Analysis

max time kernel: 1049s
max time network: 425s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2024 07:47
Behavioral task: behavioral1
Sample: setup casino.exe
Resource: win10v2004-20240709-en
General

Target: setup casino.exe
Size: 2.1MB
MD5: 84ab6181a31b1e3fa12b4f02232d7d76
SHA1: b1e00a7042b549dd6a2d33f6fceec203319032f6
SHA256: 46f147b5b85dc612ec84ee8374442a90c6ab1c4ad9633a79e2c0c06693f6acc5
SHA512: 0a78f96bc38a7bc8c2f5a654d53917e0ad5ffa97e87a6c8186083ba964bcc906f760a89fe1f87e18401ec97a1a6ef13d1d28960c201c99c37b96f906c31d48b2
SSDEEP: 24576:U2G/nvxW3Ww0t3/zc4VamhOsJ5RnPQfV8N8cqKuAsqh9k9sUn5yYr8XLFNBxN8yq:UbA303/zc4jhoiSnqkxYYr8XLV8yr9TA
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (columns: description, pid, pid_target, process, target process):
Every row reads "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  <pid>  4088  schtasks.exe"; the 54 pids, in order:
1604, 1260, 2480, 3088, 1508, 4168, 2580, 5088, 3496, 1716, 2660, 4672,
4992, 432, 4656, 1568, 4916, 3352, 776, 4376, 1360, 2064, 1884, 4668,
5092, 408, 1220, 4840, 2456, 868, 4364, 4384, 3060, 4324, 1644, 4956,
4848, 3900, 3408, 2436, 2604, 2092, 244, 3752, 4924, 512, 1572, 1808,
3636, 4544, 3572, 5076, 2984, 3444
Processes (yara matches):
resource  yara_rule
C:\surrogatemonitor\HyperBlocksession.exe  dcrat
behavioral1/memory/3376-17-0x0000000000960000-0x0000000000B38000-memory.dmp  dcrat
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (columns: description, ioc, process):
description: Key value queried (all 64 rows)
ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (all 64 rows)
process, in row order:
lsass.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, sppsvc.exe, RuntimeBroker.exe, RuntimeBroker.exe, WmiPrvSE.exe,
RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, WmiPrvSE.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, lsass.exe,
lsass.exe, backgroundTaskHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, RuntimeBroker.exe, setup casino.exe, backgroundTaskHost.exe, WmiPrvSE.exe,
lsass.exe, lsass.exe, lsass.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, lsass.exe,
WmiPrvSE.exe, RuntimeBroker.exe, RuntimeBroker.exe, lsass.exe, lsass.exe, backgroundTaskHost.exe, sppsvc.exe, RuntimeBroker.exe,
RuntimeBroker.exe, RuntimeBroker.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, lsass.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe,
WmiPrvSE.exe, WmiPrvSE.exe, backgroundTaskHost.exe, lsass.exe, lsass.exe, backgroundTaskHost.exe, lsass.exe, lsass.exe,
lsass.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, sppsvc.exe, RuntimeBroker.exe, WmiPrvSE.exe, WmiPrvSE.exe
Executes dropped EXE (64 IoCs)
Processes:
pid  process
3376  HyperBlocksession.exe
2624  lsass.exe
924  lsass.exe
1096  lsass.exe
3908  lsass.exe
2272  lsass.exe
4528  lsass.exe
672  lsass.exe
2608  lsass.exe
3220  lsass.exe
5084  lsass.exe
5100  lsass.exe
2764  lsass.exe
2696  lsass.exe
4360  lsass.exe
776  lsass.exe
1700  lsass.exe
2484  lsass.exe
2248  lsass.exe
4640  lsass.exe
392  lsass.exe
640  lsass.exe
3636  lsass.exe
2100  lsass.exe
1260  lsass.exe
1344  lsass.exe
2108  lsass.exe
2104  lsass.exe
3420  lsass.exe
2268  lsass.exe
1572  lsass.exe
4108  lsass.exe
2540  lsass.exe
432  lsass.exe
3316  lsass.exe
2948  lsass.exe
2296  lsass.exe
1208  lsass.exe
3904  lsass.exe
3840  lsass.exe
2224  lsass.exe
1572  lsass.exe
3204  lsass.exe
2540  lsass.exe
1388  lsass.exe
1088  RuntimeBroker.exe
3108  lsass.exe
3604  RuntimeBroker.exe
4680  lsass.exe
380  RuntimeBroker.exe
4652  lsass.exe
3840  RuntimeBroker.exe
4236  lsass.exe
5068  RuntimeBroker.exe
3244  lsass.exe
2308  RuntimeBroker.exe
3640  lsass.exe
4720  RuntimeBroker.exe
672  lsass.exe
2152  RuntimeBroker.exe
2696  lsass.exe
4468  backgroundTaskHost.exe
764  backgroundTaskHost.exe
2104  backgroundTaskHost.exe
Drops file in Program Files directory (14 IoCs)
Processes:
description  ioc  process
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe  HyperBlocksession.exe
File created  C:\Program Files\7-Zip\Lang\817c8c8ec737a7  HyperBlocksession.exe
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\c82b8037eab33d  HyperBlocksession.exe
File created  C:\Program Files (x86)\Google\Temp\55b276f4edf653  HyperBlocksession.exe
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe  HyperBlocksession.exe
File created  C:\Program Files\7-Zip\Lang\wscript.exe  HyperBlocksession.exe
File created  C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9  HyperBlocksession.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  HyperBlocksession.exe
File created  C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe  HyperBlocksession.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\24dbde2999530e  HyperBlocksession.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\wininit.exe  HyperBlocksession.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\56085415360792  HyperBlocksession.exe
File created  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  HyperBlocksession.exe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653  HyperBlocksession.exe
Drops file in Windows directory (4 IoCs)
Processes:
description  ioc  process
File created  C:\Windows\Speech\Engines\TTS\System.exe  HyperBlocksession.exe
File created  C:\Windows\Speech\Engines\TTS\27d1bcfc3c54e0  HyperBlocksession.exe
File created  C:\Windows\it-IT\lsass.exe  HyperBlocksession.exe
File created  C:\Windows\it-IT\6203df4a6bafc7  HyperBlocksession.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)
Processes (columns: description, ioc, process):
description: Key created (all 64 rows)
ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings (all 64 rows)
process, in row order:
RuntimeBroker.exe, lsass.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, RuntimeBroker.exe,
RuntimeBroker.exe, WmiPrvSE.exe, lsass.exe, backgroundTaskHost.exe, WmiPrvSE.exe, sppsvc.exe, RuntimeBroker.exe, lsass.exe,
lsass.exe, RuntimeBroker.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, lsass.exe, sppsvc.exe, WmiPrvSE.exe, RuntimeBroker.exe,
lsass.exe, lsass.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, lsass.exe, lsass.exe, lsass.exe, backgroundTaskHost.exe,
backgroundTaskHost.exe, WmiPrvSE.exe, WmiPrvSE.exe, lsass.exe, sppsvc.exe, RuntimeBroker.exe, WmiPrvSE.exe, lsass.exe,
WmiPrvSE.exe, RuntimeBroker.exe, lsass.exe, WmiPrvSE.exe, backgroundTaskHost.exe, WmiPrvSE.exe, backgroundTaskHost.exe, RuntimeBroker.exe,
RuntimeBroker.exe, backgroundTaskHost.exe, sppsvc.exe, sppsvc.exe, lsass.exe, backgroundTaskHost.exe, backgroundTaskHost.exe, RuntimeBroker.exe,
WmiPrvSE.exe, WmiPrvSE.exe, lsass.exe, lsass.exe, RuntimeBroker.exe, RuntimeBroker.exe, WmiPrvSE.exe, backgroundTaskHost.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (columns: pid, process):
process: schtasks.exe (all 54 rows)
pid, in row order:
4668, 2064, 868, 1716, 5092, 4384, 1604, 4672, 4992, 2436, 2092, 4544,
1360, 4324, 512, 1808, 5076, 1260, 4916, 1644, 4924, 2480, 5088, 4364,
3900, 244, 3496, 1568, 3752, 3636, 3444, 1508, 3352, 776, 3572, 4168,
2580, 1884, 1220, 2456, 3408, 2660, 432, 4840, 3060, 2604, 4848, 4656,
4376, 4956, 2984, 3088, 408, 1572
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid  process
3376  HyperBlocksession.exe
3376  HyperBlocksession.exe
3376  HyperBlocksession.exe
2624  lsass.exe
924  lsass.exe
1096  lsass.exe
3908  lsass.exe
2272  lsass.exe
4528  lsass.exe
672  lsass.exe
2608  lsass.exe
3220  lsass.exe
5084  lsass.exe
5100  lsass.exe
2764  lsass.exe
2696  lsass.exe
4360  lsass.exe
776  lsass.exe
1700  lsass.exe
2484  lsass.exe
2248  lsass.exe
4640  lsass.exe
392  lsass.exe
640  lsass.exe
3636  lsass.exe
2100  lsass.exe
1260  lsass.exe
1344  lsass.exe
2108  lsass.exe
2104  lsass.exe
3420  lsass.exe
2268  lsass.exe
1572  lsass.exe
4108  lsass.exe
2540  lsass.exe
432  lsass.exe
3316  lsass.exe
2948  lsass.exe
2296  lsass.exe
1208  lsass.exe
3904  lsass.exe
3840  lsass.exe
2224  lsass.exe
1572  lsass.exe
3204  lsass.exe
2540  lsass.exe
1388  lsass.exe
1088  RuntimeBroker.exe
3108  lsass.exe
3604  RuntimeBroker.exe
4680  lsass.exe
380  RuntimeBroker.exe
4652  lsass.exe
3840  RuntimeBroker.exe
4236  lsass.exe
5068  RuntimeBroker.exe
3244  lsass.exe
2308  RuntimeBroker.exe
3640  lsass.exe
4720  RuntimeBroker.exe
672  lsass.exe
4468  backgroundTaskHost.exe
764  backgroundTaskHost.exe
2104  backgroundTaskHost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup casino.exe"C:\Users\Admin\AppData\Local\Temp\setup casino.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\surrogatemonitor\gAYqfto.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\surrogatemonitor\Db3DeF2UEd.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\surrogatemonitor\HyperBlocksession.exe"C:\surrogatemonitor\HyperBlocksession.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:4536
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4944
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:4488
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:4500
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"14⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2376
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"16⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:4332
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"18⤵
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:3364
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"20⤵
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2456
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"22⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:3548
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"24⤵PID:2740
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2432
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"26⤵PID:1848
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:1260
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"28⤵PID:5088
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:1352
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"30⤵PID:660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:3168
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"32⤵PID:2608
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:3304
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"33⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"34⤵PID:3956
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:4428
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"36⤵PID:3848
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵PID:3244
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"38⤵PID:2748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵PID:1264
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"40⤵PID:864
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:241⤵PID:660
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"42⤵PID:4596
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:243⤵PID:4396
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"44⤵PID:1248
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:245⤵PID:3956
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"46⤵PID:3396
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:247⤵PID:656
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"48⤵PID:2144
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:249⤵PID:4876
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"49⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"50⤵PID:2744
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:251⤵PID:1508
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"51⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"52⤵PID:4228
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:253⤵PID:1696
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"53⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"54⤵PID:4360
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:255⤵PID:4548
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"55⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"56⤵PID:776
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:257⤵PID:4984
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"58⤵PID:1672
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:259⤵PID:5072
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"59⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"60⤵PID:4648
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:261⤵PID:216
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"62⤵PID:5084
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:263⤵PID:3748
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"64⤵PID:2740
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:265⤵PID:4708
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"66⤵PID:4864
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:267⤵PID:644
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"67⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"68⤵PID:2760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:269⤵PID:2748
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"69⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"70⤵PID:3600
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:271⤵PID:2728
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"71⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"72⤵PID:3108
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:273⤵PID:3336
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"73⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"74⤵PID:2332
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:275⤵PID:392
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"75⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"76⤵PID:4716
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:277⤵PID:4680
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"77⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"78⤵PID:2628
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:279⤵PID:1748
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"79⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"80⤵PID:3420
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:281⤵PID:4004
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"81⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"82⤵PID:4932
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:283⤵PID:2268
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"83⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"84⤵PID:3500
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:285⤵PID:728
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"85⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"86⤵PID:2464
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:287⤵PID:5100
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"87⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"88⤵PID:556
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:289⤵PID:3380
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"89⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"90⤵PID:4720
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:291⤵PID:708
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"91⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"92⤵PID:4228
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:293⤵PID:212
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"93⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"94⤵PID:2456
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:295⤵PID:2412
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"95⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"96⤵PID:2104
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:297⤵PID:3456
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"97⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"98⤵PID:1804
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:299⤵PID:2604
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"99⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"100⤵PID:3688
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2101⤵PID:4388
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"101⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"102⤵PID:4364
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2103⤵PID:3960
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"103⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"104⤵PID:4336
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2105⤵PID:2968
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"105⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"106⤵PID:4056
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2107⤵PID:1360
-
C:\Windows\it-IT\lsass.exe"C:\Windows\it-IT\lsass.exe"107⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\surrogatemonitor\file.vbs"2⤵PID:2928
-
Scheduled tasks created by C:\Windows\system32\schtasks.exe (depth 1). Every one of the 54 entries carries the tags "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task" and is created with /f. Each target gets three tasks: a MINUTE task with no run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST.

PID  | task name                | schedule        | run level | target
1604 | cmdc                     | MINUTE /mo 8    | -         | C:\Recovery\WindowsRE\cmd.exe
1260 | cmd                      | ONLOGON         | HIGHEST   | C:\Recovery\WindowsRE\cmd.exe
2480 | cmdc                     | MINUTE /mo 10   | HIGHEST   | C:\Recovery\WindowsRE\cmd.exe
3088 | SystemS                  | MINUTE /mo 5    | -         | C:\Windows\Speech\Engines\TTS\System.exe
1508 | System                   | ONLOGON         | HIGHEST   | C:\Windows\Speech\Engines\TTS\System.exe
4168 | SystemS                  | MINUTE /mo 12   | HIGHEST   | C:\Windows\Speech\Engines\TTS\System.exe
2580 | wscriptw                 | MINUTE /mo 10   | -         | C:\Program Files\7-Zip\Lang\wscript.exe
5088 | wscript                  | ONLOGON         | HIGHEST   | C:\Program Files\7-Zip\Lang\wscript.exe
3496 | wscriptw                 | MINUTE /mo 11   | HIGHEST   | C:\Program Files\7-Zip\Lang\wscript.exe
1716 | WaaSMedicAgentW          | MINUTE /mo 7    | -         | C:\surrogatemonitor\WaaSMedicAgent.exe
2660 | WaaSMedicAgent           | ONLOGON         | HIGHEST   | C:\surrogatemonitor\WaaSMedicAgent.exe
4672 | WaaSMedicAgentW          | MINUTE /mo 9    | HIGHEST   | C:\surrogatemonitor\WaaSMedicAgent.exe
4992 | backgroundTaskHostb      | MINUTE /mo 7    | -         | C:\surrogatemonitor\backgroundTaskHost.exe
432  | backgroundTaskHost       | ONLOGON         | HIGHEST   | C:\surrogatemonitor\backgroundTaskHost.exe
4656 | backgroundTaskHostb      | MINUTE /mo 6    | HIGHEST   | C:\surrogatemonitor\backgroundTaskHost.exe
1568 | sppsvcs                  | MINUTE /mo 10   | -         | C:\Recovery\WindowsRE\sppsvc.exe
4916 | sppsvc                   | ONLOGON         | HIGHEST   | C:\Recovery\WindowsRE\sppsvc.exe
3352 | sppsvcs                  | MINUTE /mo 13   | HIGHEST   | C:\Recovery\WindowsRE\sppsvc.exe
776  | wininitw                 | MINUTE /mo 6    | -         | C:\surrogatemonitor\wininit.exe
4376 | wininit                  | ONLOGON         | HIGHEST   | C:\surrogatemonitor\wininit.exe
1360 | wininitw                 | MINUTE /mo 6    | HIGHEST   | C:\surrogatemonitor\wininit.exe
2064 | lsassl                   | MINUTE /mo 5    | -         | C:\Users\Admin\Templates\lsass.exe
1884 | lsass                    | ONLOGON         | HIGHEST   | C:\Users\Admin\Templates\lsass.exe
4668 | lsassl                   | MINUTE /mo 11   | HIGHEST   | C:\Users\Admin\Templates\lsass.exe
5092 | wininitw                 | MINUTE /mo 9    | -         | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe
408  | wininit                  | ONLOGON         | HIGHEST   | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe
1220 | wininitw                 | MINUTE /mo 11   | HIGHEST   | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe
4840 | RuntimeBrokerR           | MINUTE /mo 6    | -         | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
2456 | RuntimeBroker            | ONLOGON         | HIGHEST   | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
868  | RuntimeBrokerR           | MINUTE /mo 5    | HIGHEST   | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
4364 | StartMenuExperienceHostS | MINUTE /mo 14   | -         | C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe
4384 | StartMenuExperienceHost  | ONLOGON         | HIGHEST   | C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe
3060 | StartMenuExperienceHostS | MINUTE /mo 7    | HIGHEST   | C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe
4324 | WmiPrvSEW                | MINUTE /mo 14   | -         | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe
1644 | WmiPrvSE                 | ONLOGON         | HIGHEST   | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe
4956 | WmiPrvSEW                | MINUTE /mo 8    | HIGHEST   | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe
4848 | WaaSMedicAgentW          | MINUTE /mo 10   | -         | C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe
3900 | WaaSMedicAgent           | ONLOGON         | HIGHEST   | C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe
3408 | WaaSMedicAgentW          | MINUTE /mo 13   | HIGHEST   | C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe
2436 | StartMenuExperienceHostS | MINUTE /mo 14   | -         | C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe
2604 | StartMenuExperienceHost  | ONLOGON         | HIGHEST   | C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe
2092 | StartMenuExperienceHostS | MINUTE /mo 11   | HIGHEST   | C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe
244  | dllhostd                 | MINUTE /mo 12   | -         | C:\surrogatemonitor\dllhost.exe
3752 | dllhost                  | ONLOGON         | HIGHEST   | C:\surrogatemonitor\dllhost.exe
4924 | dllhostd                 | MINUTE /mo 14   | HIGHEST   | C:\surrogatemonitor\dllhost.exe
512  | WaaSMedicAgentW          | MINUTE /mo 9    | -         | C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe
1572 | WaaSMedicAgent           | ONLOGON         | HIGHEST   | C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe
1808 | WaaSMedicAgentW          | MINUTE /mo 11   | HIGHEST   | C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe
3636 | lsassl                   | MINUTE /mo 5    | -         | C:\Windows\it-IT\lsass.exe
4544 | lsass                    | ONLOGON         | HIGHEST   | C:\Windows\it-IT\lsass.exe
3572 | lsassl                   | MINUTE /mo 11   | HIGHEST   | C:\Windows\it-IT\lsass.exe
5076 | fontdrvhostf             | MINUTE /mo 8    | -         | C:\Recovery\WindowsRE\fontdrvhost.exe
2984 | fontdrvhost              | ONLOGON         | HIGHEST   | C:\Recovery\WindowsRE\fontdrvhost.exe
3444 | fontdrvhostf             | MINUTE /mo 12   | HIGHEST   | C:\Recovery\WindowsRE\fontdrvhost.exe

Note on what actually survives: schtasks /f replaces an existing task of the same name, so within each triple the second MINUTE task (/rl HIGHEST) overwrites the first, and a name reused for a later target (wininitw/wininit, lsassl/lsass, WaaSMedicAgentW/WaaSMedicAgent, StartMenuExperienceHostS/StartMenuExperienceHost) ends up pointing only at the target registered last. The task list on a live host is therefore shorter than this table; the dropped files of the overwritten targets remain on disk.
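The 54 schtasks entries above all follow one pattern: a Windows binary name (lsass.exe, wininit.exe, RuntimeBroker.exe, ...) registered as a task from a directory that never holds that binary, twice with /rl HIGHEST. The following triage script is an added example and not part of the sandbox report or of the DcRat sample: it parses schtasks /create command lines, groups them by target executable and flags (a) a system-binary name executed from outside System32/SysWOW64 and (b) a HIGHEST-run-level task whose target lives outside the system directories. The sample command lines are copied from the table above plus one constructed benign control; the system-binary name list is an assumption, not something the report states.

```python
"""
Persistence triage for schtasks /create command lines (added example, not
part of the sandbox report). Flags masquerading targets and out-of-system-dir
tasks that run with /rl HIGHEST.
"""
import re

# /tn, /sc, /mo, /tr and /rl with either a double-quoted or a bare value.
ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Image names that legitimately live only under System32/SysWOW64 (assumed list;
# extend it for your estate). System.exe is deliberately absent: it is not a
# Windows binary, so it is caught by rule (b) rather than rule (a).
SYSTEM_BINARIES = {
    "cmd.exe", "lsass.exe", "wininit.exe", "dllhost.exe", "sppsvc.exe",
    "fontdrvhost.exe", "runtimebroker.exe", "backgroundtaskhost.exe",
    "wmiprvse.exe", "waasmedicagent.exe", "startmenuexperiencehost.exe",
    "wscript.exe",
}

SAMPLE_CMDLINES = [
    # copied from the report's process tree
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\TTS\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\it-IT\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\lsass.exe'" /rl HIGHEST /f''',
    # constructed benign control (not from the report)
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\wbadmin.exe" /f''',
]


def parse_schtasks(cmdline):
    """Return the /create options of one schtasks command line, or None."""
    if "/create" not in cmdline.lower():
        return None
    opts = {k.lower(): v.strip('"').strip("'") for k, v in ARG_RE.findall(cmdline)}
    mo = opts.get("mo", "")
    return {
        "task": opts.get("tn", ""),
        "schedule": opts.get("sc", "").upper(),
        "every_min": int(mo) if mo.isdigit() else None,
        "target": opts.get("tr", ""),
        "highest": opts.get("rl", "").upper() == "HIGHEST",
    }


def classify_target(target):
    """Rule (a) masquerade check plus the system-directory test used by rule (b)."""
    low = target.lower()
    name = low.rsplit("\\", 1)[-1]
    in_system_dir = low.startswith(SYSTEM_DIRS)
    return {"masquerade": name in SYSTEM_BINARIES and not in_system_dir,
            "in_system_dir": in_system_dir}


def triage(cmdlines):
    """Group parsed tasks by target path and compute a verdict per target."""
    by_target = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        entry = by_target.setdefault(task["target"],
                                     {"tasks": [], "highest": False, "onlogon": False})
        entry["tasks"].append(task["task"])
        entry["highest"] |= task["highest"]
        entry["onlogon"] |= task["schedule"] == "ONLOGON"
    for target, entry in by_target.items():
        flags = classify_target(target)
        entry["masquerade"] = flags["masquerade"]
        entry["suspicious"] = flags["masquerade"] or (entry["highest"] and not flags["in_system_dir"])
    return by_target


if __name__ == "__main__":
    for target, entry in triage(SAMPLE_CMDLINES).items():
        mark = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{mark:10} {target}  tasks={entry['tasks']} masquerade={entry['masquerade']} "
              f"highest={entry['highest']} onlogon={entry['onlogon']}")
```

Feed it every schtasks command line from a sandbox run or from Sysmon event 1 / Security 4698 records; the grouping by target is what exposes the triple-task pattern, and rule (b) catches targets such as System.exe whose name gives nothing away.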
-
depth 1  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 1088
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 2  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"  |  PID 3364
depth 3  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3304
depth 3  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 3604
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 4  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"  |  PID 764
depth 5  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4464
depth 5  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 380
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 6  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"  |  PID 4384
depth 7  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2148
depth 7  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 3840
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 8  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"  |  PID 2312
depth 9  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4544
depth 9  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 5068
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 10  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"  |  PID 1616
depth 11  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2428
depth 11  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 2308
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 12  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"  |  PID 5012
depth 13  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4964
depth 13  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 4720
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 14  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"  |  PID 3680
depth 15  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 660
depth 15  C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe  |  "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"  |  PID 2152
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
depth 1  C:\surrogatemonitor\backgroundTaskHost.exe  |  C:\surrogatemonitor\backgroundTaskHost.exe  |  PID 4468
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 2  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"  |  PID 4268
depth 3  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2296
depth 3  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 764
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 4  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"  |  PID 3792
depth 5  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1208
depth 5  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2104
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 6  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"  |  PID 3412
depth 7  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1348
depth 7  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2652
  - Checks computer location settings
depth 8  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"  |  PID 1256
depth 9  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 400
depth 9  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 1804
depth 10  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"  |  PID 3180
depth 11  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1676
depth 11  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 4828
depth 12  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"  |  PID 896
depth 13  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 5024
depth 13  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2600
  - Checks computer location settings
depth 14  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"  |  PID 2472
depth 15  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2280
depth 15  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2132
depth 16  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"  |  PID 1232
depth 17  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 456
depth 17  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 1916
  - Checks computer location settings
depth 18  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"  |  PID 3024
depth 19  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3052
depth 19  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 4840
  - Checks computer location settings
depth 20  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"  |  PID 4420
depth 21  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1924
depth 21  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 4880
  - Checks computer location settings
depth 22  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"  |  PID 2248
depth 23  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4328
depth 23  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2756
  - Modifies registry class
depth 24  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"  |  PID 212
depth 25  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3932
depth 25  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2608
  - Checks computer location settings
depth 26  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"  |  PID 2740
depth 27  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2932
depth 27  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 3220
  - Checks computer location settings
depth 28  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"  |  PID 1648
depth 29  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2920
depth 29  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2388
  - Modifies registry class
depth 30  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"  |  PID 5072
depth 31  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3944
depth 31  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 1124
  - Modifies registry class
depth 32  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"  |  PID 3956
depth 33  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4384
depth 33  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 4652
  - Modifies registry class
depth 34  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"  |  PID 3372
depth 35  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3424
depth 35  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 1256
depth 36  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"  |  PID 4544
depth 37  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4236
depth 37  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 3180
depth 38  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"  |  PID 1632
depth 39  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4388
depth 39  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2940
depth 40  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"  |  PID 1588
depth 41  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 64
depth 41  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 512
  - Modifies registry class
depth 42  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"  |  PID 704
depth 43  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 5052
depth 43  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 872
depth 44  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"  |  PID 2088
depth 45  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3888
depth 45  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 4728
depth 46  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"  |  PID 4228
depth 47  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1264
depth 47  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 1620
  - Modifies registry class
depth 48  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"  |  PID 2232
depth 49  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3964
depth 49  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2136
  - Modifies registry class
depth 50  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"  |  PID 1700
depth 51  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3576
depth 51  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 728
  - Checks computer location settings
depth 52  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"  |  PID 2224
depth 53  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 680
depth 53  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2976
  - Checks computer location settings
  - Modifies registry class
depth 54  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"  |  PID 1084
depth 55  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4340
depth 55  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 4624
  - Checks computer location settings
depth 56  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"  |  PID 4672
depth 57  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2072
depth 57  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 1688
  - Modifies registry class
depth 58  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"  |  PID 2112
depth 59  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3168
depth 59  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2292
  - Modifies registry class
depth 60  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"  |  PID 1440
depth 61  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4476
depth 61  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 3076
depth 62  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"  |  PID 3636
depth 63  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 744
depth 63  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 640
  - Checks computer location settings
depth 64  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"  |  PID 3624
depth 65  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 5084
depth 65  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 1932
depth 66  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"  |  PID 4080
depth 67  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3408
depth 67  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 512
  - Modifies registry class
depth 68  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"  |  PID 4604
depth 69  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 412
depth 69  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2968
  - Checks computer location settings
  - Modifies registry class
depth 70  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"  |  PID 4284
depth 71  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2648
depth 71  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 4092
  - Modifies registry class
depth 72  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"  |  PID 1088
depth 73  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2388
depth 73  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 432
  - Checks computer location settings
depth 74  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"  |  PID 4436
depth 75  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1156
depth 75  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2664
  - Modifies registry class
depth 76  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"  |  PID 1140
depth 77  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1700
depth 77  C:\surrogatemonitor\backgroundTaskHost.exe  |  "C:\surrogatemonitor\backgroundTaskHost.exe"  |  PID 2704
depth 78  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"  |  PID 1920
depth 79  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2044
-
depth 1  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 4616
depth 2  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"  |  PID 4636
depth 3  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 660
depth 3  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 1344
depth 4  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"  |  PID 1360
depth 5  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3272
depth 5  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 3564
  - Checks computer location settings
  - Modifies registry class
depth 6  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"  |  PID 2624
depth 7  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 4232
depth 7  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 4872
  - Modifies registry class
depth 8  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"  |  PID 860
depth 9  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2636
depth 9  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 3608
depth 10  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"  |  PID 556
depth 11  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 1884
depth 11  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 4372
depth 12  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"  |  PID 1036
depth 13  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2584
depth 13  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 4492
depth 14  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"  |  PID 4948
depth 15  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 3936
depth 15  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 3876
  - Checks computer location settings
depth 16  C:\Windows\System32\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"  |  PID 180
depth 17  C:\Windows\system32\w32tm.exe  |  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  |  PID 2364
depth 17  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe  |  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"  |  PID 1500
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"18⤵PID:2868
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2012
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"19⤵PID:2096
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"20⤵PID:3644
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:3500
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"21⤵PID:4816
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"22⤵PID:2684
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1956
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"23⤵
- Checks computer location settings
- Modifies registry class
PID:4908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"24⤵PID:3172
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:4796
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"25⤵
- Checks computer location settings
- Modifies registry class
PID:1724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"26⤵PID:3060
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:3824
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"27⤵PID:3932
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"28⤵PID:2760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:4812
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"29⤵PID:4300
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"30⤵PID:2364
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:1360
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"31⤵PID:2728
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"32⤵PID:1644
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:3444
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"33⤵
- Checks computer location settings
- Modifies registry class
PID:1852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"34⤵PID:1504
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:3588
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"35⤵
- Checks computer location settings
- Modifies registry class
PID:1296 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"36⤵PID:3136
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵PID:3744
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"37⤵
- Modifies registry class
PID:4828 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"38⤵PID:1884
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵PID:1420
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"39⤵
- Modifies registry class
PID:4912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"40⤵PID:3432
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:241⤵PID:3888
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"41⤵
- Checks computer location settings
PID:3600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"42⤵PID:1080
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:243⤵PID:2928
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"43⤵
- Modifies registry class
PID:4396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"44⤵PID:4284
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:245⤵PID:4508
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"45⤵PID:4012
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"46⤵PID:1464
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:247⤵PID:2740
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"47⤵PID:4984
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"1⤵
- Checks computer location settings
PID:1848 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"2⤵PID:2760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2544
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"3⤵PID:212
-
C:\Recovery\WindowsRE\cmd.exeC:\Recovery\WindowsRE\cmd.exe1⤵PID:1648
-
C:\Program Files (x86)\Windows Photo Viewer\wininit.exe"C:\Program Files (x86)\Windows Photo Viewer\wininit.exe"1⤵PID:2596
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"2⤵PID:3636
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1592
-
C:\Program Files (x86)\Windows Photo Viewer\wininit.exe"C:\Program Files (x86)\Windows Photo Viewer\wininit.exe"3⤵PID:640
-
C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe"C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe"1⤵PID:2140
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"2⤵PID:3572
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3576
-
C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe"C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe"3⤵PID:2268
-
C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe"C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe"1⤵PID:2664
-
C:\Windows\it-IT\lsass.exeC:\Windows\it-IT\lsass.exe1⤵PID:828
-
C:\Program Files\7-Zip\Lang\wscript.exe"C:\Program Files\7-Zip\Lang\wscript.exe"1⤵PID:3456
-
C:\surrogatemonitor\backgroundTaskHost.exeC:\surrogatemonitor\backgroundTaskHost.exe1⤵
- Checks computer location settings
PID:4148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"2⤵PID:2224
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3848
-
C:\surrogatemonitor\backgroundTaskHost.exe"C:\surrogatemonitor\backgroundTaskHost.exe"3⤵PID:5024
-
C:\Windows\Speech\Engines\TTS\System.exeC:\Windows\Speech\Engines\TTS\System.exe1⤵PID:60
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"2⤵PID:4264
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4108
-
C:\Windows\Speech\Engines\TTS\System.exe"C:\Windows\Speech\Engines\TTS\System.exe"3⤵PID:3620
-
C:\Recovery\WindowsRE\fontdrvhost.exeC:\Recovery\WindowsRE\fontdrvhost.exe1⤵PID:5084
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe1⤵
- Modifies registry class
PID:4912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"2⤵PID:2088
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4732
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"3⤵
- Modifies registry class
PID:4556 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"4⤵PID:1476
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵PID:1336
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"5⤵PID:1072
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"6⤵PID:4820
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2276
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"7⤵
- Modifies registry class
PID:4088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"8⤵PID:4924
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2920
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"9⤵
- Modifies registry class
PID:432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"10⤵PID:1248
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:4412
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"11⤵
- Checks computer location settings
PID:4324 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"12⤵PID:512
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:3748
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"13⤵
- Modifies registry class
PID:3968 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"14⤵PID:3544
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3924
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"15⤵
- Checks computer location settings
PID:2696 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"16⤵PID:2732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1616
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"17⤵PID:3108
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"18⤵PID:3220
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:5092
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"19⤵PID:2664
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"20⤵PID:2756
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:640
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"21⤵
- Checks computer location settings
PID:2268 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"22⤵PID:3032
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:5108
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"23⤵PID:3928
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"24⤵PID:912
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:404
-
C:\Recovery\WindowsRE\sppsvc.exe"C:\Recovery\WindowsRE\sppsvc.exe"25⤵PID:3164
-
C:\surrogatemonitor\dllhost.exeC:\surrogatemonitor\dllhost.exe1⤵PID:1504
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"2⤵PID:448
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:5008
-
C:\surrogatemonitor\dllhost.exe"C:\surrogatemonitor\dllhost.exe"3⤵PID:2472
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"4⤵PID:4588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵PID:3568
-
C:\surrogatemonitor\dllhost.exe"C:\surrogatemonitor\dllhost.exe"5⤵PID:3640
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"1⤵
- Modifies registry class
PID:5080 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"2⤵PID:660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4556
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"3⤵PID:3932
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"4⤵PID:4728
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵PID:2960
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"5⤵
- Checks computer location settings
PID:4284 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"6⤵PID:4724
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1424
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"7⤵
- Modifies registry class
PID:2296 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"8⤵PID:1464
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1904
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"9⤵
- Modifies registry class
PID:2120 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"10⤵PID:4868
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:3960
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"11⤵
- Modifies registry class
PID:2076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"12⤵PID:2232
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2012
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"13⤵
- Checks computer location settings
PID:3944 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"14⤵PID:1196
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3504
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"15⤵PID:2624
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"16⤵PID:3576
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2972
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"17⤵PID:3740
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"18⤵PID:828
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2428
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"19⤵
- Modifies registry class
PID:3860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"20⤵PID:2108
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:4844
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"21⤵
- Checks computer location settings
PID:1640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"22⤵PID:4112
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:4628
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"23⤵
- Modifies registry class
PID:556 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"24⤵PID:220
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:4936
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"25⤵
- Checks computer location settings
PID:912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"26⤵PID:4236
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:5072
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"27⤵
- Checks computer location settings
PID:4972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"28⤵PID:2064
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:4732
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"29⤵
- Modifies registry class
PID:1264 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"30⤵PID:808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:3364
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"31⤵
- Checks computer location settings
PID:1608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"32⤵PID:1904
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:2364
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"33⤵
- Modifies registry class
PID:5032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"34⤵PID:2012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:2096
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"35⤵
- Modifies registry class
PID:4692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"36⤵PID:1540
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵PID:3816
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"37⤵PID:4872
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"38⤵PID:4604
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵PID:1852
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"39⤵
- Checks computer location settings
PID:4148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"40⤵PID:2464
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:241⤵PID:64
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"41⤵
- Checks computer location settings
PID:1588 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"42⤵PID:3040
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:243⤵PID:708
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"43⤵PID:4492
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"44⤵PID:3640
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:245⤵PID:1604
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"45⤵PID:3056
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"46⤵PID:2928
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:247⤵PID:3676
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"47⤵PID:380
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"48⤵PID:4088
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:249⤵PID:1104
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"49⤵
- Checks computer location settings
PID:4664 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"50⤵PID:452
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:251⤵PID:4384
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"51⤵PID:1748
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"52⤵PID:3368
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:253⤵PID:3456
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"53⤵
- Checks computer location settings
PID:3400 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"54⤵PID:3328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:255⤵PID:2268
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"55⤵
- Modifies registry class
PID:4600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"56⤵PID:4112
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:257⤵PID:5056
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"57⤵PID:3164
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"58⤵PID:3528
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:259⤵PID:3568
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"59⤵PID:4344
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"60⤵PID:2768
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:261⤵PID:3680
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"61⤵PID:4360
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"62⤵PID:4736
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:263⤵PID:1992
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"63⤵PID:2740
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"64⤵PID:2244
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:265⤵PID:1868
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"65⤵
- Checks computer location settings
PID:3116 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"66⤵PID:1700
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:267⤵PID:4716
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"67⤵
- Modifies registry class
PID:3636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"68⤵PID:1156
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:269⤵PID:3108
-
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"69⤵PID:1928
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"70⤵PID:3912
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:271⤵PID:4628
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"71⤵
  - Checks computer location settings
  (PID 2100)
- C:\Windows\System32\cmd.exe (depth 72, PID 2236)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
- C:\Windows\system32\w32tm.exe (depth 73, PID 4828)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 1, PID 2224)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 2, PID 3136)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
- C:\Windows\system32\w32tm.exe (depth 3, PID 2540)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 3, PID 2968)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Checks computer location settings
- C:\Windows\System32\cmd.exe (depth 4, PID 868)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
- C:\Windows\system32\w32tm.exe (depth 5, PID 5000)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 5, PID 1388)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 6, PID 3436)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
- C:\Windows\system32\w32tm.exe (depth 7, PID 1428)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 7, PID 4988)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Checks computer location settings
- C:\Windows\System32\cmd.exe (depth 8, PID 1812)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
- C:\Windows\system32\w32tm.exe (depth 9, PID 2116)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 9, PID 4968)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 10, PID 3960)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
- C:\Windows\system32\w32tm.exe (depth 11, PID 3116)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 11, PID 2596)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 12, PID 2140)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
- C:\Windows\system32\w32tm.exe (depth 13, PID 2932)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 13, PID 896)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Modifies registry class
- C:\Windows\System32\cmd.exe (depth 14, PID 3916)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
- C:\Windows\system32\w32tm.exe (depth 15, PID 1120)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 15, PID 2144)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 16, PID 3000)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
- C:\Windows\system32\w32tm.exe (depth 17, PID 2636)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 17, PID 4708)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 18, PID 1200)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
- C:\Windows\system32\w32tm.exe (depth 19, PID 1420)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 19, PID 4596)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Checks computer location settings
  - Modifies registry class
- C:\Windows\System32\cmd.exe (depth 20, PID 2472)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
- C:\Windows\system32\w32tm.exe (depth 21, PID 4612)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 21, PID 4000)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Checks computer location settings
- C:\Windows\System32\cmd.exe (depth 22, PID 4732)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
- C:\Windows\system32\w32tm.exe (depth 23, PID 3932)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 23, PID 2568)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 24, PID 1072)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
- C:\Windows\system32\w32tm.exe (depth 25, PID 2388)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 25, PID 1780)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 26, PID 212)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
- C:\Windows\system32\w32tm.exe (depth 27, PID 2728)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 27, PID 2368)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Checks computer location settings
- C:\Windows\System32\cmd.exe (depth 28, PID 632)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
- C:\Windows\system32\w32tm.exe (depth 29, PID 4288)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 29, PID 4932)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Modifies registry class
- C:\Windows\System32\cmd.exe (depth 30, PID 5092)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
- C:\Windows\system32\w32tm.exe (depth 31, PID 3736)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 31, PID 2412)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Checks computer location settings
- C:\Windows\System32\cmd.exe (depth 32, PID 4844)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
- C:\Windows\system32\w32tm.exe (depth 33, PID 680)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 33, PID 2684)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 34, PID 4848)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
- C:\Windows\system32\w32tm.exe (depth 35, PID 3920)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 35, PID 776)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Modifies registry class
- C:\Windows\System32\cmd.exe (depth 36, PID 1084)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
- C:\Windows\system32\w32tm.exe (depth 37, PID 4608)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 37, PID 1676)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Modifies registry class
- C:\Windows\System32\cmd.exe (depth 38, PID 2084)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
- C:\Windows\system32\w32tm.exe (depth 39, PID 760)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 39, PID 4820)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Checks computer location settings
  - Modifies registry class
- C:\Windows\System32\cmd.exe (depth 40, PID 2116)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
- C:\Windows\system32\w32tm.exe (depth 41, PID 4696)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 41, PID 3288)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 42, PID 3544)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
- C:\Windows\system32\w32tm.exe (depth 43, PID 3964)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 43, PID 1592)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
  - Modifies registry class
- C:\Windows\System32\cmd.exe (depth 44, PID 1988)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
- C:\Windows\system32\w32tm.exe (depth 45, PID 2932)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 45, PID 1784)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 46, PID 3992)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
- C:\Windows\system32\w32tm.exe (depth 47, PID 2504)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe (depth 47, PID 400)
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"
- C:\Windows\System32\cmd.exe (depth 48, PID 2680)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
- C:\Windows\system32\w32tm.exe (depth 49, PID 1932)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\surrogatemonitor\backgroundTaskHost.exe (depth 1, PID 4640)
  C:\surrogatemonitor\backgroundTaskHost.exe
- C:\Windows\System32\cmd.exe (depth 2, PID 1584)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
- C:\Windows\system32\w32tm.exe (depth 3, PID 860)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\surrogatemonitor\backgroundTaskHost.exe (depth 3, PID 3880)
  "C:\surrogatemonitor\backgroundTaskHost.exe"
- C:\Windows\System32\cmd.exe (depth 4, PID 220)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
- C:\Windows\system32\w32tm.exe (depth 5, PID 1580)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\surrogatemonitor\backgroundTaskHost.exe (depth 5, PID 1048)
  "C:\surrogatemonitor\backgroundTaskHost.exe"
- C:\Windows\System32\cmd.exe (depth 6, PID 3620)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
- C:\Windows\system32\w32tm.exe (depth 7, PID 864)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
25B
MD5ade8ebca6e309c62627523f7df6c3b87
SHA12b2ed78eaadfab6470aeac668b5baebcf1502d81
SHA256aa9edb868a0c64c6d8d2fe5754cfe54606a11c6c6db6190f955d309a58fcbb97
SHA512d1840e07e8d9fc143c01a8367c80ee16dfe1a42093034d712d04219f1e2f5ee50b4164fd9b24fbb4cc4c1d9c6446f5c99aa46202cf1269da596e11d86436e490
-
Filesize
191B
MD5abcf320d08c00232e2f2a82baa25b7d3
SHA12742d5e559dfc192afa5fc79ee47e0bb31efc61b
SHA256246fdf71c76efe22ac53c7c44c69dfb25a42005181c6fd01e9bbe9ff8f0fc41c
SHA5120b4559312c4fa7db043ebab730e1ae2969f4a3eb892f443bd6d65330abbc17d07cdb75d3dbae41e9c614d066774afa48f8b25a2c993beadaff6ca52cf39a4ef1
-
Filesize
207B
MD5efc0003cd18211650f61ecd2d3a7e0a9
SHA1ab252ccef2138be3d130cf8f004417cf1a9f9364
SHA256e699a68c292ca5999de922c3dd0cbe3e38e3606bda078bdf81f18966d6848106
SHA512f72f54835134997383a3993f059aa75827006c6039e64196febc57948c67eef98501399f84f95dede0159ed027ae6bb4fb000045882d91dd89caf3d3a490e540
-
Filesize
25B
MD573ac4ac546422c81da7bc281ecf76e2a
SHA16a13ff120effdc5d7aa9b491c130f24ace19d6aa
SHA2561481f25cfb3beba6f9d73305eae6ea8c96fba6fc126b864980e7273a6e8ad4a1
SHA5129919238c3f36a0ec165e2278b392d028ff085db5f276f6abfc1acd9e00bd5366d6b11843a72a44559ac705b48630908adc832ef7b7b603e5a09a910bb8dbf782
-
Filesize
191B
MD50382f7de8280fc49388a23c53c2ffe65
SHA16eecfac59b011222be19d421e228acd67851c8f3
SHA2569b684281e89ccee22680e07f383eaee1a9e1fb730bcbb90b3a6990ec2c5d98c6
SHA512eaf1e99bad27f919a9d72b9494469ca403b0d10fa68f6fe7d201638b11b8946342ff0aa78e68366dcc6608832eec84bd19bbbe05ceaccb19cab5d9bfd6684311
-
Filesize
25B
MD5e5a8414ccb14bd86ac816001b63d2c4e
SHA1bb99da1c0fd3c5987af3d3ea6643071b0a641521
SHA256079cf274463c7da76df504fc0536184ac9ed5c28064ff42c1e4317c4a624f1de
SHA5123a03cede0c3c32a2866ea6b28e140f903e1a2c8cdf0bd84e5dcf06d5685148d9499805ba6dc4957e3002e4f184284b9449b6f2a17398473bc87b204f42092222
-
Filesize
25B
MD5c5a04c801843cbc476a1792b973bd0f9
SHA1db5b770d5c66868f95efbaa687a47ef6bf3a4fe5
SHA2569084eda76b91e832d9c4cb0f7547f3c25c3f151e948a187021d7d374ace71ce7
SHA5122f40d645145ef94e7c4067fc11905d6ef515d6e3825a2c8dbee21ae3bd81ebc4efbdb72e601873e9f62575c4bf5bb55d400e19717bc23a4ae24dad938830b682
-
Filesize
191B
MD52e0efc547a1db40f1b6869d50092e839
SHA1923ab59d3ff70a65932a45ef89263623ed549bc9
SHA256fb090fe8222dee84f77d31c1ea2088cbb6511c8e61041caaaa4bc7ea4ea930de
SHA51208dfc426416dbfd1fb48ed734120401b1b547e2f6904f7ac8240ddad48f7ae766db330ff61f48ada9c7543513272643f4c50315330da581647463e14836fbce4
-
Filesize
25B
MD5deece11eea7f763ebd0c7d592503c48e
SHA1c29b569657b046783840858fc7c4ee19aab62a84
SHA25698bc359d96183f7bb9c576b0b07a7fe15d466e55e3ba5ec7bda095fccd6651b2
SHA512114fcdd888fb63fd68907848c7bb627de9a901a2fdd20ff706cb84220b787e099f9b664db9a329521eb18e22299790cda94e76f10a93d58e2eb36a81e7d9abab
-
Filesize
25B
MD5623e1e3027dad669235a10804c0e14e1
SHA116f535e445020ef3261270f043b193f17ae9069b
SHA2568576f3f2cba07f1821e3dc8719dd90ca5b9bd957f83079941d318d9af850d179
SHA512f77c5e8ada6781e7c577c78018ee1195219035482492fa17046a5a177c5e1af4b42a109eb3c132d510fe22b921ddcd2cfe5f0ab0a58feaa293caccea0c76164a
-
Filesize
191B
MD58bce5fb0636992d5fa5a3758e2dc42cb
SHA11aed42ec2ccd40b6aa916971a29008f21edca67a
SHA2560df907d50c4239285e333abfc42d297482376cdddc8f595141f5a0739d023a8f
SHA51280de1e90d4b60a91bef31ea651fc05ff01c4366b7a3f360e0233d8f8b6cffa4f1fc169a0fee8c35a92c8aad41d63aa1d386e85eb74c6dd2d57fd862b6ab4ae77
-
Filesize
191B
MD56a9c124fbf2fb69f874ce3f0f4c1dd92
SHA171cba6a9419aeb82609a1ce07740b7849b56497e
SHA2560ed97e61e4bc1a278927c55d4a3bd059c2a571fdcbb665defab2f3d31ed21ca0
SHA5123ed7fb3d4ff6cd8b404958a8d2cf65840513b5d48fcf07f8ed54046cb7f8d9c63472c7d46ce079fc901a83431048a0ebdb3d0020017bf25eb27c4590c8573b1b
-
Filesize
191B
MD5c2a17eb8155781985aa4a8fa0989e9bd
SHA18bb3677e552c79021f0ef1c6323ddcdb62cade6f
SHA256b10da69d95dd3888f419edfa80b7e80f9ec4cb404a2654c4bdac6f88d6e5b498
SHA512175cb04fa5424fb1bec7d8f6cf42cea5fa747e0a12385458cccca6edc6529e032a0fa5bac6aa79c0bc389e3c520a5527bf9220dc816e800807026c63d2ba664f
-
Filesize
191B
MD546dbfda3ea8526ac5e7e6728a559ffda
SHA166cf699a0f5d66fd9b28ab5ebeb6f90425de6bc6
SHA256ca737f764713697c6568fa28f4653d76b242fc2935a2a71660530a3b0413f78c
SHA512c00faebfe0166ced074616de745345016e66158d2471bcbd157b3274f075ae562b96f944dc443b556501af666422912e27eb9945ff02ce554a5b3077187ae350
-
Filesize
25B
MD52f163505d488403e3ef306f45219cb7b
SHA190a167d6f06f0c08a9b490fd598e8a080f6ff476
SHA256bdc915d901f3042e9f64eb0d09713962037018bf2c8ca2b1d3497536cebf4f50
SHA512dd4d384d411788154c3cc663eec6b15fe9b1a1ff69a6a08d0599be7e5c32fc39f4fefc8a4bbb8d3d75ff6116a4800d995e7330950f63404c6b31fd84ace12ccf
-
Filesize
191B
MD568aa1d21471ec3427c616a5a679bba32
SHA139ce4f2a7b2d26bfc5b9a26bb819d4e111631c32
SHA2567c5ca2eeda7f9c33f95a4720bfe83d41a94bb3b4f8a6b4483370e4ec7ebc7337
SHA5124b55c3f29984ffaf928e5c664a25d3a37df13e6c39aef2770338eea2580b40d6ef1c7ee4ca9f1d50ee9577899375dbc7e1c235daf820abde632a7dd1cfe4d72c
-
Filesize
191B
MD516feafabec151b73ce4ab34e14658a86
SHA1f58438c9bd465cb5109fac85d01ff3f95f421fc3
SHA256f689f47edba3dd9a09da9006692534fc2b217bdec0dc73d2490a0416cce0d116
SHA512eb5a63cfa846ff8843fdf63bbe3fab00f665aaaa75e7b449e3a008fec2a897a414d5c5d9aedeb1bf70d4c9172d424b8a1c728f2e0e84667f597ebf7a5c10d149
-
Filesize
191B
MD5b282e1dae415e34e931fb7e41bc95df0
SHA14e93397f71eb5f92b5be07ea56bda974222d623a
SHA2566d51fcbaf05e15e4743d8ab958cd2e4328531b5a5a2636f8a993bbe2aca8fe7b
SHA5126f8b062057619666b70b2fc18180b75fd73f767a68212cea0e137f64ebe9fd467bd7bb0dd8c1c865c1b4ef10f3b51d25d5d8dea9cd78552f60b6de72a07ac3c9
-
Filesize
25B
MD5e9e108190185c5423cc0d40f1729c507
SHA1e25556ffc3a71a593d025f9354aa6e41ac8ebdda
SHA2561b403b3b7aca34331ed4834cb7f5dab972ac1d572fa192748e6d94ec6fe930dd
SHA512b90f110247e80ac9df709cb6b0f847bfa9e7acdd04f78c9fed6cd800e1579fffe6934c1bdbfba140b1b644809691f86a428f1dac10a2e770047f2b036f46c1a2
-
Filesize
191B
MD500242a2d01c28af4bec6fdf085bf559c
SHA136e1efd294197d13054e8f9049928b3c420bc0e3
SHA2562d946c04808efaba463f42b49a453889d9f588cfedeea8c320c1f08348bc5a9e
SHA512723e2e3363d141ce11a7a9c93a8b403600d4d728f71929f451f3bc2b5aeb274d014fcb4ce8e981a1af0642b13382d31cc1dd537542ec6967f372a8ba00ac6af3
-
Filesize
191B
MD52e9030db2ddfe4ee2197f428fc4a0c75
SHA188ab6fd496040db46aa5617b121c03d781e30404
SHA25688f26491f2ae7f404993e78c70bea57341218dbc6600e09c8ef7393d2a7c414a
SHA5125fcad1a1217eee85b983dc25d9c00b5a66b5347208c8244f7bc95652525da74e7f3ee01fbbee8d2c0e0bd05292ecbd779b8322237f73b5be08d2c2a7c01fd575
-
Filesize
207B
MD5a5f16f138776de9794b3b0fcc48b0564
SHA10f55c93bcb4299d80c5f656c50be0cef72be044d
SHA2564be59bcff28c95734ab2e43b21fe6c0ca79487998f687833e9d6ccf1335fb679
SHA5120ea52c00f44570f337633fe0bc8be2739c7ea932544d68a9fcfec8bbf80eb49ec6f1612a5c29b2cad0983858699d8e78a9f2277da048babd2b918dff72d324a9
-
Filesize
249B
MD515456849895098a3add4a8233d024036
SHA1bc5090571f2764fe614eaa687f24caa30893806e
SHA25642b304ce76bdcbd7ea4b65cf38d66ecdfd8da277077f9776842e601f92292448
SHA512296332b730f66424d6e4c1255852238e4a06fab192c3b8a5252c536cc6de43319ceb39e37212d46ffab992d8a66ce953a1c26f4af1d2afba3ed67c1a170f2b92
-
Filesize
25B
MD5f7c426237ab5e4d7fa6a4b2b6c679a9b
SHA11e26f2241dac8cfd507a72b07f8e66796bfaf023
SHA25669353f1e3a8c559b9bdc0d1ae872f8838c7f0e674800bc10af759697f902a59c
SHA5122f0f06167b21b8e29f8c923098f3882475d00dcbe7b2c5813c0721e332c3bee1f9cda1214213b497de12f75fd477a86e864982c2a1bfbc4b508f37d4d38c1919
-
Filesize
229B
MD526452d221cf5e4060fd3c3d9a44a0375
SHA1c653e70b3f117cb2767088fa3a54d2da0874e04c
SHA2565691c66dfc69dead22f890dae6eedb4c17df68a9205856cd1cde6c531ac7879c
SHA512d31fdf041162205e9445e4f8c8267fbfad1b4344594da66813c3c08767e5185efbddeef98cd62562dbdd8f0bedfaebf7e78311f32acebf2681d80895e0138ae1
-
Filesize
191B
MD5413b0d1f32708c47721c123508a99f41
SHA1d9842806b73f7d2082e2d599e5182f382c17684a
SHA25673f827a4f9d919dbe3259c050879ee22052d27ab8be60ce247ec54e157192b1d
SHA51268df48ab02d77b355ce177a7b88d328c4ac5032473d0acf6b7d5e07990be4fec1fef1c3bc206c8c4ca6802b3b46ae961fa57473e5e7ddfbd6c4d823930cdc7b1
-
Filesize
25B
MD53a9e8c44f7814a439b00b2e5558bbf7b
SHA125f21b2b64e8971b234413d3ffea8c8ac9b12eaa
SHA256d9e0c74c93a06083cc22c88019dc99caa44b222471c4836bd6e72c018deb7e7b
SHA512173c0d027364f86513779eb704c71fe75195cd72b7a3fef58052635d2945d8f046d36b77071c5e3e7c47d398f08fb5ee78916275af026ba83e862d6584e509c0
-
Filesize
191B
MD50318765f63559822c6ea49ea956a5506
SHA167d79fd8ac12e6d0d925ed422fbe01cdf2692358
SHA2568ba6a0dd560da4066ce1a19a4cb73dccf8dd136d8d9e4c2471890b93ef87094d
SHA512eed06f25111bd238736f7365e4103ddb2595db688e97ea7c4678758d5cfa3bb401332c5c0909dc50d4634100064b9ed50f1a0c8eab60a3b1a6723c78d3fdefcb
-
Filesize
191B
MD5ca3925cb0eedae4122561addade85d87
SHA165e2591eb5808c114a0795798d7fbea5bcafb3e9
SHA256b451a90edd3702a01690fa692f3f05d48286dfadf1790a36ca7d1ad9c36522e6
SHA5121bb3e72230edb22b7952130fc35b06e1650e7aa7795583bca7177026cbd5ce4288840fe9584a8e1b1ac85f49f763f604eb6c3355224347fafa30c48c4673cc62
-
Filesize
229B
MD509d5e96a8231503c240f4388f8edbe58
SHA1accc856469d26005b5b17875ff3a8075a36f6e3c
SHA256195c5fe9498f89874443e55aa3523f403e7af27866cdffc15d480409e9d8e6cb
SHA5122080ca08a6f85643410d240f5be00a3872ecf554a3e71ee52cfcd6713e30e74002bbaf40c102b6d2ae2b9926c68b5a0a0a849392ac8e34c7d9b9a150f6e65473
-
Filesize
191B
MD51a17c692580fbf247ff5021e64746fc6
SHA1c5fa043c7c810598da61c4a8ac9b06e5c51eb527
SHA256134b189bd91338cd14afe31a70b7a5694ad4ea9eb2e4690fbc4a18d441a05431
SHA5122d70a9405852b98141ab7dd3e7aa18664869df828cd7381e394d7d4dfd938f823cdf1029cfa89c086f857d90f9582425d72b572e2ca86e4827e7b1bd2e585a4c
-
Filesize
191B
MD5a806c1049bdfeb045b6dce3f4dcf0620
SHA11e325e0338a134fb6e0b0f882faeb1173979a7ea
SHA256e498a99e9585e802d7ca76df1cec20cc5e81603806e1a681a3125067c523589a
SHA51204de06711e0bf6be67e9edc2c0f698bab03f81b86ea665084401ea1b5c52ef6bccfb3d67421ee8496561e2f849e069286b2d49b19175c7a42de32827f2db785c
-
Filesize
191B
MD51223381b95b3fac63f713b011cf927e2
SHA17c263a7a0bd054421e0279cd4bf78832937db7d7
SHA256ecb0343b64b1aa1add6561b6dc7561bbf47e4542b05399e8745f44c192adccf5
SHA5128f377ef546d7af19b53718cc280a4587886f474c848ce66f01295fd1cc0e5155249d43e91086ed143eb887bfd0a849e940038dc1368409538863cd37bf652ba6
-
Filesize
191B
MD576b13e3412719e459d23a5fb7bfcc774
SHA1ab74515b6a803622d885df2c0e48f9d55cdaceda
SHA256197059b7b16a2c54b4c50a492872a13b96b068d7817ebd716a3c0ac28b7d7d42
SHA512ee290315ad5b5b71120ccde7d7c372662b190594ebed6f14e41cab6615743e70358b6a451ad76dde7bc82a732b166d57a0241a5cd88dd41c2e1df0097698e51e
-
Filesize
25B
MD510b0d9332648fb59b1f67b248b1428c0
SHA1bfde3f1cde2a43dc163ec6068b5c5833eaf3c68d
SHA2560db594e38f028f890011862757b43a178321ee4323bc0a544de8bb16c001d7eb
SHA5129e422e34da03395410aa6e1a7045e496398f257ff1560eebb7ead86ab2125f09b16783b58b6b25f2868fc562b71638ff4899f64816b9609ed8de7057b6222d22
-
Filesize
25B
MD563c60822e5ee292d2bd2505aca48145a
SHA15e6077bdc94d2eaa99e678564d4b1d1ede69401d
SHA2562ac654d5272e9f41c008fdb9fe9b2e4222d5732ba70c49f9d4e5d55d49938826
SHA512f2406a1275ba12aaec0e528736ad6e39d656267458948042875ec3ad3eeafdad27e592636a34c0cdf2d99d446ec1d1b540797e038a4619985b861eb993d70c8f
-
Filesize
191B
MD57f7c4b783f95130948f7ac8d3bc3142e
SHA1da7060a987156dfc4569b1e64cc78f34e8a51244
SHA256ee993f9449bdaa2035ca55bf72d3e8c9f4727d809713c2266cff070ca8db2089
SHA512539e062b38a7e07eb8d9605c7438229c60570f27bc1b85546029b4e422c37797db14232eab6680e7a475e358a068d776d7a9038f03a4ffc93afb6a3bfed54940
-
Filesize
191B
MD5f01ddb91cf901e84e4cc5b7c00453623
SHA1d13723739a4a32cf2e4f2a1a125fcf55ec1e39c9
SHA2560da2fb180597500325dd0de0c30ac1770d18a982c1eb10d8082f11e4370e302b
SHA51294b03fccf2074d3b637ca54067133ae7f44261529faa7dca154371c306756506be21fdf697c0879e348a5ce9fbcd925e321d5fc128138320f3e8ea87530ff7ca
-
Filesize
25B
MD58189d8837600fa3c2d2b88e972568c24
SHA198562da0aa45ed1cd95cad18e133351af799abe7
SHA25625810e68a82f16ed0cc5c5004396fbed468303fb5300bb8a581087f3e62e3d1e
SHA51263804bd95a3965152850faa5c4ca85e02a71eef506738692e062d193d5ee05ff216ef5030f45cab44891b70568183c1f889a87f44bca244efc742682d8404638
-
Filesize
191B
MD51e2deaa386931a2fc4cfa40741ff8b23
SHA1c6902d77eb6a9b4d0b822f01f20fed9f8cf12c78
SHA256c125db338b43ada0238451c020d78cb084e8e34a2d8c74dc3d4325118c77dccb
SHA512a5bb937820e6fd4fe16976023ffcf31f4624cd8fa35749c981e9949169af8e140ce5e08981d9771696f8331d94daefb2528e9f401044d096d2223434a69ccc1c
-
Filesize
191B
MD56a94d46115b0b5e4f9e01026241091c5
SHA1cffa9a4715a617bc7f6a577bf3b2113011ac59fa
SHA256598bed1ee17c3553d0a49535cf316787c56129595fdab3ee7598a4b139e25a57
SHA51202a704fe9dc176177e68c86156971301baf2bd99b417405b65648b391afba5bf36d26bd72bc6c71a690b90fce3dce6e52527c9b74906f2d52b1c471177af5eb2
-
Filesize
25B
MD52df100961e75be2a60ba0ac0062e599f
SHA172135b04d505cb01999b1701450a3ef40520f198
SHA25684681384fb3dd131d2799dc3ae13f67651546caf272019c298940cd2821448f8
SHA51270f47c47223bdcf9203ff64f5d6caabdd440f19b315c105ac42274e686e5a2d5fb5622399e406bcc0132a1e6936021b8829e00af97709dc1795355dcbe49a764
-
Filesize
43B
MD5fafd04061c236ee00b6cff31f07636fb
SHA1770f5086a9c5e00ef6adb67add11066df82ac6df
SHA25634723412b611d2391a46fc56b10a02bda04b084e23bcc7d3155643e057d3d4fd
SHA512170a3594177bbfa74a037adf074abaec1d20454282bf330ec0e38fe2f47d51054ec08c61bb6566593489d1043054187427e805d5e0fb45b00f1b0c4e8186269c
-
Filesize
1.8MB
MD53e9fa612d1f2f6a1ea2c58978e62d6f8
SHA117c90368d06b4877db03e8efceacb75ee437c4fc
SHA2567a34998548e022af1ae738503ff45790f19036de60311cc5c6b6212666be17e5
SHA51229f1e51c6027950d263adc2e80567aff45265bab8382d2497678c29b930e9d6316ab593fbdced08ec795625e57ff318f595707f38d779042178ac9398560e0cd
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
203B
MD50b51e2e7d4ee30eb52cd0ce9c27b637d
SHA15be564d5855f6436c2e997f0d41a2ccc9c4dfa06
SHA2568abdb130dcd7135c2e6c9a7cce8871cecd527ba282f9ee30dd8d055238813123
SHA512e3b62d1187c867a90c98be443ab39bf993d3a879ff76621f0f157b1ddc9fa5f5f0fc26bf4d3332d8dd1d626939da6950f6bd9619fe4e9ccfaca4499c9a9487ee