Malware Analysis Report

2024-11-13 13:46

Sample ID: 240718-jmmktaselb
Target: setup casino.msi
SHA256: 46f147b5b85dc612ec84ee8374442a90c6ab1c4ad9633a79e2c0c06693f6acc5
Tags: rat dcrat infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 46f147b5b85dc612ec84ee8374442a90c6ab1c4ad9633a79e2c0c06693f6acc5
Threat Level: Known bad

The file setup casino.msi was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat infostealer

DcRat
DCRat payload
Dcrat family
Process spawned unexpected child process
DCRat payload
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-18 07:47

Signatures

DCRat payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family
Tags: dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-18 07:47
Reported: 2024-07-18 08:05
Platform: win10v2004-20240709-en
Max time kernel: 1049s
Max time network: 425s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup casino.exe"

Signatures

DcRat
Tags: rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the row above is repeated 54 times in the report, one per schtasks.exe launch from wmiprvse.exe)

DCRat payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 identical rows)

Checks computer location settings

Description | Indicator | Process | Target | Occurrences
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\surrogatemonitor\backgroundTaskHost.exe | N/A | 17
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Windows\it-IT\lsass.exe | N/A | 15
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | N/A | 15
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe | N/A | 13
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sppsvc.exe | N/A | 3
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup casino.exe | N/A | 1
(64 rows in the report, condensed here by process; all query the same Geo\Nation value)

Executes dropped EXE

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\surrogatemonitor\HyperBlocksession.exe | N/A | 1
N/A | N/A | C:\Windows\it-IT\lsass.exe | N/A | 52
N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | N/A | 8
N/A | N/A | C:\surrogatemonitor\backgroundTaskHost.exe | N/A | 3
(64 rows in the report, condensed here by dropped executable)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files\7-Zip\Lang\817c8c8ec737a7 | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\c82b8037eab33d | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\55b276f4edf653 | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files\7-Zip\Lang\wscript.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9 | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\24dbde2999530e | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\56085415360792 | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653 | C:\surrogatemonitor\HyperBlocksession.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Speech\Engines\TTS\System.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Windows\Speech\Engines\TTS\27d1bcfc3c54e0 | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Windows\it-IT\lsass.exe | C:\surrogatemonitor\HyperBlocksession.exe | N/A
File created | C:\Windows\it-IT\6203df4a6bafc7 | C:\surrogatemonitor\HyperBlocksession.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target | Occurrences
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\surrogatemonitor\backgroundTaskHost.exe | N/A | 17
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Windows\it-IT\lsass.exe | N/A | 16
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | N/A | 13
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe | N/A | 11
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A | 5
(62 rows present in this section, condensed here by process; all create the same Local Settings key)
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\surrogatemonitor\backgroundTaskHost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
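
The Scheduled Task signature above only records 54 launches of schtasks.exe; the full command lines are listed under Processes below. Read together they show one pattern repeated for 18 dropped copies of Windows binaries: a MINUTE task with /mo between 5 and 14, an ONLOGON task with /rl HIGHEST, and a second MINUTE task, with the task name being either the image name or the image name plus its first letter ("lsass", "lsassl", "cmdc", "wininitw") and the /tr path wrapped as "'path'". The Python below is an added example, not part of the sandbox output, that scores process-creation command lines of this shape. It assumes a hypothetical list of borrowed image names and expected directories (a production allowlist would be far wider) and a threshold of two traits; four of the sample lines are copied from this report, the benign ones are constructed for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Process-creation command lines. The first four are copied from the Processes section of
# this report; the last three are constructed (two benign tasks and a /delete) for contrast.
SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\it-IT\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OneDriveUpdate" /sc DAILY /tr "C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe" /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Tools\backup.exe" /rl HIGHEST /f
schtasks.exe /delete /tn "lsassl" /f
""".strip().splitlines()

# Image names this sample borrows for its dropped copies (assumption: a real allowlist is
# much longer) and the directories where the genuine binaries live.
SYSTEM_IMAGES = {
    "lsass.exe", "wininit.exe", "runtimebroker.exe", "wmiprvse.exe", "dllhost.exe",
    "sppsvc.exe", "fontdrvhost.exe", "backgroundtaskhost.exe", "startmenuexperiencehost.exe",
    "waasmedicagent.exe", "cmd.exe", "wscript.exe",
}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")

# A token is either a double-quoted string (quotes kept) or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass
class TaskFinding:
    name: str
    schedule: str
    run: str
    reasons: list = field(default_factory=list)


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Turn 'schtasks.exe /create ...' into {flag: value}; None for any other command line."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        flag = tokens[i].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[flag] = tokens[i + 1]      # /tn NAME, /sc MINUTE, /mo 5, /tr PATH, /rl HIGHEST
            i += 2
        else:
            opts[flag] = ""                 # bare switches such as /create and /f
            i += 1
    return opts if "/create" in opts else None


def assess(opts: dict) -> TaskFinding:
    """Score one /create against the traits the persistence tasks in this report share."""
    run = opts.get("/tr", "").strip("'\"")  # the report's /tr values are wrapped as "'path'"
    name = opts.get("/tn", "")
    image = run.rsplit("\\", 1)[-1].lower()
    stem = image[:-4] if image.endswith(".exe") else image
    reasons = []
    if image in SYSTEM_IMAGES and not run.lower().startswith(EXPECTED_DIRS):
        reasons.append(f"{image} outside its expected directory: {run}")
    modifier = opts.get("/mo", "")
    if opts.get("/sc", "").upper() == "MINUTE" and modifier.isdigit() and int(modifier) <= 15:
        reasons.append(f"re-launched every {modifier} minutes")
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("runs at the highest run level")
    if stem and name.lower() in (stem, stem + stem[0]):  # "lsass", "lsassl", "cmdc", "wininitw"
        reasons.append(f"task name {name!r} is the image name, or the image name plus its first letter")
    return TaskFinding(name, opts.get("/sc", "").upper(), run, reasons)


def triage(cmdlines, min_reasons=2):
    """Findings with at least min_reasons traits; a lone /rl HIGHEST on a real task is not enough."""
    findings = []
    for line in cmdlines:
        opts = parse_schtasks_create(line)
        if opts is not None:
            finding = assess(opts)
            if len(finding.reasons) >= min_reasons:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.name:<16} {f.schedule:<8} {f.run}")
        for r in f.reasons:
            print("    -", r)
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 where the image is schtasks.exe. The threshold matters: /rl HIGHEST alone is common in legitimate software installers, so the check only reports a task when at least two traits coincide, and for this sample all four copied lines score three.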

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\surrogatemonitor\HyperBlocksession.exe N/A
N/A N/A C:\surrogatemonitor\HyperBlocksession.exe N/A
N/A N/A C:\surrogatemonitor\HyperBlocksession.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
N/A N/A C:\Windows\it-IT\lsass.exe N/A
N/A N/A C:\surrogatemonitor\backgroundTaskHost.exe N/A
N/A N/A C:\surrogatemonitor\backgroundTaskHost.exe N/A
N/A N/A C:\surrogatemonitor\backgroundTaskHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\surrogatemonitor\HyperBlocksession.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\surrogatemonitor\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\surrogatemonitor\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\surrogatemonitor\backgroundTaskHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 3592 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 3592 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 3592 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 3592 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 3592 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 1848 wrote to memory of 2464 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2464 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2464 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatemonitor\HyperBlocksession.exe
PID 2464 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatemonitor\HyperBlocksession.exe
PID 3376 wrote to memory of 2624 N/A C:\surrogatemonitor\HyperBlocksession.exe C:\Windows\it-IT\lsass.exe
PID 3376 wrote to memory of 2624 N/A C:\surrogatemonitor\HyperBlocksession.exe C:\Windows\it-IT\lsass.exe
PID 2624 wrote to memory of 2696 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2624 wrote to memory of 2696 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2696 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2696 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2696 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 2696 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 924 wrote to memory of 2960 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 924 wrote to memory of 2960 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 4944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2960 wrote to memory of 4944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2960 wrote to memory of 1096 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 2960 wrote to memory of 1096 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 1096 wrote to memory of 4556 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 1096 wrote to memory of 4556 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 4556 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4556 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4556 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 4556 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 3908 wrote to memory of 2436 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 2436 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2436 wrote to memory of 4500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2436 wrote to memory of 4500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2436 wrote to memory of 2272 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 2436 wrote to memory of 2272 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 2272 wrote to memory of 2228 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2272 wrote to memory of 2228 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2228 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2228 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2228 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 2228 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 4528 wrote to memory of 2472 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 4528 wrote to memory of 2472 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2472 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2472 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2472 wrote to memory of 672 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 2472 wrote to memory of 672 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 672 wrote to memory of 3056 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 672 wrote to memory of 3056 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 3056 wrote to memory of 3364 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3056 wrote to memory of 3364 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3056 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 3056 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 2608 wrote to memory of 3304 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2608 wrote to memory of 3304 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 3304 wrote to memory of 2456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3304 wrote to memory of 2456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3304 wrote to memory of 3220 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 3304 wrote to memory of 3220 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 3220 wrote to memory of 4384 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 3220 wrote to memory of 4384 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 4384 wrote to memory of 3548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
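
Read as parent/child pairs, the rows above reconstruct the process chain: setup casino.exe runs the .vbe through WScript.exe, the script runs a .bat through cmd.exe, the .bat starts HyperBlocksession.exe, which starts the dropped C:\Windows\it-IT\lsass.exe; from then on each lsass.exe runs a .bat that launches w32tm.exe (the "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2" line under Processes, used as a sleep of roughly five seconds) and then a fresh lsass.exe. The Python below is an added example, not sandbox code, that parses rows in the flattened layout shown here (Description, Indicator, Process, Target separated by spaces), collapses the repeated writes, prints the tree and measures the relaunch loop. The sample rows are a subset copied from the table; the regex assumes the Process path is always followed by a drive-letter Target path, which holds for this export.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above (a subset of it).
# The sandbox logs each write, so a parent/child pair can appear several times.
# Exported column layout: Description, Indicator, Process, Target, separated by spaces.
SAMPLE_ROWS = r"""
PID 3592 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 3592 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 3592 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\setup casino.exe C:\Windows\SysWOW64\WScript.exe
PID 1848 wrote to memory of 2464 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatemonitor\HyperBlocksession.exe
PID 3376 wrote to memory of 2624 N/A C:\surrogatemonitor\HyperBlocksession.exe C:\Windows\it-IT\lsass.exe
PID 2624 wrote to memory of 2696 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2696 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2696 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 924 wrote to memory of 2960 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 4944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2960 wrote to memory of 1096 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
PID 1096 wrote to memory of 4556 N/A C:\Windows\it-IT\lsass.exe C:\Windows\System32\cmd.exe
PID 4556 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4556 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Windows\it-IT\lsass.exe
""".strip().splitlines()

# The Process path can contain spaces ("setup casino.exe"), so it is matched lazily and the
# Target is taken as the last drive-letter path on the line (assumption about this export).
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")

def parse_rows(rows):
    """Map (parent_pid, child_pid) -> (parent_image, child_image), collapsing repeated writes."""
    edges = {}
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid))] = (pimg, cimg)
    return edges

def build_tree(edges):
    """Return (children, image, roots): adjacency list, pid -> image path, pids with no parent."""
    children, image = defaultdict(list), {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        image[ppid], image[cpid] = pimg, cimg
    spawned = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in spawned]
    return children, image, roots

def render(children, image, pid, depth=0, out=None):
    """Indented process tree as a list of lines, depth-first in spawn order."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {image[pid]}")
    for child in children.get(pid, []):
        render(children, image, child, depth + 1, out)
    return out

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def first_pid_named(children, image, roots, name):
    """First pid, depth-first from the roots, whose image file name equals name."""
    for root in roots:
        for line in render(children, image, root):
            pid = int(line.split()[0])
            if _basename(image[pid]) == name:
                return pid
    return None

def relaunch_chain(children, image, pid):
    """Follow X -> cmd.exe -> X hops from pid and return one pid per generation of X.
    In this sample each generation's .bat first runs w32tm.exe as a sleep, then starts X again."""
    generations = [pid]
    while True:
        nxt = None
        for c in children.get(generations[-1], []):
            if _basename(image[c]) == "cmd.exe":
                for g in children.get(c, []):
                    if image[g].lower() == image[pid].lower():
                        nxt = g
        if nxt is None:
            return generations
        generations.append(nxt)

def count_w32tm_stalls(children, image):
    """Number of w32tm.exe launches, i.e. how many times the loop slept before relaunching."""
    return sum(1 for kids in children.values() for c in kids if _basename(image[c]) == "w32tm.exe")

if __name__ == "__main__":
    children, image, roots = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots:
        print("\n".join(render(children, image, root)))
    first = first_pid_named(children, image, roots, "lsass.exe")
    print("lsass.exe generations:", relaunch_chain(children, image, first))
    print("w32tm stalls:", count_w32tm_stalls(children, image))
```

Run against the full table the loop continues through nine lsass.exe generations and nine w32tm.exe stalls within the 1049 s kernel window; the relaunch chain is the useful artefact for a hunt, because a process whose only children are cmd.exe, w32tm.exe and a new copy of itself has no legitimate counterpart among the system binaries it is named after.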

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup casino.exe

"C:\Users\Admin\AppData\Local\Temp\setup casino.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatemonitor\gAYqfto.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatemonitor\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\surrogatemonitor\Db3DeF2UEd.bat" "

C:\surrogatemonitor\HyperBlocksession.exe

"C:\surrogatemonitor\HyperBlocksession.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\TTS\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\Engines\TTS\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\surrogatemonitor\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\surrogatemonitor\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\surrogatemonitor\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\surrogatemonitor\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\surrogatemonitor\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\surrogatemonitor\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\surrogatemonitor\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\surrogatemonitor\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\surrogatemonitor\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\surrogatemonitor\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\surrogatemonitor\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\surrogatemonitor\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\it-IT\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\it-IT\lsass.exe

"C:\Windows\it-IT\lsass.exe"

C:\surrogatemonitor\backgroundTaskHost.exe

C:\surrogatemonitor\backgroundTaskHost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Recovery\WindowsRE\cmd.exe

C:\Recovery\WindowsRE\cmd.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Program Files (x86)\Windows Photo Viewer\wininit.exe

"C:\Program Files (x86)\Windows Photo Viewer\wininit.exe"

C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe

"C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"

C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe

"C:\Program Files (x86)\Microsoft.NET\RedistList\WaaSMedicAgent.exe"

C:\Windows\it-IT\lsass.exe

C:\Windows\it-IT\lsass.exe

C:\Program Files\7-Zip\Lang\wscript.exe

"C:\Program Files\7-Zip\Lang\wscript.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Photo Viewer\wininit.exe

"C:\Program Files (x86)\Windows Photo Viewer\wininit.exe"

C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe

"C:\Program Files (x86)\Google\Temp\StartMenuExperienceHost.exe"

C:\surrogatemonitor\backgroundTaskHost.exe

C:\surrogatemonitor\backgroundTaskHost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Speech\Engines\TTS\System.exe

C:\Windows\Speech\Engines\TTS\System.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Recovery\WindowsRE\fontdrvhost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\Speech\Engines\TTS\System.exe

"C:\Windows\Speech\Engines\TTS\System.exe"

C:\Recovery\WindowsRE\sppsvc.exe

C:\Recovery\WindowsRE\sppsvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\dllhost.exe

C:\surrogatemonitor\dllhost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\dllhost.exe

"C:\surrogatemonitor\dllhost.exe"

C:\Recovery\WindowsRE\sppsvc.exe

"C:\Recovery\WindowsRE\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\dllhost.exe

"C:\surrogatemonitor\dllhost.exe"

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

C:\surrogatemonitor\backgroundTaskHost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatemonitor\backgroundTaskHost.exe

"C:\surrogatemonitor\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\surrogatemonitor\gAYqfto.vbe

MD5 0b51e2e7d4ee30eb52cd0ce9c27b637d
SHA1 5be564d5855f6436c2e997f0d41a2ccc9c4dfa06
SHA256 8abdb130dcd7135c2e6c9a7cce8871cecd527ba282f9ee30dd8d055238813123
SHA512 e3b62d1187c867a90c98be443ab39bf993d3a879ff76621f0f157b1ddc9fa5f5f0fc26bf4d3332d8dd1d626939da6950f6bd9619fe4e9ccfaca4499c9a9487ee

C:\surrogatemonitor\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\surrogatemonitor\Db3DeF2UEd.bat

MD5 fafd04061c236ee00b6cff31f07636fb
SHA1 770f5086a9c5e00ef6adb67add11066df82ac6df
SHA256 34723412b611d2391a46fc56b10a02bda04b084e23bcc7d3155643e057d3d4fd
SHA512 170a3594177bbfa74a037adf074abaec1d20454282bf330ec0e38fe2f47d51054ec08c61bb6566593489d1043054187427e805d5e0fb45b00f1b0c4e8186269c

C:\surrogatemonitor\HyperBlocksession.exe

MD5 3e9fa612d1f2f6a1ea2c58978e62d6f8
SHA1 17c90368d06b4877db03e8efceacb75ee437c4fc
SHA256 7a34998548e022af1ae738503ff45790f19036de60311cc5c6b6212666be17e5
SHA512 29f1e51c6027950d263adc2e80567aff45265bab8382d2497678c29b930e9d6316ab593fbdced08ec795625e57ff318f595707f38d779042178ac9398560e0cd

memory/3376-17-0x0000000000960000-0x0000000000B38000-memory.dmp

memory/3376-18-0x000000001B680000-0x000000001B6D6000-memory.dmp

memory/3376-19-0x0000000001410000-0x0000000001418000-memory.dmp

memory/3376-20-0x0000000002D20000-0x0000000002D28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

MD5 46dbfda3ea8526ac5e7e6728a559ffda
SHA1 66cf699a0f5d66fd9b28ab5ebeb6f90425de6bc6
SHA256 ca737f764713697c6568fa28f4653d76b242fc2935a2a71660530a3b0413f78c
SHA512 c00faebfe0166ced074616de745345016e66158d2471bcbd157b3274f075ae562b96f944dc443b556501af666422912e27eb9945ff02ce554a5b3077187ae350

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

MD5 a806c1049bdfeb045b6dce3f4dcf0620
SHA1 1e325e0338a134fb6e0b0f882faeb1173979a7ea
SHA256 e498a99e9585e802d7ca76df1cec20cc5e81603806e1a681a3125067c523589a
SHA512 04de06711e0bf6be67e9edc2c0f698bab03f81b86ea665084401ea1b5c52ef6bccfb3d67421ee8496561e2f849e069286b2d49b19175c7a42de32827f2db785c

C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

MD5 f01ddb91cf901e84e4cc5b7c00453623
SHA1 d13723739a4a32cf2e4f2a1a125fcf55ec1e39c9
SHA256 0da2fb180597500325dd0de0c30ac1770d18a982c1eb10d8082f11e4370e302b
SHA512 94b03fccf2074d3b637ca54067133ae7f44261529faa7dca154371c306756506be21fdf697c0879e348a5ce9fbcd925e321d5fc128138320f3e8ea87530ff7ca

C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

MD5 16feafabec151b73ce4ab34e14658a86
SHA1 f58438c9bd465cb5109fac85d01ff3f95f421fc3
SHA256 f689f47edba3dd9a09da9006692534fc2b217bdec0dc73d2490a0416cce0d116
SHA512 eb5a63cfa846ff8843fdf63bbe3fab00f665aaaa75e7b449e3a008fec2a897a414d5c5d9aedeb1bf70d4c9172d424b8a1c728f2e0e84667f597ebf7a5c10d149

C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat

MD5 7f7c4b783f95130948f7ac8d3bc3142e
SHA1 da7060a987156dfc4569b1e64cc78f34e8a51244
SHA256 ee993f9449bdaa2035ca55bf72d3e8c9f4727d809713c2266cff070ca8db2089
SHA512 539e062b38a7e07eb8d9605c7438229c60570f27bc1b85546029b4e422c37797db14232eab6680e7a475e358a068d776d7a9038f03a4ffc93afb6a3bfed54940

memory/4528-100-0x000000001ADB0000-0x000000001AE06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat

MD5 413b0d1f32708c47721c123508a99f41
SHA1 d9842806b73f7d2082e2d599e5182f382c17684a
SHA256 73f827a4f9d919dbe3259c050879ee22052d27ab8be60ce247ec54e157192b1d
SHA512 68df48ab02d77b355ce177a7b88d328c4ac5032473d0acf6b7d5e07990be4fec1fef1c3bc206c8c4ca6802b3b46ae961fa57473e5e7ddfbd6c4d823930cdc7b1

C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

MD5 8bce5fb0636992d5fa5a3758e2dc42cb
SHA1 1aed42ec2ccd40b6aa916971a29008f21edca67a
SHA256 0df907d50c4239285e333abfc42d297482376cdddc8f595141f5a0739d023a8f
SHA512 80de1e90d4b60a91bef31ea651fc05ff01c4366b7a3f360e0233d8f8b6cffa4f1fc169a0fee8c35a92c8aad41d63aa1d386e85eb74c6dd2d57fd862b6ab4ae77

C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

MD5 abcf320d08c00232e2f2a82baa25b7d3
SHA1 2742d5e559dfc192afa5fc79ee47e0bb31efc61b
SHA256 246fdf71c76efe22ac53c7c44c69dfb25a42005181c6fd01e9bbe9ff8f0fc41c
SHA512 0b4559312c4fa7db043ebab730e1ae2969f4a3eb892f443bd6d65330abbc17d07cdb75d3dbae41e9c614d066774afa48f8b25a2c993beadaff6ca52cf39a4ef1

C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

MD5 0382f7de8280fc49388a23c53c2ffe65
SHA1 6eecfac59b011222be19d421e228acd67851c8f3
SHA256 9b684281e89ccee22680e07f383eaee1a9e1fb730bcbb90b3a6990ec2c5d98c6
SHA512 eaf1e99bad27f919a9d72b9494469ca403b0d10fa68f6fe7d201638b11b8946342ff0aa78e68366dcc6608832eec84bd19bbbe05ceaccb19cab5d9bfd6684311

C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

MD5 6a9c124fbf2fb69f874ce3f0f4c1dd92
SHA1 71cba6a9419aeb82609a1ce07740b7849b56497e
SHA256 0ed97e61e4bc1a278927c55d4a3bd059c2a571fdcbb665defab2f3d31ed21ca0
SHA512 3ed7fb3d4ff6cd8b404958a8d2cf65840513b5d48fcf07f8ed54046cb7f8d9c63472c7d46ce079fc901a83431048a0ebdb3d0020017bf25eb27c4590c8573b1b

C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

MD5 68aa1d21471ec3427c616a5a679bba32
SHA1 39ce4f2a7b2d26bfc5b9a26bb819d4e111631c32
SHA256 7c5ca2eeda7f9c33f95a4720bfe83d41a94bb3b4f8a6b4483370e4ec7ebc7337
SHA512 4b55c3f29984ffaf928e5c664a25d3a37df13e6c39aef2770338eea2580b40d6ef1c7ee4ca9f1d50ee9577899375dbc7e1c235daf820abde632a7dd1cfe4d72c

C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

MD5 6a94d46115b0b5e4f9e01026241091c5
SHA1 cffa9a4715a617bc7f6a577bf3b2113011ac59fa
SHA256 598bed1ee17c3553d0a49535cf316787c56129595fdab3ee7598a4b139e25a57
SHA512 02a704fe9dc176177e68c86156971301baf2bd99b417405b65648b391afba5bf36d26bd72bc6c71a690b90fce3dce6e52527c9b74906f2d52b1c471177af5eb2

C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

MD5 c2a17eb8155781985aa4a8fa0989e9bd
SHA1 8bb3677e552c79021f0ef1c6323ddcdb62cade6f
SHA256 b10da69d95dd3888f419edfa80b7e80f9ec4cb404a2654c4bdac6f88d6e5b498
SHA512 175cb04fa5424fb1bec7d8f6cf42cea5fa747e0a12385458cccca6edc6529e032a0fa5bac6aa79c0bc389e3c520a5527bf9220dc816e800807026c63d2ba664f

C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

MD5 00242a2d01c28af4bec6fdf085bf559c
SHA1 36e1efd294197d13054e8f9049928b3c420bc0e3
SHA256 2d946c04808efaba463f42b49a453889d9f588cfedeea8c320c1f08348bc5a9e
SHA512 723e2e3363d141ce11a7a9c93a8b403600d4d728f71929f451f3bc2b5aeb274d014fcb4ce8e981a1af0642b13382d31cc1dd537542ec6967f372a8ba00ac6af3

C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

MD5 1e2deaa386931a2fc4cfa40741ff8b23
SHA1 c6902d77eb6a9b4d0b822f01f20fed9f8cf12c78
SHA256 c125db338b43ada0238451c020d78cb084e8e34a2d8c74dc3d4325118c77dccb
SHA512 a5bb937820e6fd4fe16976023ffcf31f4624cd8fa35749c981e9949169af8e140ce5e08981d9771696f8331d94daefb2528e9f401044d096d2223434a69ccc1c

C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

MD5 1223381b95b3fac63f713b011cf927e2
SHA1 7c263a7a0bd054421e0279cd4bf78832937db7d7
SHA256 ecb0343b64b1aa1add6561b6dc7561bbf47e4542b05399e8745f44c192adccf5
SHA512 8f377ef546d7af19b53718cc280a4587886f474c848ce66f01295fd1cc0e5155249d43e91086ed143eb887bfd0a849e940038dc1368409538863cd37bf652ba6

C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

MD5 2e9030db2ddfe4ee2197f428fc4a0c75
SHA1 88ab6fd496040db46aa5617b121c03d781e30404
SHA256 88f26491f2ae7f404993e78c70bea57341218dbc6600e09c8ef7393d2a7c414a
SHA512 5fcad1a1217eee85b983dc25d9c00b5a66b5347208c8244f7bc95652525da74e7f3ee01fbbee8d2c0e0bd05292ecbd779b8322237f73b5be08d2c2a7c01fd575

C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

MD5 0318765f63559822c6ea49ea956a5506
SHA1 67d79fd8ac12e6d0d925ed422fbe01cdf2692358
SHA256 8ba6a0dd560da4066ce1a19a4cb73dccf8dd136d8d9e4c2471890b93ef87094d
SHA512 eed06f25111bd238736f7365e4103ddb2595db688e97ea7c4678758d5cfa3bb401332c5c0909dc50d4634100064b9ed50f1a0c8eab60a3b1a6723c78d3fdefcb

C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

MD5 2e0efc547a1db40f1b6869d50092e839
SHA1 923ab59d3ff70a65932a45ef89263623ed549bc9
SHA256 fb090fe8222dee84f77d31c1ea2088cbb6511c8e61041caaaa4bc7ea4ea930de
SHA512 08dfc426416dbfd1fb48ed734120401b1b547e2f6904f7ac8240ddad48f7ae766db330ff61f48ada9c7543513272643f4c50315330da581647463e14836fbce4

C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

MD5 76b13e3412719e459d23a5fb7bfcc774
SHA1 ab74515b6a803622d885df2c0e48f9d55cdaceda
SHA256 197059b7b16a2c54b4c50a492872a13b96b068d7817ebd716a3c0ac28b7d7d42
SHA512 ee290315ad5b5b71120ccde7d7c372662b190594ebed6f14e41cab6615743e70358b6a451ad76dde7bc82a732b166d57a0241a5cd88dd41c2e1df0097698e51e

C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

MD5 1a17c692580fbf247ff5021e64746fc6
SHA1 c5fa043c7c810598da61c4a8ac9b06e5c51eb527
SHA256 134b189bd91338cd14afe31a70b7a5694ad4ea9eb2e4690fbc4a18d441a05431
SHA512 2d70a9405852b98141ab7dd3e7aa18664869df828cd7381e394d7d4dfd938f823cdf1029cfa89c086f857d90f9582425d72b572e2ca86e4827e7b1bd2e585a4c

C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

MD5 b282e1dae415e34e931fb7e41bc95df0
SHA1 4e93397f71eb5f92b5be07ea56bda974222d623a
SHA256 6d51fcbaf05e15e4743d8ab958cd2e4328531b5a5a2636f8a993bbe2aca8fe7b
SHA512 6f8b062057619666b70b2fc18180b75fd73f767a68212cea0e137f64ebe9fd467bd7bb0dd8c1c865c1b4ef10f3b51d25d5d8dea9cd78552f60b6de72a07ac3c9

C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

MD5 ca3925cb0eedae4122561addade85d87
SHA1 65e2591eb5808c114a0795798d7fbea5bcafb3e9
SHA256 b451a90edd3702a01690fa692f3f05d48286dfadf1790a36ca7d1ad9c36522e6
SHA512 1bb3e72230edb22b7952130fc35b06e1650e7aa7795583bca7177026cbd5ce4288840fe9584a8e1b1ac85f49f763f604eb6c3355224347fafa30c48c4673cc62

memory/3108-308-0x000000001AFB0000-0x000000001B006000-memory.dmp

memory/2132-390-0x0000000002DC0000-0x0000000002E16000-memory.dmp

memory/3220-415-0x0000000002600000-0x0000000002656000-memory.dmp

memory/1124-424-0x000000001B930000-0x000000001B986000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

MD5 a5f16f138776de9794b3b0fcc48b0564
SHA1 0f55c93bcb4299d80c5f656c50be0cef72be044d
SHA256 4be59bcff28c95734ab2e43b21fe6c0ca79487998f687833e9d6ccf1335fb679
SHA512 0ea52c00f44570f337633fe0bc8be2739c7ea932544d68a9fcfec8bbf80eb49ec6f1612a5c29b2cad0983858699d8e78a9f2277da048babd2b918dff72d324a9

memory/4624-498-0x000000001BB70000-0x000000001BBC6000-memory.dmp

memory/2096-527-0x000000001B240000-0x000000001B296000-memory.dmp

memory/4816-536-0x00000000016B0000-0x0000000001706000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CbICIGBzKl

MD5 623e1e3027dad669235a10804c0e14e1
SHA1 16f535e445020ef3261270f043b193f17ae9069b
SHA256 8576f3f2cba07f1821e3dc8719dd90ca5b9bd957f83079941d318d9af850d179
SHA512 f77c5e8ada6781e7c577c78018ee1195219035482492fa17046a5a177c5e1af4b42a109eb3c132d510fe22b921ddcd2cfe5f0ab0a58feaa293caccea0c76164a

memory/4300-569-0x000000001BA80000-0x000000001BAD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8yeMletNn1

MD5 e5a8414ccb14bd86ac816001b63d2c4e
SHA1 bb99da1c0fd3c5987af3d3ea6643071b0a641521
SHA256 079cf274463c7da76df504fc0536184ac9ed5c28064ff42c1e4317c4a624f1de
SHA512 3a03cede0c3c32a2866ea6b28e140f903e1a2c8cdf0bd84e5dcf06d5685148d9499805ba6dc4957e3002e4f184284b9449b6f2a17398473bc87b204f42092222

memory/2664-682-0x000000001BCC0000-0x000000001BD16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6TVXzSHJ63

MD5 73ac4ac546422c81da7bc281ecf76e2a
SHA1 6a13ff120effdc5d7aa9b491c130f24ace19d6aa
SHA256 1481f25cfb3beba6f9d73305eae6ea8c96fba6fc126b864980e7273a6e8ad4a1
SHA512 9919238c3f36a0ec165e2278b392d028ff085db5f276f6abfc1acd9e00bd5366d6b11843a72a44559ac705b48630908adc832ef7b7b603e5a09a910bb8dbf782

C:\Users\Admin\AppData\Local\Temp\rWwtp8AFNo

MD5 8189d8837600fa3c2d2b88e972568c24
SHA1 98562da0aa45ed1cd95cad18e133351af799abe7
SHA256 25810e68a82f16ed0cc5c5004396fbed468303fb5300bb8a581087f3e62e3d1e
SHA512 63804bd95a3965152850faa5c4ca85e02a71eef506738692e062d193d5ee05ff216ef5030f45cab44891b70568183c1f889a87f44bca244efc742682d8404638

C:\Users\Admin\AppData\Local\Temp\zRs4Qyxf4R

MD5 2df100961e75be2a60ba0ac0062e599f
SHA1 72135b04d505cb01999b1701450a3ef40520f198
SHA256 84681384fb3dd131d2799dc3ae13f67651546caf272019c298940cd2821448f8
SHA512 70f47c47223bdcf9203ff64f5d6caabdd440f19b315c105ac42274e686e5a2d5fb5622399e406bcc0132a1e6936021b8829e00af97709dc1795355dcbe49a764

C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

MD5 26452d221cf5e4060fd3c3d9a44a0375
SHA1 c653e70b3f117cb2767088fa3a54d2da0874e04c
SHA256 5691c66dfc69dead22f890dae6eedb4c17df68a9205856cd1cde6c531ac7879c
SHA512 d31fdf041162205e9445e4f8c8267fbfad1b4344594da66813c3c08767e5185efbddeef98cd62562dbdd8f0bedfaebf7e78311f32acebf2681d80895e0138ae1

memory/4972-764-0x000000001ADB0000-0x000000001AE06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9aUTVW1fpx

MD5 c5a04c801843cbc476a1792b973bd0f9
SHA1 db5b770d5c66868f95efbaa687a47ef6bf3a4fe5
SHA256 9084eda76b91e832d9c4cb0f7547f3c25c3f151e948a187021d7d374ace71ce7
SHA512 2f40d645145ef94e7c4067fc11905d6ef515d6e3825a2c8dbee21ae3bd81ebc4efbdb72e601873e9f62575c4bf5bb55d400e19717bc23a4ae24dad938830b682

C:\Users\Admin\AppData\Local\Temp\ox2ZAjCPGx

MD5 10b0d9332648fb59b1f67b248b1428c0
SHA1 bfde3f1cde2a43dc163ec6068b5c5833eaf3c68d
SHA256 0db594e38f028f890011862757b43a178321ee4323bc0a544de8bb16c001d7eb
SHA512 9e422e34da03395410aa6e1a7045e496398f257ff1560eebb7ead86ab2125f09b16783b58b6b25f2868fc562b71638ff4899f64816b9609ed8de7057b6222d22

C:\Users\Admin\AppData\Local\Temp\pIHgKQsfKv

MD5 63c60822e5ee292d2bd2505aca48145a
SHA1 5e6077bdc94d2eaa99e678564d4b1d1ede69401d
SHA256 2ac654d5272e9f41c008fdb9fe9b2e4222d5732ba70c49f9d4e5d55d49938826
SHA512 f2406a1275ba12aaec0e528736ad6e39d656267458948042875ec3ad3eeafdad27e592636a34c0cdf2d99d446ec1d1b540797e038a4619985b861eb993d70c8f

C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

MD5 09d5e96a8231503c240f4388f8edbe58
SHA1 accc856469d26005b5b17875ff3a8075a36f6e3c
SHA256 195c5fe9498f89874443e55aa3523f403e7af27866cdffc15d480409e9d8e6cb
SHA512 2080ca08a6f85643410d240f5be00a3872ecf554a3e71ee52cfcd6713e30e74002bbaf40c102b6d2ae2b9926c68b5a0a0a849392ac8e34c7d9b9a150f6e65473

C:\Users\Admin\AppData\Local\Temp\C9NnAvzWwo

MD5 deece11eea7f763ebd0c7d592503c48e
SHA1 c29b569657b046783840858fc7c4ee19aab62a84
SHA256 98bc359d96183f7bb9c576b0b07a7fe15d466e55e3ba5ec7bda095fccd6651b2
SHA512 114fcdd888fb63fd68907848c7bb627de9a901a2fdd20ff706cb84220b787e099f9b664db9a329521eb18e22299790cda94e76f10a93d58e2eb36a81e7d9abab

C:\Users\Admin\AppData\Local\Temp\P9sEQhH1Z9

MD5 e9e108190185c5423cc0d40f1729c507
SHA1 e25556ffc3a71a593d025f9354aa6e41ac8ebdda
SHA256 1b403b3b7aca34331ed4834cb7f5dab972ac1d572fa192748e6d94ec6fe930dd
SHA512 b90f110247e80ac9df709cb6b0f847bfa9e7acdd04f78c9fed6cd800e1579fffe6934c1bdbfba140b1b644809691f86a428f1dac10a2e770047f2b036f46c1a2

C:\Users\Admin\AppData\Local\Temp\VHfsjVChnr

MD5 f7c426237ab5e4d7fa6a4b2b6c679a9b
SHA1 1e26f2241dac8cfd507a72b07f8e66796bfaf023
SHA256 69353f1e3a8c559b9bdc0d1ae872f8838c7f0e674800bc10af759697f902a59c
SHA512 2f0f06167b21b8e29f8c923098f3882475d00dcbe7b2c5813c0721e332c3bee1f9cda1214213b497de12f75fd477a86e864982c2a1bfbc4b508f37d4d38c1919

memory/4820-901-0x000000001ACA0000-0x000000001ACF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eoRA4B8PWR

MD5 3a9e8c44f7814a439b00b2e5558bbf7b
SHA1 25f21b2b64e8971b234413d3ffea8c8ac9b12eaa
SHA256 d9e0c74c93a06083cc22c88019dc99caa44b222471c4836bd6e72c018deb7e7b
SHA512 173c0d027364f86513779eb704c71fe75195cd72b7a3fef58052635d2945d8f046d36b77071c5e3e7c47d398f08fb5ee78916275af026ba83e862d6584e509c0

C:\Users\Admin\AppData\Local\Temp\L84Udx7h3L

MD5 2f163505d488403e3ef306f45219cb7b
SHA1 90a167d6f06f0c08a9b490fd598e8a080f6ff476
SHA256 bdc915d901f3042e9f64eb0d09713962037018bf2c8ca2b1d3497536cebf4f50
SHA512 dd4d384d411788154c3cc663eec6b15fe9b1a1ff69a6a08d0599be7e5c32fc39f4fefc8a4bbb8d3d75ff6116a4800d995e7330950f63404c6b31fd84ace12ccf

C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

MD5 efc0003cd18211650f61ecd2d3a7e0a9
SHA1 ab252ccef2138be3d130cf8f004417cf1a9f9364
SHA256 e699a68c292ca5999de922c3dd0cbe3e38e3606bda078bdf81f18966d6848106
SHA512 f72f54835134997383a3993f059aa75827006c6039e64196febc57948c67eef98501399f84f95dede0159ed027ae6bb4fb000045882d91dd89caf3d3a490e540

C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

MD5 15456849895098a3add4a8233d024036
SHA1 bc5090571f2764fe614eaa687f24caa30893806e
SHA256 42b304ce76bdcbd7ea4b65cf38d66ecdfd8da277077f9776842e601f92292448
SHA512 296332b730f66424d6e4c1255852238e4a06fab192c3b8a5252c536cc6de43319ceb39e37212d46ffab992d8a66ce953a1c26f4af1d2afba3ed67c1a170f2b92

C:\Users\Admin\AppData\Local\Temp\03iBAp6x6N

MD5 ade8ebca6e309c62627523f7df6c3b87
SHA1 2b2ed78eaadfab6470aeac668b5baebcf1502d81
SHA256 aa9edb868a0c64c6d8d2fe5754cfe54606a11c6c6db6190f955d309a58fcbb97
SHA512 d1840e07e8d9fc143c01a8367c80ee16dfe1a42093034d712d04219f1e2f5ee50b4164fd9b24fbb4cc4c1d9c6446f5c99aa46202cf1269da596e11d86436e490