3cdb68c5195e98f7beb68a3e0008a2e6e09933d0fc38505a617eeacc18d50352

Analysis

max time kernel
72s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 18:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe
Size

70KB
MD5

35d11b5fc3ecb74ca8a37116f9b4379d
SHA1

76dde20a32955620e212f4e5ed7abecb0cbfb667
SHA256

3cdb68c5195e98f7beb68a3e0008a2e6e09933d0fc38505a617eeacc18d50352
SHA512

34652d425902a99e8a83b2886448acad7eab921bf18b3c78af6aecb131699b6624c0bbb34e37df496cd1364a4a1a315f721095cbdad64013f8ce97eefc3eef65
SSDEEP

1536:O/dI+gjVU6VasTy3YD3P8ktmEtLhS8P/2gh9qO3s5SWUdgrTMG2U0/3GDvi:tSQasT/hS8n2KqO3sFU+rTm2Ti

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	sntsvc.exe

Executes dropped EXE 64 IoCs

pid	Process
220	sntsvc.exe
4528	sntsvc.exe
3224	sntsvc.exe
3052	sntsvc.exe
4504	sntsvc.exe
1760	sntsvc.exe
688	sntsvc.exe
2512	sntsvc.exe
4692	sntsvc.exe
1212	sntsvc.exe
3076	sntsvc.exe
3300	sntsvc.exe
4456	sntsvc.exe
1476	sntsvc.exe
920	sntsvc.exe
772	sntsvc.exe
3416	sntsvc.exe
3400	sntsvc.exe
2832	sntsvc.exe
440	sntsvc.exe
1792	sntsvc.exe
2596	sntsvc.exe
4504	sntsvc.exe
4368	sntsvc.exe
4100	sntsvc.exe
1604	sntsvc.exe
3140	sntsvc.exe
1100	sntsvc.exe
4792	sntsvc.exe
3828	sntsvc.exe
4592	sntsvc.exe
1760	sntsvc.exe
3112	sntsvc.exe
4800	sntsvc.exe
3692	sntsvc.exe
2948	sntsvc.exe
3532	sntsvc.exe
2060	sntsvc.exe
1204	sntsvc.exe
1740	sntsvc.exe
4376	sntsvc.exe
2960	sntsvc.exe
3980	sntsvc.exe
4296	sntsvc.exe
2344	sntsvc.exe
4880	sntsvc.exe
1888	sntsvc.exe
3960	sntsvc.exe
720	sntsvc.exe
4568	sntsvc.exe
3656	sntsvc.exe
2352	sntsvc.exe
2464	sntsvc.exe
4492	sntsvc.exe
1064	sntsvc.exe
3060	sntsvc.exe
4628	sntsvc.exe
932	sntsvc.exe
3056	sntsvc.exe
1840	sntsvc.exe
2648	sntsvc.exe
3384	sntsvc.exe
2336	sntsvc.exe
4892	sntsvc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3068-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3068-1-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/files/0x000900000002346d-7.dat	upx
behavioral2/memory/220-37-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3068-39-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4528-44-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/220-43-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3224-47-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4528-49-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3224-53-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4504-58-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3052-57-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4504-62-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1760-63-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1760-67-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/688-68-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/688-73-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2512-74-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2512-78-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4692-79-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4692-83-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1212-84-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3076-89-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1212-88-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3076-92-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3300-93-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3300-97-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4456-101-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1476-102-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1476-106-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/772-111-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/920-110-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3416-115-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/772-114-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3416-119-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3400-123-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2832-124-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2832-128-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/440-129-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1792-134-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/440-133-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1792-138-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2596-139-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4504-142-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2596-143-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4368-149-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4504-148-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4100-154-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4368-153-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4100-158-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1604-157-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3140-163-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1604-162-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3140-167-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1100-168-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1100-173-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4792-177-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3828-178-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4592-183-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3828-182-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4592-187-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1760-188-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/3112-193-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1760-192-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Event Section = "sntsvc.exe"	sntsvc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File created	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe
File opened for modification	C:\Windows\SysWOW64\sntsvc.exe	sntsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sntsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3068	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	220	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4528	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3224	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3052	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4504	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1760	sntsvc.exe
