

1hostCommandLineEventCode
2we8105desktaskhost.exe C:\Windows\system32\defrag.exe -c1
3we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
4we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
5we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
6we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
7we8105desk"C:\Windows\system32\w32tm.exe" /stripchart /computer:we9041srv.waynecorpinc.local /dataonly /samples:11
8we8105desk"C:\Windows\system32\PING.EXE" we9041srv.waynecorpinc.local /n 21
9we8105desk"C:\Windows\system32\w32tm.exe" /query /source1
10we8105deskC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES958E.tmp" "c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC958D.tmp"1
11we8105desk"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\l62oeljq.cmdline"1
12we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
13we8105deskC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES93AA.tmp" "c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC93A9.tmp"1
14we8105desk"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\m7m1p90n.cmdline"1
15we8105deskC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\BOBSMI~1.WAY\AppData\Local\Temp\RES936C.tmp" "c:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\CSC936B.tmp"1
16we8105desk"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\bob.smith.WAYNECORPINC\AppData\Local\Temp\skj1oiou.cmdline"1
17we8105desk\??\C:\Windows\system32\conhost.exe1
18we8105deskC:\Windows\System32\sdiagnhost.exe -Embedding1
19we8105deskC:\Windows\System32\svchost.exe -k swprv1
20we8105desk"taskhost.exe"1
21we8105deskC:\Windows\system32\vssvc.exe1
22we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
23we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe21_ Global\UsGthrCtrlFltPipeMssGthrPipe21 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
24we8105desk\??\C:\Windows\system32\conhost.exe1
25we8105deskC:\Windows\system32\mcbuilder.exe1
26we8105desk\??\C:\Windows\system32\conhost.exe1
27we8105deskC:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations1
28we8105deskC:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation1
29we8105deskC:\Windows\system32\lpremove.exe1
30we1149srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
31we1149srvC:\Windows\system32\sc.exe start wuauserv1
32we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
33we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
34we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
35we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe20_ Global\UsGthrCtrlFltPipeMssGthrPipe20 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
36we8105deskC:\Windows\system32\svchost.exe -k defragsvc1
37we8105desk\??\C:\Windows\system32\conhost.exe1
38we8105desk\??\C:\Windows\system32\conhost.exe1
39we8105desk"taskhost.exe"1
40we8105deskC:\Windows\system32\defrag.exe -c1
41we8105deskC:\Windows\system32\aitagent.EXE1
42we8105deskC:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate1
43we8105desktaskhost.exe $(Arg0)1
44we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
45we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
46we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
47we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
48we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
49we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
50we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
51we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
52we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
53we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
54we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe19_ Global\UsGthrCtrlFltPipeMssGthrPipe19 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
55we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
56we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe18_ Global\UsGthrCtrlFltPipeMssGthrPipe18 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
57we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
58we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
59we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
60we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
61we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
62we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
63we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
64we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
65we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
66we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe17_ Global\UsGthrCtrlFltPipeMssGthrPipe17 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
67we8105deskping -n 1 127.0.0.11
68we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
69we8105desktaskkill /t /f /im "osk.exe"1
70we8105desk\??\C:\Windows\system32\conhost.exe1
71we8105desk/d /c taskkill /t /f /im "osk.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe" > NUL1
72we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
73we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
74we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1
75we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-110916_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-110916 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"1
76we8105desk"C:\Windows\System32\WScript.exe" "C:\Users\bob.smith.WAYNECORPINC\Desktop\# DECRYPT MY FILES #.vbs"1
77we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
78we8105desk"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2404 CREDAT:798741
79we8105desk"C:\Windows\system32\NOTEPAD.EXE" C:\Users\bob.smith.WAYNECORPINC\Desktop\# DECRYPT MY FILES #.txt1
80we8105desk"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2404 CREDAT:798731
81we8105desk"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome1
82we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
83we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe15_ Global\UsGthrCtrlFltPipeMssGthrPipe15 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
84we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
85we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
86we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
87we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
88we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
89we8105desk"C:\Windows\explorer.exe"1
90we8105desktaskhost.exe $(Arg0)1
