dc05c3d2c6e1e0fc5f3cde4d5b61e3ac4de390417b4753db

16. Filesize 210B
    MD5 da4d434ecb21ed78e78bfb92605bd114
    SHA1 2e2564bac4cf30b9342588c76c779c2dba88e1b6
    SHA256 143c78787123e9fa2bf4fd213980ebcaed92d054ba4326bdc463ab23c49ba1af
    SHA512 d594e6cabc5a8e1fe1311a3c186250ef2d6b1efd62a7c1fcea2083cdb532167c156eae1d5cdd7093ff4b70941fc3c3cdda9a12f79d2038b495affc328d85c4c0

17. Filesize 3.1MB (identical to the submitted sample)
    MD5 a813f565b05ee9df7e5db8dbbcc0fa43
    SHA1 f508e738705163233b29ba54f4cb5ec4583d8df1
    SHA256 ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
    SHA512 adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e