86368d4819ca51b0e1a7c63877314611549cd78c6435137bc31261b9a08cb496

Resubmissions

28-03-2023 22:02

230328-1xxbfade86 9

28-03-2023 21:58

230328-1vl3pade78 9

Analysis

max time kernel
65s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
Size

3.1MB
MD5

92ffd2386f0d90f07e12f74ed815d219
SHA1

161df5d3809b21bcee3c633c9b0cb35f7db046ab
SHA256

f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7
SHA512

e245c920f563fb0a59da61ba4d9d50d62b6628b9f4307cc046cb17498b3883b607296649d97c1e74ec01b4a4a3196f78894cc025b54847973cb2dfea2ca62763
SSDEEP

49152:yQe1or7i33p0rb/TNvO90d7HjmAFd4A64nsfJm++4MKtgynxVT+l9yxm2z1AmW00:bq3prE1g3ezAHco7Y

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
1992	wevtutil.exe
1164	wevtutil.exe
1532	wevtutil.exe
872	wevtutil.exe
1092	wevtutil.exe
1180	wevtutil.exe
756	wevtutil.exe
1940	wevtutil.exe
1480	wevtutil.exe
1948	wevtutil.exe
1116	wevtutil.exe
1340	wevtutil.exe
392	wevtutil.exe
1704	wevtutil.exe
2012	wevtutil.exe
2012	wevtutil.exe
1720	wevtutil.exe
1992	wevtutil.exe
1984	wevtutil.exe
1340	wevtutil.exe
1704	wevtutil.exe
900	wevtutil.exe
1528	wevtutil.exe
1440	wevtutil.exe
1660	wevtutil.exe
1672	wevtutil.exe
912	wevtutil.exe
1160	wevtutil.exe
392	wevtutil.exe
1760	wevtutil.exe
1940	wevtutil.exe
1684	wevtutil.exe
1916	wevtutil.exe
1708	wevtutil.exe
1688	wevtutil.exe
1480	wevtutil.exe
112	wevtutil.exe
1632	wevtutil.exe
1524	wevtutil.exe
1612	wevtutil.exe
1644	wevtutil.exe
1440	wevtutil.exe
1948	wevtutil.exe
768	wevtutil.exe
1744	wevtutil.exe
1488	wevtutil.exe
1068	wevtutil.exe
828	wevtutil.exe
1748	wevtutil.exe
1524	wevtutil.exe
1684	wevtutil.exe
1524	wevtutil.exe
1448	wevtutil.exe
1796	wevtutil.exe
688	wevtutil.exe
1476	wevtutil.exe
1092	wevtutil.exe
1992	wevtutil.exe
1264	wevtutil.exe
1324	wevtutil.exe
1528	wevtutil.exe
1804	wevtutil.exe
1600	wevtutil.exe
1540	wevtutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\ext\jaccess.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Iqaluit.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\bin\java.dll.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Tijuana.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.key-JMKTPMYUOMTD.0xcf94dc203c744	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2008 taskkill.exe
1624 taskkill.exe
1004 taskkill.exe

pid	process
2008	taskkill.exe
1624	taskkill.exe
1004	taskkill.exe

Modifies registry class 3 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.0xcf94dc203c744\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.0xcf94dc203c744	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.0xcf94dc203c744\DefaultIcon\ = "C:\\Windows\\System32\\SHELL32.dll,47"	reg.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1692 powershell.exe

pid	process
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exepowershell.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeSecurityPrivilege	592	wevtutil.exe
Token: SeBackupPrivilege	592	wevtutil.exe
Token: SeSecurityPrivilege	1940	wevtutil.exe
Token: SeBackupPrivilege	1940	wevtutil.exe
Token: SeSecurityPrivilege	1052	wevtutil.exe
Token: SeBackupPrivilege	1052	wevtutil.exe
Token: SeSecurityPrivilege	1600	wevtutil.exe
Token: SeBackupPrivilege	1600	wevtutil.exe
Token: SeSecurityPrivilege	1180	wevtutil.exe
Token: SeBackupPrivilege	1180	wevtutil.exe
Token: SeSecurityPrivilege	1700	wevtutil.exe
Token: SeBackupPrivilege	1700	wevtutil.exe
Token: SeSecurityPrivilege	1948	wevtutil.exe
Token: SeBackupPrivilege	1948	wevtutil.exe
Token: SeSecurityPrivilege	296	wevtutil.exe
Token: SeBackupPrivilege	296	wevtutil.exe
Token: SeSecurityPrivilege	1992	wevtutil.exe
Token: SeBackupPrivilege	1992	wevtutil.exe
Token: SeSecurityPrivilege	1540	wevtutil.exe
Token: SeBackupPrivilege	1540	wevtutil.exe
Token: SeSecurityPrivilege	668	wevtutil.exe
Token: SeBackupPrivilege	668	wevtutil.exe
Token: SeSecurityPrivilege	1524	wevtutil.exe
Token: SeBackupPrivilege	1524	wevtutil.exe
Token: SeSecurityPrivilege	1476	wevtutil.exe
Token: SeBackupPrivilege	1476	wevtutil.exe
Token: SeSecurityPrivilege	1480	wevtutil.exe
Token: SeBackupPrivilege	1480	wevtutil.exe
Token: SeSecurityPrivilege	2016	wevtutil.exe
Token: SeBackupPrivilege	2016	wevtutil.exe
Token: SeSecurityPrivilege	1488	wevtutil.exe
Token: SeBackupPrivilege	1488	wevtutil.exe
Token: SeSecurityPrivilege	680	wevtutil.exe
Token: SeBackupPrivilege	680	wevtutil.exe
Token: SeSecurityPrivilege	1068	wevtutil.exe
Token: SeBackupPrivilege	1068	wevtutil.exe
Token: SeSecurityPrivilege	1484	wevtutil.exe
Token: SeBackupPrivilege	1484	wevtutil.exe
Token: SeSecurityPrivilege	112	wevtutil.exe
Token: SeBackupPrivilege	112	wevtutil.exe
Token: SeSecurityPrivilege	1672	wevtutil.exe
Token: SeBackupPrivilege	1672	wevtutil.exe
Token: SeSecurityPrivilege	872	wevtutil.exe
Token: SeBackupPrivilege	872	wevtutil.exe
Token: SeSecurityPrivilege	1092	wevtutil.exe
Token: SeBackupPrivilege	1092	wevtutil.exe
Token: SeSecurityPrivilege	1408	wevtutil.exe
Token: SeBackupPrivilege	1408	wevtutil.exe
Token: SeSecurityPrivilege	900	wevtutil.exe
Token: SeBackupPrivilege	900	wevtutil.exe
Token: SeSecurityPrivilege	1160	wevtutil.exe
Token: SeBackupPrivilege	1160	wevtutil.exe
Token: SeSecurityPrivilege	392	wevtutil.exe
Token: SeBackupPrivilege	392	wevtutil.exe
Token: SeSecurityPrivilege	948	wevtutil.exe
Token: SeBackupPrivilege	948	wevtutil.exe
Token: SeSecurityPrivilege	2008	wevtutil.exe
Token: SeBackupPrivilege	2008	wevtutil.exe
Token: SeSecurityPrivilege	1704	wevtutil.exe
Token: SeBackupPrivilege	1704	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 2032 wrote to memory of 1992	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1992	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1992	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 1992 wrote to memory of 1984	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 1984	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 1984	1992	cmd.exe	reg.exe
PID 2032 wrote to memory of 764	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 764	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 764	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 832	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 832	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 832	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 832 wrote to memory of 1480	832	cmd.exe	net.exe
PID 832 wrote to memory of 1480	832	cmd.exe	net.exe
PID 832 wrote to memory of 1480	832	cmd.exe	net.exe
PID 1480 wrote to memory of 1804	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1804	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1804	1480	net.exe	net1.exe
PID 2032 wrote to memory of 680	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 680	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 680	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 680 wrote to memory of 868	680	cmd.exe	net.exe
PID 680 wrote to memory of 868	680	cmd.exe	net.exe
PID 680 wrote to memory of 868	680	cmd.exe	net.exe
PID 868 wrote to memory of 440	868	net.exe	net1.exe
PID 868 wrote to memory of 440	868	net.exe	net1.exe
PID 868 wrote to memory of 440	868	net.exe	net1.exe
PID 2032 wrote to memory of 1484	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1484	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1484	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 1484 wrote to memory of 928	1484	cmd.exe	net.exe
PID 1484 wrote to memory of 928	1484	cmd.exe	net.exe
PID 1484 wrote to memory of 928	1484	cmd.exe	net.exe
PID 928 wrote to memory of 564	928	net.exe	net1.exe
PID 928 wrote to memory of 564	928	net.exe	net1.exe
PID 928 wrote to memory of 564	928	net.exe	net1.exe
PID 2032 wrote to memory of 1672	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1672	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1672	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 1672 wrote to memory of 1576	1672	cmd.exe	net.exe
PID 1672 wrote to memory of 1576	1672	cmd.exe	net.exe
PID 1672 wrote to memory of 1576	1672	cmd.exe	net.exe
PID 1576 wrote to memory of 696	1576	net.exe	net1.exe
PID 1576 wrote to memory of 696	1576	net.exe	net1.exe
PID 1576 wrote to memory of 696	1576	net.exe	net1.exe
PID 2032 wrote to memory of 268	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 268	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 268	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 268 wrote to memory of 1760	268	cmd.exe	net.exe
PID 268 wrote to memory of 1760	268	cmd.exe	net.exe
PID 268 wrote to memory of 1760	268	cmd.exe	net.exe
PID 1760 wrote to memory of 788	1760	net.exe	net1.exe
PID 1760 wrote to memory of 788	1760	net.exe	net1.exe
PID 1760 wrote to memory of 788	1760	net.exe	net1.exe
PID 2032 wrote to memory of 1340	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1340	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 2032 wrote to memory of 1340	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe
PID 1340 wrote to memory of 1408	1340	cmd.exe	net.exe
PID 1340 wrote to memory of 1408	1340	cmd.exe	net.exe
PID 1340 wrote to memory of 1408	1340	cmd.exe	net.exe
PID 1408 wrote to memory of 1060	1408	net.exe	net1.exe
PID 1408 wrote to memory of 1060	1408	net.exe	net1.exe
PID 1408 wrote to memory of 1060	1408	net.exe	net1.exe
PID 2032 wrote to memory of 1096	2032	f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe
"C:\Users\Admin\AppData\Local\Temp\f1f72dc070609ea57ed4e3e07fab2de6770f9bcae6b85ec395184f9fe2cb2cb7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\cmd.exe
cmd /C "reg add HKEY_CLASSES_ROOT\.0xcf94dc203c744\DefaultIcon /t REG_SZ /d %SystemRoot%\System32\SHELL32.dll,47 /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.0xcf94dc203c744\DefaultIcon /t REG_SZ /d C:\Windows\System32\SHELL32.dll,47 /f
3⤵
- Modifies registry class
PID:1984

C:\Windows\system32\cmd.exe
cmd /C "iisreset /stop"
2⤵
PID:764

C:\Windows\system32\cmd.exe
cmd /C "NET STOP IISADMIN"
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\net.exe
NET STOP IISADMIN
3⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 STOP IISADMIN
4⤵
PID:1804

C:\Windows\system32\cmd.exe
cmd /C "net stop WAS"
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\net.exe
net stop WAS
3⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WAS
4⤵
PID:440

C:\Windows\system32\cmd.exe
cmd /C "NET stop MSSQLSERVER"
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\net.exe
NET stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:564

C:\Windows\system32\cmd.exe
cmd /C "NET stop \"SQL Server (MSSQLSERVER)\""
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\net.exe
NET stop \"SQL Server (MSSQLSERVER)\"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop \"SQL Server (MSSQLSERVER)\"
4⤵
PID:696

C:\Windows\system32\cmd.exe
cmd /C "net stop MSSQL$SQLEXPRESS"
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\net.exe
net stop MSSQL$SQLEXPRESS
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
4⤵
PID:788

C:\Windows\system32\cmd.exe
cmd /C "net stop SQLSERVERAGENT"
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1060

C:\Windows\system32\cmd.exe
cmd /C "net stop mysql"
2⤵
PID:1096

C:\Windows\system32\net.exe
net stop mysql
3⤵
PID:1160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mysql
4⤵
PID:340

C:\Windows\system32\cmd.exe
cmd /C "taskkill /F /IM sqlservr.exe /T"
2⤵
PID:1436

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlservr.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\cmd.exe
cmd /C "taskkill /F /IM sqlceip.exe /T"
2⤵
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlceip.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\cmd.exe
cmd /C "taskkill /F /IM sqlwriter.exe /T"
2⤵
PID:1248

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlwriter.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\cmd.exe
cmd /C "Del /S /F /Q %Windir%\Temp"
2⤵
PID:2012

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Public\Log.cmd
2⤵
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "wevtutil el | Foreach-Object {wevtutil cl "$_"}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Analytic
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Application
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl DebugChannel
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl EndpointMapper
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl HardwareEvents
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Media Center"
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-IEDVTOOL/Diagnostic
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-API-Tracing/Operational
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AltTab/Diagnostic
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
4⤵
PID:632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
4⤵
PID:1624

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
4⤵
PID:1440

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
4⤵
PID:1020

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
4⤵
PID:1004

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
4⤵
- Clears Windows event logs
PID:1448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
4⤵
PID:912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Problem-Steps-Recorder
4⤵
PID:1796

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
4⤵
PID:1336

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
4⤵
PID:1660

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
4⤵
- Clears Windows event logs
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory/Debug
4⤵
PID:1052

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
4⤵
PID:1180

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
4⤵
PID:1700

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
4⤵
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
4⤵
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
4⤵
- Clears Windows event logs
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
4⤵
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
4⤵
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
4⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
4⤵
PID:1476

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
4⤵
PID:1480

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
4⤵
PID:2016

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
4⤵
PID:1488

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
4⤵
PID:680

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
4⤵
PID:1068

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
4⤵
PID:1676

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
4⤵
PID:1748

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
4⤵
PID:880

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
4⤵
PID:872

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
4⤵
- Clears Windows event logs
PID:1092

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
4⤵
PID:1408

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
4⤵
PID:900

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Tracing
4⤵
PID:1160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Calculator/Debug
4⤵
PID:392

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Calculator/Diagnostic
4⤵
PID:948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertPoleEng/Operational
4⤵
PID:2008

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
4⤵
PID:1704

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic
4⤵
PID:632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CmiSetup/Analytic
4⤵
PID:1624

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Operational
4⤵
PID:1440

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Verbose
4⤵
PID:1020

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Analytic
4⤵
PID:1004

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Debug
4⤵
PID:1448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
4⤵
PID:912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
4⤵
PID:1796

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CredUI/Diagnostic
4⤵
PID:1336

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RNG/Analytic
4⤵
PID:1660

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/Analytic
4⤵
- Clears Windows event logs
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/PerfTiming
4⤵
PID:1052

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DCLocator/Debug
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DNS-Client/Operational
4⤵
PID:1180

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUI/Diagnostic
4⤵
PID:1700

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUSER/Diagnostic
4⤵
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Analytic
4⤵
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Logging
4⤵
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXP/Analytic
4⤵
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Analytic
4⤵
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Debug
4⤵
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Operational
4⤵
PID:1476

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deplorch/Analytic
4⤵
PID:1480

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Analytic
4⤵
PID:2016

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Operational
4⤵
- Clears Windows event logs
PID:1488

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Informational
4⤵
PID:680

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Performance
4⤵
PID:1068

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Admin
4⤵
PID:1676

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Operational
4⤵
PID:1748

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DhcpNap/Admin
4⤵
PID:880

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DhcpNap/Operational
4⤵
PID:872

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Admin
4⤵
PID:1092

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Operational
4⤵
PID:1408

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiagCpl/Debug
4⤵
PID:900

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Analytic
4⤵
PID:1160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Debug
4⤵
PID:392

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Operational
4⤵
PID:948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-MSDE/Debug
4⤵
PID:2008

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Analytic
4⤵
PID:1704

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Debug
4⤵
PID:632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Operational
4⤵
PID:1624

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Debug
4⤵
PID:1440

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Operational
4⤵
PID:1020

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Perfhost/Analytic
4⤵
PID:1004

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scheduled/Operational
4⤵
PID:1448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Admin
4⤵
PID:912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Analytic
4⤵
PID:1796

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Debug
4⤵
PID:1336

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Operational
4⤵
- Clears Windows event logs
PID:1660

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug
4⤵
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
4⤵
PID:1052

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-TaskManager/Debug
4⤵
- Clears Windows event logs
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDC/Analytic
4⤵
- Clears Windows event logs
PID:1180

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDI/Debug
4⤵
PID:1700

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Debug
4⤵
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Operational
4⤵
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic
4⤵
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic
4⤵
- Clears Windows event logs
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic
4⤵
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback
4⤵
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Operational
4⤵
PID:1476

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10/Analytic
4⤵
- Clears Windows event logs
PID:1480

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10_1/Analytic
4⤵
PID:2016

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Analytic
4⤵
PID:1488

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Logging
4⤵
PID:680

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/PerfTiming
4⤵
PID:1068

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectShow-KernelSupport/Performance
4⤵
PID:1676

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectSound/Debug
4⤵
PID:1748

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectWrite-FontCache/Tracing
4⤵
PID:880

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectWrite/Tracing
4⤵
PID:872

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Disk/Operational
4⤵
PID:1092

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnostic/Operational
4⤵
PID:1408

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
4⤵
PID:900

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticResolver/Operational
4⤵
- Clears Windows event logs
PID:1160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Debug
4⤵
PID:392

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Operational
4⤵
PID:948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplaySwitch/Diagnostic
4⤵
PID:2008

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Documents/Performance
4⤵
PID:1704

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
4⤵
PID:632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Diagnostic
4⤵
PID:1624

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Performance
4⤵
- Clears Windows event logs
PID:1440

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxpTaskRingtone/Analytic
4⤵
PID:1020

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxpTaskSyncProvider/Analytic
4⤵
PID:1004

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EFS/Debug
4⤵
PID:1448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Analytic
4⤵
PID:912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Debug
4⤵
PID:1796

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Operational
4⤵
PID:1336

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EaseOfAccess/Diagnostic
4⤵
PID:1660

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Debug
4⤵
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Operational
4⤵
PID:1052

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog-WMIProvider/Debug
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Analytic
4⤵
PID:1180

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Debug
4⤵
PID:1700

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Analytic
4⤵
- Clears Windows event logs
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Debug
4⤵
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Operational
4⤵
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FailoverClustering-Client/Diagnostic
4⤵
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
4⤵
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Feedback-Service-TriggerProvider
4⤵
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileInfoMinifilter/Operational
4⤵
PID:1476

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Firewall-CPL/Diagnostic
4⤵
PID:1480

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Folder Redirection/Operational"
4⤵
PID:2016

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Debug
4⤵
PID:1488

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Operational
4⤵
PID:680

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GettingStarted/Diagnostic
4⤵
- Clears Windows event logs
PID:1068

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GroupPolicy/Operational
4⤵
PID:1676

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HAL/Debug
4⤵
PID:1748

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Debug
4⤵
PID:880

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Performance
4⤵
PID:872

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenterCPL/Performance
4⤵
PID:1092

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Help/Operational
4⤵
PID:1408

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
4⤵
- Clears Windows event logs
PID:900

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
4⤵
PID:1160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
4⤵
- Clears Windows event logs
PID:392

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
4⤵
PID:948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
4⤵
PID:2008

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HomeGroup-ListenerService
4⤵
- Clears Windows event logs
PID:1704

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotStart/Diagnostic
4⤵
PID:632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Trace
4⤵
PID:1624

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKE/Operational
4⤵
PID:1440

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKEDBG/Debug
4⤵
PID:1020

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPBusEnum/Tracing
4⤵
PID:1004

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPSEC-SRV/Diagnostic
4⤵
PID:1448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
4⤵
PID:912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International/Operational
4⤵
- Clears Windows event logs
PID:1796

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Debug
4⤵
PID:1336

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Operational
4⤵
PID:1660

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Trace
4⤵
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Acpi/Diagnostic
4⤵
PID:944

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Analytic
4⤵
PID:1984

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic
4⤵
PID:1536

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Disk/Analytic
4⤵
PID:1912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Admin
4⤵
PID:1696

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Analytic
4⤵
PID:764

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-File/Analytic
4⤵
PID:1644

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Memory/Analytic
4⤵
PID:556

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Network/Analytic
4⤵
PID:980

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-PnP/Diagnostic
4⤵
PID:868

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Diagnostic
4⤵
PID:564

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Diagnostic
4⤵
PID:928

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Operational
4⤵
PID:464

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Prefetch/Diagnostic
4⤵
PID:112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Process/Analytic
4⤵
PID:788

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Processor-Power/Diagnostic
4⤵
- Clears Windows event logs
PID:1760

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Registry/Analytic
4⤵
PID:1264

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Analytic
4⤵
PID:584

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Operational
4⤵
PID:340

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Analytic
4⤵
PID:1612

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Debug
4⤵
PID:1300

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Operational
4⤵
PID:1324

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Errors
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Operational
4⤵
PID:1112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Known Folders API Service"
4⤵
PID:1284

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-L2NA/Diagnostic
4⤵
PID:688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LDAP-Client/Debug
4⤵
PID:1708

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LUA-ConsentUI/Diagnostic
4⤵
PID:1972

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Analytic
4⤵
- Clears Windows event logs
PID:1684

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Debug
4⤵
PID:828

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Operational
4⤵
PID:2012

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MCT/Operational
4⤵
- Clears Windows event logs
PID:756

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-CLNT/Diagnostic
4⤵
PID:1916

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-DRV/Diagnostic
4⤵
PID:768

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-SRV/Diagnostic
4⤵
PID:844

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Admin
4⤵
PID:1164

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Debug
4⤵
PID:1720

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Diagnostic
4⤵
PID:1688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Admin
4⤵
PID:1648

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Analytic
4⤵
PID:920

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Debug
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Operational
4⤵
PID:1532

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter
4⤵
PID:1528

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader
4⤵
PID:1632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/Transform
4⤵
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-PlayAPI/Analytic
4⤵
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MemoryDiagnostics-Results/Debug
4⤵
- Clears Windows event logs
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MobilityCenter/Performance
4⤵
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Analytic
4⤵
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Operational
4⤵
PID:1116

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDF-HelperClassDiscovery/Debug
4⤵
PID:868

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS-PacketCapture/Diagnostic
4⤵
PID:564

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Diagnostic
4⤵
PID:928

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Operational
4⤵
PID:464

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NTLM/Operational
4⤵
- Clears Windows event logs
PID:112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NWiFi/Diagnostic
4⤵
PID:788

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Narrator/Diagnostic
4⤵
PID:1760

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetShell/Performance
4⤵
PID:1264

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-and-Sharing-Center/Diagnostic
4⤵
PID:584

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkAccessProtection/Operational
4⤵
PID:340

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkAccessProtection/WHC
4⤵
PID:1612

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkLocationWizard/Operational
4⤵
PID:1300

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Diagnostic
4⤵
PID:1324

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Operational
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Networking-Correlation/Diagnostic
4⤵
PID:1112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Diagnostic
4⤵
PID:1284

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Operational
4⤵
PID:688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Debug
4⤵
PID:1708

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Diagnostic
4⤵
PID:1972

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine/Diagnostic
4⤵
PID:1684

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Analytic
4⤵
PID:828

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Debug
4⤵
- Clears Windows event logs
PID:2012

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Operational
4⤵
PID:756

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/SyncLog
4⤵
- Clears Windows event logs
PID:1916

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Diagnostic
4⤵
PID:768

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OobeLdr/Analytic
4⤵
PID:844

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PCI/Diagnostic
4⤵
PID:1164

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ParentalControls/Operational
4⤵
- Clears Windows event logs
PID:1720

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic
4⤵
PID:1688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PeopleNearMe/Operational
4⤵
PID:1648

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceStatusProvider/Analytic
4⤵
PID:920

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceSyncProvider/Analytic
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCfg/Diagnostic
4⤵
PID:1532

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCpl/Diagnostic
4⤵
- Clears Windows event logs
PID:1528

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic
4⤵
PID:1632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Analytic
4⤵
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Operational
4⤵
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrimaryNetworkIcon/Performance
4⤵
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Admin
4⤵
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Debug
4⤵
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Operational
4⤵
PID:1116

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/Debug
4⤵
PID:868

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-Pacer/Diagnostic
4⤵
PID:564

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-qWAVE/Debug
4⤵
PID:928

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC-Proxy/Debug
4⤵
PID:464

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC/Debug
4⤵
PID:112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC/EEInfo
4⤵
PID:788

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoost/Analytic
4⤵
PID:1760

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoost/Operational
4⤵
PID:1264

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoostDriver/Analytic
4⤵
PID:584

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoostDriver/Operational
4⤵
PID:340

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Recovery/Operational
4⤵
- Clears Windows event logs
PID:1612

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReliabilityAnalysisComponent/Operational
4⤵
PID:1300

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
4⤵
PID:1324

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Admin
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Operational
4⤵
PID:1112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Tracing
4⤵
PID:1284

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
4⤵
PID:688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
4⤵
PID:1708

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Remotefs-UTProvider/Diagnostic
4⤵
PID:1972

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational
4⤵
PID:1684

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
4⤵
PID:828

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Leak-Diagnostic/Operational
4⤵
PID:2012

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ResourcePublication/Tracing
4⤵
PID:756

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RestartManager/Operational
4⤵
PID:1916

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Search-Core/Diagnostic
4⤵
- Clears Windows event logs
PID:768

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Search-ProtocolHandlers/Diagnostic
4⤵
PID:844

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic
4⤵
PID:1164

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Audit-Configuration-Client/Operational
4⤵
PID:1720

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-IdentityListener/Operational
4⤵
PID:1688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP/Perf
4⤵
PID:1648

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sens/Debug
4⤵
PID:920

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ServiceReportingApi/Debug
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Services-Svchost/Diagnostic
4⤵
PID:1532

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Services/Diagnostic
4⤵
PID:1528

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Setup/Analytic
4⤵
PID:1632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupCl/Analytic
4⤵
- Clears Windows event logs
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupQueue/Analytic
4⤵
PID:296

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupUGC/Analytic
4⤵
- Clears Windows event logs
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic
4⤵
PID:1540

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic
4⤵
PID:668

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Common/Diagnostic
4⤵
PID:1116

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic
4⤵
PID:868

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic
4⤵
PID:564

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic
4⤵
PID:928

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic
4⤵
PID:464

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/Diagnostic
4⤵
PID:112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-DefaultPrograms/Diagnostic
4⤵
PID:788

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Shwebsvc
4⤵
PID:1760

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-ZipFolder/Diagnostic
4⤵
PID:1264

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shsvcs/Diagnostic
4⤵
PID:584

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sidebar/Diagnostic
4⤵
PID:340

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Speech-UserExperience/Diagnostic
4⤵
PID:1612

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Spell-Checking/Analytic
4⤵
PID:1300

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SpellChecker/Analytic
4⤵
- Clears Windows event logs
PID:1324

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StickyNotes/Admin
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StickyNotes/Debug
4⤵
PID:1112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StickyNotes/Diagnostic
4⤵
PID:1284

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorDiag/Operational
4⤵
PID:688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorPort/Operational
4⤵
PID:1708

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Subsys-Csr/Operational
4⤵
PID:1972

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Subsys-SMSS/Operational
4⤵
- Clears Windows event logs
PID:1684

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/Main
4⤵
- Clears Windows event logs
PID:828

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/StoreLog
4⤵
- Clears Windows event logs
PID:2012

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sysprep/Analytic
4⤵
PID:756

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemHealthAgent/Diagnostic
4⤵
PID:1916

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TCPIP/Diagnostic
4⤵
PID:768

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msctf/Debug
4⤵
PID:844

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msctf/Diagnostic
4⤵
- Clears Windows event logs
PID:1164

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msutb/Debug
4⤵
PID:1720

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msutb/Diagnostic
4⤵
PID:1688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZUtil/Operational
4⤵
PID:1648

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Debug
4⤵
PID:920

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Diagnostic
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Operational
4⤵
PID:1532

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskbarCPL/Diagnostic
4⤵
- Clears Windows event logs
PID:1528

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
4⤵
- Clears Windows event logs
PID:1632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic
4⤵
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug
4⤵
PID:980

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
4⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
4⤵
PID:884

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic
4⤵
PID:696

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Debug
4⤵
PID:1576

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
4⤵
- Clears Windows event logs
PID:1672

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-MediaRedirection/Analytic
4⤵
PID:268

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Admin
4⤵
PID:1060

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Analytic
4⤵
PID:1340

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Debug
4⤵
PID:1464

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Operational
4⤵
PID:1096

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Analytic
4⤵
PID:872

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Debug
4⤵
PID:1292

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Operational
4⤵
PID:1328

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture
4⤵
- Clears Windows event logs
PID:1744

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback
4⤵
PID:1732

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
4⤵
PID:1560

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic
4⤵
PID:948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug
4⤵
PID:1112

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
4⤵
PID:1284

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
4⤵
- Clears Windows event logs
PID:688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic
4⤵
- Clears Windows event logs
PID:1708

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug
4⤵
PID:1972

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
4⤵
PID:1684

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ThemeCPL/Diagnostic
4⤵
PID:828

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ThemeUI/Diagnostic
4⤵
PID:2012

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TunnelDriver
4⤵
PID:756

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC-FileVirtualization/Operational
4⤵
PID:1916

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC/Operational
4⤵
PID:768

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAnimation/Diagnostic
4⤵
PID:844

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Debug
4⤵
PID:1164

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Diagnostic
4⤵
PID:1720

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Perf
4⤵
- Clears Windows event logs
PID:1688

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIRibbon/Diagnostic
4⤵
PID:1648

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBHUB/Diagnostic
4⤵
PID:920

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBPORT/Diagnostic
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
4⤵
- Clears Windows event logs
PID:1532

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Profile Service/Diagnostic"
4⤵
PID:1528

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Profile Service/Operational"
4⤵
PID:1632

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-User-Loader/Analytic
4⤵
PID:1948

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserModePowerService/Diagnostic
4⤵
PID:1992

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/DeviceMetadata/Debug
4⤵
PID:1476

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/DeviceNotifications
4⤵
PID:1480

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/Performance
4⤵
- Clears Windows event logs
PID:1116

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/SchedulerOperations
4⤵
PID:1488

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UxTheme/Diagnostic
4⤵
PID:680

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VAN/Diagnostic
4⤵
PID:1068

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VDRVROOT/Operational
4⤵
PID:1676

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VHDMP/Operational
4⤵
- Clears Windows event logs
PID:1748

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VWiFi/Diagnostic
4⤵
PID:788

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeControl/Performance
4⤵
PID:1548

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeSnapshot-Driver/Operational
4⤵
PID:1264

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WABSyncProvider/Analytic
4⤵
PID:1408

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WCN-Config-Registrar/Diagnostic
4⤵
PID:900

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WER-Diag/Operational
4⤵
PID:1160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WFP/Analytic
4⤵
PID:392

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WFP/Operational
4⤵
PID:896

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-AutoConfig/Operational
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-Autoconfig/Diagnostic
4⤵
PID:1248

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLANConnectionFlow/Diagnostic
4⤵
PID:1552

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Trace
4⤵
PID:1556

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPDMCCore/Diagnostic
4⤵
PID:1440

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPDMCUI/Diagnostic
4⤵
PID:952

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic
4⤵
PID:840

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-Service/Diagnostic
4⤵
PID:1448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSSUI/Diagnostic
4⤵
- Clears Windows event logs
PID:912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-ClassInstaller/Analytic
4⤵
PID:1796

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-ClassInstaller/Operational
4⤵
PID:1504

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-CompositeClassDriver/Analytic
4⤵
PID:2044

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-CompositeClassDriver/Operational
4⤵
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPClassDriver/Operational
4⤵
PID:944

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WSC-SRV/Diagnostic
4⤵
- Clears Windows event logs
PID:1984

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WUSA/Debug
4⤵
PID:1180

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WWAN-MM-Events/Diagnostic
4⤵
PID:1912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic
4⤵
PID:1452

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WWAN-SVC-Events/Diagnostic
4⤵
PID:1804

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WWAN-UI-Events/Diagnostic
4⤵
PID:764

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WebIO-NDF/Diagnostic
4⤵
PID:1644

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WebIO/Diagnostic
4⤵
PID:572

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WebServices/Tracing
4⤵
PID:1808

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Win32k/Concurrency
4⤵
PID:744

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Win32k/Power
4⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Win32k/Render
4⤵
PID:884

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Win32k/Tracing
4⤵
PID:696

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Win32k/UIPI
4⤵
PID:1576

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinHTTP-NDF/Diagnostic
4⤵
PID:1672

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinHttp/Diagnostic
4⤵
PID:268

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinINet/Analytic
4⤵
PID:1060

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinRM/Analytic
4⤵
- Clears Windows event logs
PID:1340

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinRM/Debug
4⤵
PID:880

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinRM/Operational
4⤵
PID:788

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Windeploy/Analytic
4⤵
PID:1548

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Defender/Operational"
4⤵
- Clears Windows event logs
PID:1264

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Defender/WHC"
4⤵
PID:1408

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
4⤵
PID:900

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
4⤵
PID:1160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
4⤵
PID:392

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
4⤵
PID:896

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsBackup/ActionCenter
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsColorSystem/Debug
4⤵
PID:1248

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsColorSystem/Operational
4⤵
PID:1552

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsSystemAssessmentTool/Operational
4⤵
PID:1556

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsSystemAssessmentTool/Tracing
4⤵
- Clears Windows event logs
PID:1440

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsUpdateClient/Operational
4⤵
PID:952

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wininit/Diagnostic
4⤵
PID:840

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winlogon/Diagnostic
4⤵
PID:1448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winlogon/Operational
4⤵
PID:912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winsock-AFD/Operational
4⤵
PID:1796

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winsock-WS2HELP/Operational
4⤵
PID:1504

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winsrv/Analytic
4⤵
PID:2044

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wired-AutoConfig/Diagnostic
4⤵
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wired-AutoConfig/Operational
4⤵
PID:944

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wordpad/Admin
4⤵
PID:1984

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wordpad/Debug
4⤵
PID:1180

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wordpad/Diagnostic
4⤵
PID:1912

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-mobsync/Diagnostic
4⤵
PID:1452

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ntshrui
4⤵
- Clears Windows event logs
PID:1804

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-osk/Diagnostic
4⤵
PID:764

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-stobject/Diagnostic
4⤵
- Clears Windows event logs
PID:1644

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl OAlerts
4⤵
PID:572

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Security
4⤵
PID:1808

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Setup
4⤵
PID:744

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl System
4⤵
PID:1524

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl TabletPC_InputPanel_Channel
4⤵
PID:884

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl WINDOWS_MP4SDECD_CHANNEL
4⤵
PID:696

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl WINDOWS_MSMPEG2VDEC_CHANNEL
4⤵
PID:1576

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl WINDOWS_WMPHOTO_CHANNEL
4⤵
PID:1672

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl WMPSetup
4⤵
PID:268

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl WMPSyncEngine
4⤵
PID:1060

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl "Windows PowerShell"
4⤵
- Clears Windows event logs
PID:1340

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin
4⤵
PID:880

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl muxencode
4⤵
PID:788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
4KB

MD5
f55d5635a06d79657da0d8e10310d6df

SHA1
435105b3478ca63012816bddef6ee95fa8579f18

SHA256
234270cc47bdea7fc5120df75f158712c85e6762475db7762d90732ffcc348e6

SHA512
de4f0afc587791682107396261d7adac4c49c0b693452d561399d5f09141cd86ec61427aaf6513e57f82420ebceca132d1bc6e9978f2dce5d79a973ac44aced3

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
3KB

MD5
2b43e185da3a93136a45b85b2e90e418

SHA1
d3f19c0a3a9cd52e0edc2c76fa55c6f738c407e0

SHA256
dd781dc332b57baf4151bed7231d791cd3979c31e44a5729922648b14d71d3de

SHA512
16e0062447bbde35a44bfac87fb2b3cfb7735fa38c4829b7efe2e9fe56a9588d025caef13379dad81972413e231df4ae314b7c4d87193e968ff6b3e05ecc8968

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
4KB

MD5
282137648ede28687235f6653c68eba6

SHA1
0153efe5473c41727ad7f5c820f59dde45e51001

SHA256
f0bdcba103bcf8ac934a78ec8d818bff70139a5777ad5fd9cc2ff62b5b3a8c91

SHA512
340525bcdbd46e74631d8bb39ebb3419e7dd2569d2449b3b3f7bdb4a50cb99a03f870c5b8203e0b226f260c45c796bd02fd9d7e671d91f8dbf6abcd108b915b9

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
3KB

MD5
564484f5bcf338d8f8fb554303adb6e1

SHA1
03fa4a0cb992c6f6196b8bb0f8f4e4f8184e0a3f

SHA256
10fda64f21b9937bc3d4f66d0ea5a4a25b3aeffd6c2e26892e0e75a4101464cf

SHA512
7dd45a9c3bd08bafc9aaed14f4bd0d8f0abc2199ca7a02fff5c1e2f6002b3546a6229e9043fcea6b40aac1a3fde9931a5e2625235b65984bff67cedbddec60f7

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
4KB

MD5
b5c69634f6513de1a2e27cec1368a9e0

SHA1
1b93f5f53d0898c3ed6dc95bbc06242ceb032803

SHA256
75516eec2128847f2aa5962da52f99cbcf9ec212e415663dfb07c3dd4b39ee39

SHA512
c6f8c6bff8280356052a308ecc856e5c458b17ca7e3753aeac6610f4db86ee7e688dcd054c9edf640b30dc578e840e9ba8be3e8b0455ea88c399d862921f0f1c

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
3KB

MD5
d4d67020fd098977b190c25392b74644

SHA1
57885627d828200b43e9e203c14463bf9add8b0d

SHA256
ae1b41e682da7d1f7f3f7ea4fae91275c53ed4fb295e955ff667b7c48529f70a

SHA512
bf7e152d19f07dd8d913b3b2664c75f923528fa89aa6f56127aed81b4e9cfa52463063fe4122adbcd781c5343d12ef6be7d62dddec563f8b242d1020f7551d79

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
4KB

MD5
02c62761e13e1c9ea5954256892b392f

SHA1
e0b9f85816351d6324e1f7ead30b511ed153961c

SHA256
8fc6dfcbb48eb3b1e9b662da51163eec9bebf5a44aa296d5a37d1564788f692a

SHA512
7174e159d21dc6465c6b436cbfc41813f99984acce6df2634dfb4fed7a008944161ddf74bd573dd4a28c4d4d01a7f362a9ef8e6532486cdcaca54d869b52e838

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
2KB

MD5
17b6f1a81148ff657ece92de3f598709

SHA1
0914e03f836a13c53290260c322333e76bc3262b

SHA256
cecb9efd208468093f080c7c68581f110e9d38991375d8fabba2fdcd0ff1f174

SHA512
3c37c49f263ba9892264d129fa332c3685f4a44360465e46e8d4d25de2df79a6a9cb122afb138d0ef7b06b8cabe49d5872c816672df9169a85a6cee23e9d6a82

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
2KB

MD5
658e62bb0158d1d03fb8d692f8c0019d

SHA1
5ff7c65ea8c4d7c903cc0347c939a0a0e7ad2339

SHA256
cdbec9bb241619be9d7adc6a614470956f8f2babf958f22dc8b6348e73750a10

SHA512
feee07c50809e5f6ece7f72fccfd8697b026beca626c686b562b6a99d842af32a8e0ac474fe3a55599def18ac36dc4eb1d697921435c8a4dc5d57092de9518dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
5KB

MD5
09624a2497e4007a1dbcb25a8938658e

SHA1
a7201190e6f09b37bc167c42d9f869e297f66ac3

SHA256
03426c96f887c5b9674a49bab7b55597c5e938ea6f6bfa290d9040254c63c82c

SHA512
f7f1ceee731d930a8d419550cb6f948b22aa492422870c3e2ea80310a6b8cadc3de7000282ac2fe92efacbc5917655b623f9d448fc2a91eeffd7c8e4bf04b2ba

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
12KB

MD5
6e313ac1d99bd09b2a66190c481e2874

SHA1
cef56c738b145abf0dadbf494a57e36350a0fe86

SHA256
ac02cc6ee5bf3582b5384d1c65eef1c44029c0d2cae8a28ca3ff6d620b01145b

SHA512
bf894fdca95094229b9673ce15313df8bae644bc4d9143f5736b89026ae6ce8bb8d7ff3de622a158958a731408abb9c12c764740473ceb9a5080b26c92e48af2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
8KB

MD5
23226f4f461cab87934826cb7640c0cf

SHA1
cae0497ab37e698fd58a205e15081fa0e65c8110

SHA256
ad05bff4f837f5d440368dd50c7d84d6cc9c678cd98e6d3f06c1b093e18d11fe

SHA512
f88352cb8fd3441aa4f66d476d7775821e2f6ede0a0532dada68c39bbf2572bcbe8b81af38850159b142fa0163ff2d9f941a7e9535939613431257b62fbfe399

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
57B

MD5
bc05e45f70892530e74166ee5608fd61

SHA1
3f948f3236970b0a7afc05635d0ea26a4eec67f1

SHA256
1db82373bad1d11d902be5e47ba84716cd1acb226579a6153a68a08b46274b4a

SHA512
37df11bb5e64ee458660ec3d2ee931e3ef3d43d122259bc9a6274db3e5dc0544f793eb9c819b7d2da3031c7e5e083ab5cb05603acd24cb378e1d7e1df76155bb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
7KB

MD5
fa48f42a18e73193c9c02cbc37e699ce

SHA1
790bea88ebd772d6833426d3eb32c111cafdd346

SHA256
2aa62504112ecf48723872193a4c4d39576016f97628c21e2c52fc3c3aa7bbf1

SHA512
ee84c778259539d982737168cebce8e663903f180eec0e4df3b167b5bafc52326cd603687e0e396a1f7e40c4311b3effb532725ef635f8ceb041aef6dea9bc32

Download Submit
C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
809KB

MD5
3d0d14a97f81aa3b2a671ba7fbe53772

SHA1
e5f47a807b4fbf257a8f9cfbb914a735ee81517f

SHA256
81aed57e1f33e3af3bd75227b7cd6d8fe700eafc44493aa323814d4f87aad7c4

SHA512
7f9b8ff71594bfa096a1eb15d0ceafa337b3787c275a0f35ae095433c28853d39197151826ab49a3fb984830e15d8c25fea3a704da717a6f3692b7e2a7e34bf9

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
153B

MD5
9bc033587397eb3fad74466a991d098a

SHA1
ab26aeb91de5303c7e4e0bc71a81547e8d4ad778

SHA256
01601aac5420062ce4ec97889f51d72f2fc5302b266fbf24dcb9783c8ebbdf9e

SHA512
e9880a1d0012c5bc6efe8801b07dc5dd94632e83baccb424dc4296e48ae9ebedd9392ba5f4c073a74557cdbf1b382ddcace2df9a27039cbb1ed5d66a40139abc

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
27B

MD5
e68460b4e81bc85700af3b0412d1b8ad

SHA1
a8704d8e87ed9a997c8e5eae685d61d8c07a2432

SHA256
375227b3ed9b17465476fc08cd51682e74aa442b3f513c4d9ea5c4c8f9aa7c2f

SHA512
e4299861f6233bdd2328d0a844e7487262e73486b58e911f74aacf608bea2e7698679c00b74e8100c67c1a792d233b773d3462ff939c466b2b9321980e37dce6

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
27B

MD5
b4f82a537b58726cf865218f9be2fbf6

SHA1
436d281d90cc558c7ff9fba73daeec56b19c685c

SHA256
d0b29e271264ce5c4dd345b4170b895e0315f25e3146ee3fb9a7748abfa92ea8

SHA512
4c0f7c3fbce3a0c7a8735b46e8c870527e0af6c7502dfa38a1e46ead5f42818488ae7ddf01a59333578210f6c5f4e035f6b053578f5a9378452dad2d84114957

Download Submit
C:\Program Files\Java\jre7\lib\zi\HST.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
27B

MD5
8732d31495dcda8a9497d296826f4e5d

SHA1
b7d6bba7aa9d6746ee5f5d699717ff731f9db073

SHA256
d18eea4aa0c55303ea95095a75ce9325da12cc4740695aa1c4b4806f8e6533ce

SHA512
66daa46720077f628930389fb04a546b557507110f6cba908304af946cb739ccf6e6201c121b1fd93f9bfc898a16a49368da24fb692be72b18a1ffec2d869e4f

Download Submit
C:\Program Files\Java\jre7\lib\zi\MST.key-JMKTPMYUOMTD.0xcf94dc203c744
Filesize
27B

MD5
d223cde449eb94a191872930f67b7bc8

SHA1
1de4a96af346b97f434addf4bf9ddecd92725539

SHA256
23bc967cfd6067878b6350b037a9034253d81f6e848d678322417447cecbeeae

SHA512
42c89d7910ae5211d05ec05d0d7921537a69718765b1687aaf1da9314723c5a30ec03c112c867dee592d6ad8f5a40c9eda85fe46ad85ca6c3876c4c9ac97d828

Download Submit
C:\Users\Public\Log.cmd
Filesize
60B

MD5
6a2f870841e0126632f5b9bf0d000d6a

SHA1
51689e26641f0eb054cd90553a21a472a2e79148

SHA256
4bcbb565ad2fd05a4fc458cd68254853cbcbf5749beffccb2b1e22b8a53ecb2f

SHA512
de089c5d2dd691c64e38bdc82a2a5266e65cf8f9fc40e2d60ecded7a775922ae5100cc406f09346fbaf402fc1fe3074ca29ecd64119f7c490381aee72780bdb0

Download Submit
memory/1692-66-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1692-59-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/1692-60-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1692-61-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1692-62-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1692-63-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1692-64-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1692-65-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads