rms | 93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9

Analysis

max time kernel
164s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
13-02-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9.exe
Size

3.9MB
MD5

e9022a31f63f7753808daf4c637d808f
SHA1

391b59402fa46f86bcf6886cb26d90964085a7dd
SHA256

93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9
SHA512

c42bc6b8f04bed2515faabb7050a3f9e265f87125b9002d465121f30c4b8ea212fba6013db55a76fbcdaa3167ebd0aa0080e745e0b58498252d1280f10825d35

Score

10^/10

rms evasion persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000300000001e905-139.dat	acprotect
behavioral2/files/0x000300000001e90d-156.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4656	data.exe
2988	svchost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001e905-139.dat	upx
behavioral2/files/0x000300000001e90d-156.dat	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:Windows64\\svchost.exe"	reg.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File created	C:\Windows\4w5tb68h7t987093f4trq893f4rw89etw.txt	wscript.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3076	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
4076	tasklist.exe
312	tasklist.exe
3192	tasklist.exe
3924	tasklist.exe
1388	tasklist.exe
560	tasklist.exe
3720	tasklist.exe
4272	tasklist.exe
1164	tasklist.exe
1132	tasklist.exe
4300	tasklist.exe
3376	tasklist.exe
3492	tasklist.exe
3812	tasklist.exe
4040	tasklist.exe
4212	tasklist.exe
2712	tasklist.exe
1312	tasklist.exe
4284	tasklist.exe
1808	tasklist.exe
3188	tasklist.exe
1312	tasklist.exe
3228	tasklist.exe
4900	tasklist.exe
4052	tasklist.exe
2240	tasklist.exe
4400	tasklist.exe
4152	tasklist.exe
812	tasklist.exe
2392	tasklist.exe
4756	tasklist.exe
4956	tasklist.exe
3176	tasklist.exe
3852	tasklist.exe
4568	tasklist.exe
2660	tasklist.exe
4020	tasklist.exe
2072	tasklist.exe
2148	tasklist.exe
4948	tasklist.exe
4212	tasklist.exe
1296	tasklist.exe
4192	tasklist.exe
1728	tasklist.exe
1960	tasklist.exe
2392	tasklist.exe
456	tasklist.exe
5004	tasklist.exe
812	tasklist.exe
4296	tasklist.exe
3680	tasklist.exe
3892	tasklist.exe
360	tasklist.exe
2480	tasklist.exe
4880	tasklist.exe
4956	tasklist.exe
1936	tasklist.exe
3016	tasklist.exe
3552	tasklist.exe
1968	tasklist.exe
3496	tasklist.exe
228	tasklist.exe
4216	tasklist.exe
2008	tasklist.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1944	taskkill.exe
1152	taskkill.exe
1660	taskkill.exe
4764	taskkill.exe
3580	taskkill.exe
3388	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	data.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3176	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	svchost.exe
2988	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	3388	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeTakeOwnershipPrivilege	2988	svchost.exe
Token: SeTcbPrivilege	2988	svchost.exe
Token: SeTcbPrivilege	2988	svchost.exe
Token: SeDebugPrivilege	1272	tasklist.exe
Token: SeDebugPrivilege	3348	tasklist.exe
Token: SeDebugPrivilege	4296	tasklist.exe
Token: SeDebugPrivilege	1132	tasklist.exe
Token: SeDebugPrivilege	1880	tasklist.exe
Token: SeShutdownPrivilege	3500	svchost.exe
Token: SeCreatePagefilePrivilege	3500	svchost.exe
Token: SeShutdownPrivilege	3500	svchost.exe
Token: SeCreatePagefilePrivilege	3500	svchost.exe
Token: SeShutdownPrivilege	3500	svchost.exe
Token: SeCreatePagefilePrivilege	3500	svchost.exe
Token: SeDebugPrivilege	2788	tasklist.exe
Token: SeDebugPrivilege	3112	tasklist.exe
Token: SeDebugPrivilege	1204	tasklist.exe
Token: SeDebugPrivilege	2272	tasklist.exe
Token: SeDebugPrivilege	3672	tasklist.exe
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeDebugPrivilege	4896	tasklist.exe
Token: SeDebugPrivilege	4976	tasklist.exe
Token: SeDebugPrivilege	3188	tasklist.exe
Token: SeDebugPrivilege	4076	tasklist.exe
Token: SeDebugPrivilege	4192	tasklist.exe
Token: SeDebugPrivilege	5076	tasklist.exe
Token: SeDebugPrivilege	4300	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	4900	tasklist.exe
Token: SeDebugPrivilege	4296	tasklist.exe
Token: SeDebugPrivilege	4052	tasklist.exe
Token: SeDebugPrivilege	4924	tasklist.exe
Token: SeDebugPrivilege	3376	tasklist.exe
Token: SeDebugPrivilege	1880	tasklist.exe
Token: SeDebugPrivilege	4756	tasklist.exe
Token: SeDebugPrivilege	3224	tasklist.exe
Token: SeDebugPrivilege	2128	tasklist.exe
Token: SeDebugPrivilege	1484	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	4156	tasklist.exe
Token: SeDebugPrivilege	3888	tasklist.exe
Token: SeDebugPrivilege	5100	tasklist.exe
Token: SeSecurityPrivilege	5016	TiWorker.exe
Token: SeRestorePrivilege	5016	TiWorker.exe
Token: SeBackupPrivilege	5016	TiWorker.exe
Token: SeDebugPrivilege	4896	tasklist.exe
Token: SeDebugPrivilege	4520	tasklist.exe
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeDebugPrivilege	3412	tasklist.exe
Token: SeDebugPrivilege	2312	tasklist.exe
Token: SeDebugPrivilege	4712	tasklist.exe
Token: SeDebugPrivilege	1728	tasklist.exe
Token: SeDebugPrivilege	1272	tasklist.exe
Token: SeDebugPrivilege	2244	tasklist.exe
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	3016	tasklist.exe
Token: SeDebugPrivilege	4020	tasklist.exe
Token: SeDebugPrivilege	4292	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2988	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4656	4804	93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9.exe	83
PID 4804 wrote to memory of 4656	4804	93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9.exe	83
PID 4804 wrote to memory of 4656	4804	93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9.exe	83
PID 4656 wrote to memory of 952	4656	data.exe	86
PID 4656 wrote to memory of 952	4656	data.exe	86
PID 4656 wrote to memory of 952	4656	data.exe	86
PID 952 wrote to memory of 3500	952	WScript.exe	87
PID 952 wrote to memory of 3500	952	WScript.exe	87
PID 952 wrote to memory of 3500	952	WScript.exe	87
PID 952 wrote to memory of 1396	952	WScript.exe	88
PID 952 wrote to memory of 1396	952	WScript.exe	88
PID 952 wrote to memory of 1396	952	WScript.exe	88
PID 952 wrote to memory of 1756	952	WScript.exe	89
PID 952 wrote to memory of 1756	952	WScript.exe	89
PID 952 wrote to memory of 1756	952	WScript.exe	89
PID 952 wrote to memory of 1904	952	WScript.exe	90
PID 952 wrote to memory of 1904	952	WScript.exe	90
PID 952 wrote to memory of 1904	952	WScript.exe	90
PID 3500 wrote to memory of 3696	3500	wscript.exe	91
PID 3500 wrote to memory of 3696	3500	wscript.exe	91
PID 3500 wrote to memory of 3696	3500	wscript.exe	91
PID 3696 wrote to memory of 224	3696	cmd.exe	93
PID 3696 wrote to memory of 224	3696	cmd.exe	93
PID 3696 wrote to memory of 224	3696	cmd.exe	93
PID 3696 wrote to memory of 2044	3696	cmd.exe	94
PID 3696 wrote to memory of 2044	3696	cmd.exe	94
PID 3696 wrote to memory of 2044	3696	cmd.exe	94
PID 3696 wrote to memory of 5060	3696	cmd.exe	95
PID 3696 wrote to memory of 5060	3696	cmd.exe	95
PID 3696 wrote to memory of 5060	3696	cmd.exe	95
PID 3696 wrote to memory of 4764	3696	cmd.exe	96
PID 3696 wrote to memory of 4764	3696	cmd.exe	96
PID 3696 wrote to memory of 4764	3696	cmd.exe	96
PID 3696 wrote to memory of 3580	3696	cmd.exe	100
PID 3696 wrote to memory of 3580	3696	cmd.exe	100
PID 3696 wrote to memory of 3580	3696	cmd.exe	100
PID 3696 wrote to memory of 3388	3696	cmd.exe	101
PID 3696 wrote to memory of 3388	3696	cmd.exe	101
PID 3696 wrote to memory of 3388	3696	cmd.exe	101
PID 3696 wrote to memory of 1944	3696	cmd.exe	102
PID 3696 wrote to memory of 1944	3696	cmd.exe	102
PID 3696 wrote to memory of 1944	3696	cmd.exe	102
PID 3696 wrote to memory of 1152	3696	cmd.exe	103
PID 3696 wrote to memory of 1152	3696	cmd.exe	103
PID 3696 wrote to memory of 1152	3696	cmd.exe	103
PID 3696 wrote to memory of 1660	3696	cmd.exe	105
PID 3696 wrote to memory of 1660	3696	cmd.exe	105
PID 3696 wrote to memory of 1660	3696	cmd.exe	105
PID 3696 wrote to memory of 2980	3696	cmd.exe	106
PID 3696 wrote to memory of 2980	3696	cmd.exe	106
PID 3696 wrote to memory of 2980	3696	cmd.exe	106
PID 3696 wrote to memory of 2268	3696	cmd.exe	107
PID 3696 wrote to memory of 2268	3696	cmd.exe	107
PID 3696 wrote to memory of 2268	3696	cmd.exe	107
PID 3696 wrote to memory of 4696	3696	cmd.exe	108
PID 3696 wrote to memory of 4696	3696	cmd.exe	108
PID 3696 wrote to memory of 4696	3696	cmd.exe	108
PID 3696 wrote to memory of 3176	3696	cmd.exe	109
PID 3696 wrote to memory of 3176	3696	cmd.exe	109
PID 3696 wrote to memory of 3176	3696	cmd.exe	109
PID 3696 wrote to memory of 3076	3696	cmd.exe	110
PID 3696 wrote to memory of 3076	3696	cmd.exe	110
PID 3696 wrote to memory of 3076	3696	cmd.exe	110
PID 3696 wrote to memory of 2988	3696	cmd.exe	111