91we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
92we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
93we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
94we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe12_ Global\UsGthrCtrlFltPipeMssGthrPipe12 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
95we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
96we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe11_ Global\UsGthrCtrlFltPipeMssGthrPipe11 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
97we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
98we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
99we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
100we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
101we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
102we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
103we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
104we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
105we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
106we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
107we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
108we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
109we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
110we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
111we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
112we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
113we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe10_ Global\UsGthrCtrlFltPipeMssGthrPipe10 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
114we8105deskC:\Windows\system32\AUDIODG.EXE 0x4d41
115we8105deskrundll32.exe C:\Windows\system32\hotplug.dll,HotPlugEjectVetoed \\.\pipe\PNP_HotPlug_Pipe_1.{339df01b-6d4c-4d9a-b389-98d62839f1b0}1
116we8105deskC:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding1
117we8105deskC:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding1
118we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
119we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11099_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11099 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"1
120we8105desk"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:4576 CREDAT:719371
121we8105desk"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome1
122we8105desk"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL D:\Work Stuff\013\013366.pdf1
123we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
124we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
125we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
126we8105desk"C:\Windows\explorer.exe"1
127we8105deskC:\Windows\system32\AUDIODG.EXE 0x2c41
128we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
129we8105desk"C:\Windows\explorer.exe"1
130we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
131we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
132we8105deskC:\Windows\System32\slui.exe -Embedding1
133we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
134we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
135we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
136we8105desk\??\C:\Windows\system32\conhost.exe1
137we8105desk"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures1
138we8105desk\??\C:\Windows\system32\conhost.exe1
139we8105desk"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no1
140we8105desk\??\C:\Windows\system32\conhost.exe1
141we8105desk"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete1
142we8105deskC:\Windows\System32\svchost.exe -k swprv1
143we8105deskC:\Windows\system32\vssvc.exe1
144we8105desk\??\C:\Windows\system32\conhost.exe1
145we8105desk"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet1
146we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1
147we8105deskC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1
148we8105deskconsent.exe 928 274 0000000001CCA4D01
149we8105desk"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"1
150we8105desk"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"1
151we8105desk"C:\Windows\SysWOW64\QqJXZrBKCk72XzRgZs\AdapterTroubleshooter.exe"1
152we8105deskC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1
153we8105deskconsent.exe 928 502 00000000031D81601
154we8105desk"C:\Windows\SysWOW64\QqJXZrBKCk72XzRgZs\AdapterTroubleshooter.exe"1
155we8105deskconsent.exe 928 274 0000000001CCA4D01
156we8105deskconsent.exe 928 274 0000000001CCA4D01
157we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1
158we8105deskC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1
159we8105deskconsent.exe 928 274 0000000001CCA4D01
160we8105desk"C:\Windows\SysWOW64\explorer.exe"1
161we8105desk"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"1
162we8105deskping -n 1 127.0.0.11
163we8105desktaskkill /t /f /im "121214.tmp"1
164we8105desk\??\C:\Windows\system32\conhost.exe1
165we8105desk/d /c taskkill /t /f /im "121214.tmp" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp" > NUL1
166we8105desk"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\{35ACA89F-933F-6A5D-2776-A3589FB99832}\osk.exe"1
167we8105desk"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp"1
168we8105desk"C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp"1
169we8105desk\??\C:\Windows\system32\conhost.exe1
170we8105desk"C:\Windows\System32\cmd.exe" /C START "" "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\121214.tmp"1
171we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
172we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
173we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
174we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
175we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
176we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
177we8105desk"C:\Windows\explorer.exe"1
178we8105deskC:\Windows\splwow64.exe 81921
179we8105desk"C:\Windows\System32\WScript.exe" "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\20429.vbs"1
180we8105desk\??\C:\Windows\system32\conhost.exe1
1812016-08-24T10:43:21.000-0600cmd.exe /V /C set "GSI=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DIm RWRL" "FuNCtioN GNbiPp(Pt5SZ1)" "EYnt=45" "GNbiPp=AsC(Pt5SZ1)" "Xn1=52 This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. 
Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. 