Token: SeIncBasePriorityPrivilege	688	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2512	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4692	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1212	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3076	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3300	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4456	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1476	sntsvc.exe
Token: SeIncBasePriorityPrivilege	920	sntsvc.exe
Token: SeIncBasePriorityPrivilege	772	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3416	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3400	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2832	sntsvc.exe
Token: SeIncBasePriorityPrivilege	440	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1792	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2596	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4504	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4368	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4100	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1604	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3140	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1100	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4792	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3828	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4592	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1760	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3112	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4800	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3692	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2948	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3532	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2060	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1204	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1740	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4376	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2960	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3980	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4296	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2344	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4880	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1888	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3960	sntsvc.exe
Token: SeIncBasePriorityPrivilege	720	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4568	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3656	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2352	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2464	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4492	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1064	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3060	sntsvc.exe
Token: SeIncBasePriorityPrivilege	4628	sntsvc.exe
Token: SeIncBasePriorityPrivilege	932	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3056	sntsvc.exe
Token: SeIncBasePriorityPrivilege	1840	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2648	sntsvc.exe
Token: SeIncBasePriorityPrivilege	3384	sntsvc.exe
Token: SeIncBasePriorityPrivilege	2336	sntsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 220	3068	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe	85
PID 3068 wrote to memory of 220	3068	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe	85
PID 3068 wrote to memory of 220	3068	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe	85
PID 3068 wrote to memory of 392	3068	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe	86
PID 3068 wrote to memory of 392	3068	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe	86
PID 3068 wrote to memory of 392	3068	35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe	86
PID 220 wrote to memory of 4528	220	sntsvc.exe	88
PID 220 wrote to memory of 4528	220	sntsvc.exe	88
PID 220 wrote to memory of 4528	220	sntsvc.exe	88
PID 220 wrote to memory of 3644	220	sntsvc.exe	89
PID 220 wrote to memory of 3644	220	sntsvc.exe	89
PID 220 wrote to memory of 3644	220	sntsvc.exe	89
PID 4528 wrote to memory of 3224	4528	sntsvc.exe	91
PID 4528 wrote to memory of 3224	4528	sntsvc.exe	91
PID 4528 wrote to memory of 3224	4528	sntsvc.exe	91
PID 4528 wrote to memory of 2768	4528	sntsvc.exe	92
PID 4528 wrote to memory of 2768	4528	sntsvc.exe	92
PID 4528 wrote to memory of 2768	4528	sntsvc.exe	92
PID 3224 wrote to memory of 3052	3224	sntsvc.exe	94
PID 3224 wrote to memory of 3052	3224	sntsvc.exe	94
PID 3224 wrote to memory of 3052	3224	sntsvc.exe	94
PID 3224 wrote to memory of 4688	3224	sntsvc.exe	95
PID 3224 wrote to memory of 4688	3224	sntsvc.exe	95
PID 3224 wrote to memory of 4688	3224	sntsvc.exe	95
PID 3052 wrote to memory of 4504	3052	sntsvc.exe	97
PID 3052 wrote to memory of 4504	3052	sntsvc.exe	97
PID 3052 wrote to memory of 4504	3052	sntsvc.exe	97
PID 3052 wrote to memory of 3996	3052	sntsvc.exe	98
PID 3052 wrote to memory of 3996	3052	sntsvc.exe	98
PID 3052 wrote to memory of 3996	3052	sntsvc.exe	98
PID 4504 wrote to memory of 1760	4504	sntsvc.exe	100
PID 4504 wrote to memory of 1760	4504	sntsvc.exe	100
PID 4504 wrote to memory of 1760	4504	sntsvc.exe	100
PID 4504 wrote to memory of 3836	4504	sntsvc.exe	101
PID 4504 wrote to memory of 3836	4504	sntsvc.exe	101
PID 4504 wrote to memory of 3836	4504	sntsvc.exe	101
PID 1760 wrote to memory of 688	1760	sntsvc.exe	103
PID 1760 wrote to memory of 688	1760	sntsvc.exe	103
PID 1760 wrote to memory of 688	1760	sntsvc.exe	103
PID 1760 wrote to memory of 4344	1760	sntsvc.exe	104
PID 1760 wrote to memory of 4344	1760	sntsvc.exe	104
PID 1760 wrote to memory of 4344	1760	sntsvc.exe	104
PID 688 wrote to memory of 2512	688	sntsvc.exe	106
PID 688 wrote to memory of 2512	688	sntsvc.exe	106
PID 688 wrote to memory of 2512	688	sntsvc.exe	106
PID 688 wrote to memory of 2920	688	sntsvc.exe	107
PID 688 wrote to memory of 2920	688	sntsvc.exe	107
PID 688 wrote to memory of 2920	688	sntsvc.exe	107
PID 2512 wrote to memory of 4692	2512	sntsvc.exe	109
PID 2512 wrote to memory of 4692	2512	sntsvc.exe	109
PID 2512 wrote to memory of 4692	2512	sntsvc.exe	109
PID 2512 wrote to memory of 2740	2512	sntsvc.exe	110
PID 2512 wrote to memory of 2740	2512	sntsvc.exe	110
PID 2512 wrote to memory of 2740	2512	sntsvc.exe	110
PID 4692 wrote to memory of 1212	4692	sntsvc.exe	112
PID 4692 wrote to memory of 1212	4692	sntsvc.exe	112
PID 4692 wrote to memory of 1212	4692	sntsvc.exe	112
PID 4692 wrote to memory of 220	4692	sntsvc.exe	113
PID 4692 wrote to memory of 220	4692	sntsvc.exe	113
PID 4692 wrote to memory of 220	4692	sntsvc.exe	113
PID 1212 wrote to memory of 3076	1212	sntsvc.exe	115
PID 1212 wrote to memory of 3076	1212	sntsvc.exe	115
PID 1212 wrote to memory of 3076	1212	sntsvc.exe	115
PID 1212 wrote to memory of 2776	1212	sntsvc.exe	116