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
224	attrib.exe
532	attrib.exe
3444	attrib.exe

C:\Users\Admin\AppData\Local\Temp\93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9.exe
"C:\Users\Admin\AppData\Local\Temp\93d1acf7029aeee1472271e316a7e8f55342bd963c3708f264a08443af4e8bb9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe" -p284579G45398T745398T
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      Checks computer location settings
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Log\Windows\hiscomponent\install.bat" "
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Log"
        6⤵
        Views/modifies file attributes
        
        PID:224
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state off
        6⤵
        
        PID:2044
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Log\Windows\hiscomponent\msg.vbs"
        6⤵
        
        PID:5060
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im systemc.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im drivemanag.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dumprep.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winlogs.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:2980
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
        6⤵
        
        PID:2268
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f
        6⤵
        
        PID:4696
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "Windows\hiscomponent\regedit.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:3176
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:3076
      - C:\Windows64\svchost.exe
        
        svchost.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2988
      - C:\Windows\SysWOW64\reg.exe
        
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Services" /t REG_SZ /d "C:Windows64\svchost.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:476
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows64\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:532
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows64"
        6⤵
        Views/modifies file attributes
        
        PID:3444
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows64\process.vbs"
        6⤵
        Checks computer location settings
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows64\process.bat" "
        7⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:648
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:532
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:360
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:560
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3552
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:836
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:648
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3680
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:536
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:560
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3176
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4192
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2072
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:696
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:360
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4284
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4756
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:920
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:616
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3852
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3892
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:536
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4880
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1808
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3492
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:432
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:516
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3188
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2240
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:360
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:644
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:648
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4956
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3192
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1728
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1960
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1388
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1312
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4040
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1936
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4216
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:660
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:836
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:872
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:616
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:476
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:516
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1164
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1968
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2392
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3924
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2148
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3016
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:456
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:360
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4568
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:5004
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4400
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4152
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:684
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:360
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4212
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:312
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4956
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:532
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:560
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:448
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4948
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:260
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2712
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4052
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3496
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2480
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2660
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:536
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:384
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:776
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2392
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2008
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:3720
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:660
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:360
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4212
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:812
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:648
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:832
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4272
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:260
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1296
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\find.exe
        
        find "svchost.exe"
        8⤵
        
        PID:3836
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:1396
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2988-161-0x0000000000400000-0x0000000000A94000-memory.dmp

Filesize
6.6MB

Download
memory/2988-162-0x0000000002AF0000-0x0000000002AF2000-memory.dmp

Filesize
8KB

Download
memory/2988-163-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/3500-158-0x000001E931960000-0x000001E931970000-memory.dmp

Filesize
64KB

Download
memory/3500-159-0x000001E931F20000-0x000001E931F30000-memory.dmp

Filesize
64KB

Download
memory/3500-160-0x000001E9345C0000-0x000001E9345C4000-memory.dmp

Filesize
16KB

Download
memory/4804-130-0x00000000779F2000-0x00000000779F3000-memory.dmp

Filesize
4KB

Download
memory/4804-131-0x00000000779F3000-0x00000000779F4000-memory.dmp

Filesize
4KB

Download