This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. This line has been artificially truncated because it was causing Splunk Security Essentials to be flagged by Avast AV. Because we used this in part to look for very long CLI strings... this will be repeated. cho %~i)>"!GSI!" && start "" "!GSI!"we8105desk
182we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
183we8105deskwmiadap.exe /R /T1
184we8105desk"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1
185we8105desk"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "D:\Miranda_Tate_unveiled.dotm"1
186we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
187we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
188we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
189we8105desk"C:\Windows\explorer.exe"1
190we8105deskC:\Windows\system32\AUDIODG.EXE 0x8b81
191we9041srv"dwm.exe"1
192we9041srv"LogonUI.exe" /flags:0x01
193we9041srvwinlogon.exe1
194we9041srv%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161
195we9041srv\SystemRoot\System32\smss.exe 00000000 000000501
196we8105deskchoice /T 1 /C X /D X /N1
197we8105desk\??\C:\Windows\system32\conhost.exe1
198we8105deskcmd /c C:\Windows\temp\nessus_W7GLH62C.bat1
199we1149srv"dwm.exe"1
200we1149srv"LogonUI.exe" /flags:0x01
201we1149srvwinlogon.exe1
202we1149srv%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161
203we1149srv\SystemRoot\System32\smss.exe 00000000 000000501
204we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
205we8105deskC:\Windows\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe1
206we8105desk\??\C:\Windows\system32\conhost.exe1
207we8105desksc start tenable_mw_scan type=1 output=nessus_SFBBT7QA.txt1
208we9041srvchoice /T 1 /C X /D X /N1
209we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
210we9041srvcmd /c C:\Windows\temp\nessus_ZCHPYH15.bat1
211we8105deskschtasks /query /XML1
212we8105desk\??\C:\Windows\system32\conhost.exe1
213we8105deskcmd /c "schtasks /query /XML > %SystemRoot%\TEMP\nessus_VPG2T4UF.TMP & ren %SystemRoot%\TEMP\nessus_VPG2T4UF.TMP nessus_VPG2T4UF.TXT"1
214we9041srvC:\Windows\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe1
215we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
216we9041srvsc start tenable_mw_scan type=1 output=nessus_QYVJLVDT.txt1
217we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
218we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
219we9041srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
220we8105desknetsh advfirewall show allprofiles firewallpolicy1
221we8105deskcmd /c netsh advfirewall show allprofiles firewallpolicy1
222we8105desknetsh advfirewall firewall show rule name=all verbose1
223we8105desk\??\C:\Windows\system32\conhost.exe1
224we8105deskcmd /c netsh advfirewall firewall show rule name=all verbose > %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP & cmd /c netsh advfirewall show allprofiles firewallpolicy >> %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP & move %SystemRoot%\TEMP\nessus_OCREA4YZ.TMP %SystemRoot%\TEMP\nessus_OCREA4YZ.TXT1
225we9041srvschtasks /query /XML1
226we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
227we9041srvcmd /c "schtasks /query /XML > %SystemRoot%\TEMP\nessus_W426FMMY.TMP & ren %SystemRoot%\TEMP\nessus_W426FMMY.TMP nessus_W426FMMY.TXT"1
228we8105desktasklist /svc1
229we8105desk\??\C:\Windows\system32\conhost.exe1
230we8105deskcmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listY42QJDIQ.TMP & ren %SystemRoot%\TEMP\nessus_task_listY42QJDIQ.TMP nessus_task_listY42QJDIQ.TXT"1
231we9041srvC:\Windows\system32\svchost.exe -k wsappx1
232we9041srvpowershell "Get-AppxPackage -AllUsers | select name, version, architecture, publisher | Format-List | out-string -width 4096"1
233we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
234we9041srvcmd /c powershell "Get-AppxPackage -AllUsers | select name, version, architecture, publisher | Format-List | out-string -width 4096" > %SystemRoot%\TEMP\nessus_R3OP3JQV.TMP & move %SystemRoot%\TEMP\nessus_R3OP3JQV.TMP %SystemRoot%\TEMP\nessus_R3OP3JQV.TXT1
235we9041srvnetsh advfirewall show allprofiles firewallpolicy1
236we9041srvcmd /c netsh advfirewall show allprofiles firewallpolicy1
237we9041srvnetsh advfirewall firewall show rule name=all verbose1
238we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
239we9041srvcmd /c netsh advfirewall firewall show rule name=all verbose > %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP & cmd /c netsh advfirewall show allprofiles firewallpolicy >> %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP & move %SystemRoot%\TEMP\nessus_SV9VMSPT.TMP %SystemRoot%\TEMP\nessus_SV9VMSPT.TXT1
240we8105deskC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
241we8105deskC:\Windows\system32\svchost.exe -k regsvc1
242we8105desknetsh wlan show interface1
243we8105desk\??\C:\Windows\system32\conhost.exe1
244we8105deskcmd /c netsh wlan show interface > %SystemRoot%\TEMP\nessus_IQK9FYH1.TMP & move %SystemRoot%\TEMP\nessus_IQK9FYH1.TMP %SystemRoot%\TEMP\nessus_IQK9FYH1.TXT1