C:\Users\Admin\AppData\Local\Temp\35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35d11b5fc3ecb74ca8a37116f9b4379d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\sntsvc.exe
  "C:\Windows\system32\sntsvc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\sntsvc.exe
    "C:\Windows\system32\sntsvc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\sntsvc.exe
      "C:\Windows\system32\sntsvc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:720
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        66⤵
        Checks computer location settings
        
        PID:4840
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        70⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1456
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        71⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        73⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        74⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        75⤵
        Checks computer location settings
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        77⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        78⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        79⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        80⤵
        Adds Run key to start application
        
        PID:4220
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        82⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        83⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        84⤵
        Checks computer location settings
        
        PID:1760
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        85⤵
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        86⤵
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        87⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        88⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2324
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        89⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        90⤵
        Adds Run key to start application
        
        PID:3304
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        91⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        93⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        94⤵
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        95⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        96⤵
        Adds Run key to start application
        
        PID:1864
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        97⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        98⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2040
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        99⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        100⤵
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        101⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        102⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        103⤵
        Checks computer location settings
        
        PID:2916
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        104⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        105⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        106⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        108⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        109⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        110⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        111⤵
        Adds Run key to start application
        
        PID:652
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        112⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        113⤵
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        114⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        115⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        116⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        117⤵
        Checks computer location settings
        
        PID:4368
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        118⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        119⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        120⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4580
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        121⤵
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        122⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        123⤵
        Adds Run key to start application
        
        PID:3836
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        124⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2152
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        125⤵
        Checks computer location settings
        