245we8105deskC:\Windows\servicing\TrustedInstaller.exe1
246we8105desknetstat -ano1
247we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
248we8105desk\??\C:\Windows\system32\conhost.exe1
249we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe7_ Global\UsGthrCtrlFltPipeMssGthrPipe7 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
250we8105deskcmd /c "netstat -ano > %SystemRoot%\TEMP\nessus_4UC962OK.TMP & ren %SystemRoot%\TEMP\nessus_4UC962OK.TMP nessus_4UC962OK.TXT"1
251we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
252we1149srvc:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm45a13fae-8ca5-408b-a9e4-631fc0631086 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 -ta 01
253we9041srvtasklist /svc1
254we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
255we9041srvcmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listI8RC8S8K.TMP & ren %SystemRoot%\TEMP\nessus_task_listI8RC8S8K.TMP nessus_task_listI8RC8S8K.TXT"1
256we9041srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
257we9041srvnetsh wlan show interface1
258we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
259we9041srvcmd /c netsh wlan show interface > %SystemRoot%\TEMP\nessus_JMJL39S5.TMP & move %SystemRoot%\TEMP\nessus_JMJL39S5.TMP %SystemRoot%\TEMP\nessus_JMJL39S5.TXT1
260we9041srvC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.16384_none_fa1dc1539b4180d8\TiWorker.exe -Embedding1
261we9041srvC:\Windows\servicing\TrustedInstaller.exe1
262we9041srvC:\Windows\system32\sppsvc.exe1
263we9041srvnetstat -ano1
264we9041srv\??\C:\Windows\system32\conhost.exe 0xffffffff1
265we9041srvcmd /c "netstat -ano > %SystemRoot%\TEMP\nessus_4LX6EPAV.TMP & ren %SystemRoot%\TEMP\nessus_4LX6EPAV.TMP nessus_4LX6EPAV.TXT"1
266we9041srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
267we9041srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
268we9041srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
269we1149srvC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
270we1149srvC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
271we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
272we8105deskC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding1
273we8105deskC:\Windows\system32\wermgr.exe -queuereporting1
274we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
275we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
276we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11095_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11095 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"1
277we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
278we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11094_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11094 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"1
279we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
280we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
281we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
282we8105deskwmiadap.exe /F /T /R1
283we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
284we8105desktaskhost.exe $(Arg0)1
285we8105deskC:\Windows\System32\sdclt.exe /CONFIGNOTIFICATION1
286we8105desk"C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe"1
287we8105deskC:\Windows\system32\sppsvc.exe1
288we8105desk"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe"1
289we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11092_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-67332772-3493699611-3403467266-11092 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"1
290we8105desk"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 5321
291we8105desk"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"1
292we8105deskC:\Windows\system32\SearchIndexer.exe /Embedding1
293we8105deskC:\Windows\system32\SearchIndexer.exe /Embedding1
294we8105desk"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices1
295we8105desk"C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"1
296we8105desk"C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe"1
297we8105desk"C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"1
298we8105desk"C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe"1
299we8105deskC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1
300we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
301we8105deskC:\Windows\SysWOW64\runonce.exe /Run64321
302we8105desk"C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"1
303we8105desk"C:\Program Files\Boot Camp\Bootcamp.exe"1
304we8105desk"C:\Windows\System32\igfxpers.exe"1
305we8105desk"C:\Windows\System32\hkcmd.exe"1
306we8105desk"C:\Windows\system32\igfxsrvc.exe" -Embedding1
307we8105desk"C:\Windows\System32\igfxtray.exe"1
308we8105deskC:\Windows\Explorer.EXE1
309we8105desk"C:\Windows\system32\Dwm.exe"1
310we8105deskC:\Windows\system32\userinit.exe1
311we8105desk"taskhost.exe"1
312we8105deskC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1
313we8105deskC:\Windows\System32\svchost.exe -k secsvcs1
314we8105desktaskhost.exe SYSTEM1
315we8105desk"C:\Windows\system32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-ac6024c6-0e8e-4905-9442-280600567282 -SystemEventPortName:HostProcess-47fb5318-ca0f-44a7-866d-cf286eabcb42 -IoCancelEventPortName:HostProcess-73811b94-bc88-4562-beac-f050c8c2e1ab -NonStateChangingEventPortName:HostProcess-487fce22-2fcf-4925-8557-9c32d3729e3e -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:9e02b3ab-0d2b-4e15-8682-744712c1ca2e1
316we8105deskC:\Windows\system32\svchost.exe -k bthsvcs1
317we8105deskC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation1
318we8105deskC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted1
319we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"1
320we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"1
321we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"1
322we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"1
323we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"1
324we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"1
325we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"1
326we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"1
327we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"1
328we8105deskcmd /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"1
329we8105deskC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&11
330we8105deskC:\Windows\system32\cmd.exe /c btool server list general --no-log1
331we8105deskC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log1
332we8105deskcscript.exe /nologo C:\Windows\TEMP\E5548D7D-7D5D-4693-A892-94129A925C26.vbs1
333we8105deskcscript.exe /nologo C:\Windows\TEMP\A1985133-B0BB-4771-9B34-54C1DC493370.vbs1
334we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
335we8105deskC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1
336we8105deskcscript.exe /nologo C:\Windows\TEMP\5F336C48-BD3F-46AF-8FB1-E076BA7329CB.vbs1
337we8105deskC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&11
338we8105deskC:\Windows\system32\wbem\wmiprvse.exe -Embedding1
339we8105deskC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1
340we8105deskC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log1
341we8105deskC:\Windows\system32\cmd.exe /c btool server list general --no-log1
342we8105deskC:\Windows\system32\cmd.exe /c btool web list settings --no-log1
343we8105deskC:\Windows\Sysmon.exe1
344we8105deskC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args1
345we8105desk\??\C:\Windows\system32\conhost.exe1
346we8105desk\??\C:\Windows\system32\conhost.exe1
347we8105deskC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars1
348we8105desk"C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe"1
349we8105deskC:\Windows\system32\AppleTimeSrv.exe1
350we8105deskC:\Windows\system32\AppleOSSMgr.exe1
351we8105desk"C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe"1
352we8105desk"C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe"1
353we8105deskC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1
354we8105deskC:\Windows\System32\spoolsv.exe1
355we8105deskC:\Windows\system32\svchost.exe -k NetworkService1
356we8105desk"C:\Windows\system32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-fa915abb-3e19-454d-abc3-af7084ddd6b2 -SystemEventPortName:HostProcess-ac8be148-87a6-4e0c-9c46-e06e1597f0ce -IoCancelEventPortName:HostProcess-c6ad7e19-54f2-46ea-af3f-88f7621e76ea -NonStateChangingEventPortName:HostProcess-b15c724e-59d6-4e9e-bba1-99864b9d80ce -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:584cb968-8b77-45ad-ae19-bbeb66853bc01
357we8105desk"LogonUI.exe" /flags:0x01
358we8105deskC:\Windows\system32\svchost.exe -k LocalService1
359we8105deskwinlogon.exe1
360we8105deskC:\Windows\system32\AUDIODG.EXE 0x2c81
361we8105deskC:\Windows\system32\svchost.exe -k netsvcs1
362we8105deskC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted1
363we8105deskC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1
364we8105deskC:\Windows\system32\svchost.exe -k RPCSS1
365we8105deskC:\Windows\system32\svchost.exe -k DcomLaunch1
366we8105deskC:\Windows\system32\lsm.exe1
367we8105deskC:\Windows\system32\lsass.exe1
368we8105deskC:\Windows\system32\services.exe1
369we8105desk%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161
370we8105deskwininit.exe1
371we8105desk\SystemRoot\System32\smss.exe 00000001 000000481
372we8105desk%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161
373we8105desk\SystemRoot\System32\smss.exe 00000000 000000481
374we8105desk\??\C:\Windows\system32\autochk.exe *1
375we8105desk\SystemRoot\System32\smss.exe1
376we8105deskC:\Windows\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}1
377we8105deskC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding1
378we8105deskC:\Windows\system32\vssvc.exe1
379we8105desk"C:\Program Files (x86)\Common Files\Acronis\VssRequestor64\vss_requestor.exe" -Embedding1
380we8105deskC:\Windows\system32\wermgr.exe -queuereporting1