        PID:3928
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        126⤵
        Adds Run key to start application
        
        PID:3460
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        127⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        128⤵
        Adds Run key to start application
        
        PID:968
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        129⤵
        Adds Run key to start application
        
        PID:3224
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        130⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        131⤵
        Checks computer location settings
        
        PID:4492
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        132⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        133⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        134⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        135⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        136⤵
        Adds Run key to start application
        
        PID:4844
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        137⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        138⤵
        Checks computer location settings
        
        PID:4340
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        139⤵
        Checks computer location settings
        
        PID:1864
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        140⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        142⤵
        Checks computer location settings
        
        PID:5036
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        143⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        144⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        145⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        146⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        147⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        148⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        149⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        150⤵
        
        PID:620
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        151⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        152⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        153⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        154⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        155⤵
        
        PID:212
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        156⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        157⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        158⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        159⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        160⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        161⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        162⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        163⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        164⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        165⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        166⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        167⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        168⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        169⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        170⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        171⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        172⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        173⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        174⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        175⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        176⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        177⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        178⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        179⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        180⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        181⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        182⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        183⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        184⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        185⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        186⤵
        
        PID:544
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        187⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        188⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        189⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        190⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        191⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        192⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        193⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        194⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        195⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        196⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        197⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        198⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        199⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        200⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        201⤵
        
        PID:812
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        202⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        203⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        204⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        205⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        206⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        207⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        208⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        209⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        210⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        211⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        212⤵
        
        PID:440
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        213⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        214⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        215⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        216⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        217⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        218⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        219⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        220⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        221⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        222⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        223⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        224⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        225⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        226⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        227⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        228⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        229⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        230⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        231⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        232⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        233⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        234⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        235⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        236⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        237⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        238⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        239⤵
        
        PID:884
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        240⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        241⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        242⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        243⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        244⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        245⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        246⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        247⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        248⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        249⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        250⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        251⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        252⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        253⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        254⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        255⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        256⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        257⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        258⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        259⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        260⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        261⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        262⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        263⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        264⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        265⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        266⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        267⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        268⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        269⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        270⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        271⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        272⤵
        
        PID:540
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        273⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        274⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        275⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        276⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        277⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        278⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        279⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        280⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        281⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        282⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        283⤵
        
        PID:864
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        284⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        285⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        286⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        287⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        288⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        289⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        290⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        291⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        292⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        293⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        294⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        295⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        296⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        297⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\sntsvc.exe
        
        "C:\Windows\system32\sntsvc.exe"
        298⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        298⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        297⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        296⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        295⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        294⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        293⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        292⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        291⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        290⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        289⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        288⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        287⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        286⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        287⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        285⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        284⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        283⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        282⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        281⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        280⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        279⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        278⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        277⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        276⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        275⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        274⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        273⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        272⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        271⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        270⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        269⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        268⤵
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        267⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        266⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        265⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        264⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        263⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        264⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        262⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        261⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        260⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        259⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        258⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        257⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        256⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        255⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        254⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        253⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        252⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        251⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        250⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        249⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        248⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        247⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        246⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        245⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        244⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        243⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        242⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        241⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        240⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        239⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        238⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        237⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        236⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        235⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        234⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        233⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        232⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        231⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        230⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        229⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        228⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        227⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        226⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        225⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        224⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        223⤵
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        224⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        222⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        221⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        220⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        219⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        218⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        217⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        216⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        215⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        214⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        213⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        214⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        212⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        211⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        210⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        209⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        210⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        208⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        207⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        206⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        205⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        204⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        203⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        204⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        202⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        201⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        200⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        199⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        198⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        197⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        196⤵
        
        PID:3756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        195⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        194⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        193⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        192⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        191⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        190⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        189⤵
        
        PID:1568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        188⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        187⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        186⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        185⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        184⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        183⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        182⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        181⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        180⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        179⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        178⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        177⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        176⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        175⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        174⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        173⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        172⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        171⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        170⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        169⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        168⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        167⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        166⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        165⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        164⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        163⤵
        
        PID:3280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        162⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        161⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        160⤵
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        159⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        158⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        157⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        156⤵
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        155⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        154⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        153⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        152⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        151⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        150⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        149⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        148⤵
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        147⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        146⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        145⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        144⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        143⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        142⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        141⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        140⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        139⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        138⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        137⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        136⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        135⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        134⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        133⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        132⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        131⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        130⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        129⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        128⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        127⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        126⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        125⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        124⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        123⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        122⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        121⤵
        
        PID:4168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        120⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        119⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        118⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        117⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        116⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        115⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        114⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        113⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        112⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        111⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        110⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        109⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        108⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        107⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        106⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        105⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        104⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        103⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        102⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        101⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        100⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        99⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        98⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        97⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        96⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        95⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        94⤵
        
        PID:3756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        93⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        92⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        91⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        90⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        89⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        88⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        87⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        86⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        85⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        84⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        83⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        82⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        81⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        80⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        79⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        78⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        77⤵
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        76⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        75⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        74⤵
        
        PID:4108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        73⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        72⤵
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        71⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        70⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        69⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        68⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        67⤵
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        66⤵
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        65⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        64⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        63⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        62⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        61⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        60⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        59⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        58⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        57⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        56⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        55⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        54⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        53⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        52⤵
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        51⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        50⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        49⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        48⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        47⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        46⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        45⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        44⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        43⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        42⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        41⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        40⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        39⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        38⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        37⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        36⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        35⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        34⤵
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        33⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        32⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        31⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        30⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        29⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        28⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        27⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        26⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        25⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        24⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        23⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        22⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        21⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        20⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        19⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        18⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        17⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        16⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        15⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        14⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        13⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        12⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        11⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        10⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        9⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        7⤵
        
        PID:3836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
        5⤵
        
        PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
      4⤵
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\sntsvc.exe > nul
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\35D11B~1.EXE > nul
  2⤵
  PID:392

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv B6O2k4YXXk2BvEl6i5Bkbw.0.1
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sntsvc.exe

Filesize
70KB

MD5
35d11b5fc3ecb74ca8a37116f9b4379d

SHA1
76dde20a32955620e212f4e5ed7abecb0cbfb667

SHA256
3cdb68c5195e98f7beb68a3e0008a2e6e09933d0fc38505a617eeacc18d50352

SHA512
34652d425902a99e8a83b2886448acad7eab921bf18b3c78af6aecb131699b6624c0bbb34e37df496cd1364a4a1a315f721095cbdad64013f8ce97eefc3eef65

Download Submit
memory/220-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/220-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/440-129-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/440-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/688-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/688-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/720-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/772-111-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/772-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/920-110-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1100-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1100-173-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-216-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1212-88-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1212-84-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1476-106-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1476-102-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1604-162-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1604-157-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1740-223-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1740-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1760-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1760-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1760-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1760-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1792-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1792-138-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2060-215-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2344-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2344-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2464-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2464-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2596-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2596-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2832-124-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2832-128-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2948-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2948-206-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3052-57-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3068-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3068-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3068-2-0x0000000000418000-0x000000000042A000-memory.dmp

Filesize
72KB

Download
memory/3068-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3076-92-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3076-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3112-197-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3112-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3140-163-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3140-167-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3224-53-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3224-47-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3300-93-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3300-97-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3400-123-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3416-119-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3416-115-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3532-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3656-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3656-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3692-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3692-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3828-182-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3828-178-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3960-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3960-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3980-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3980-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4100-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4100-158-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4296-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4296-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4368-149-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4368-153-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4376-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4376-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4456-101-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-148-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-142-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4528-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4528-49-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4568-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4568-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4592-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4592-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4692-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4692-83-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4792-177-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4800-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4800-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4880-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4880-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads