af78e0907d4352f9405cd7e165f2f56c2a80c0654ee49cd7429b1f2ea8e5e031

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02/08/2023, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
Size

3.4MB
MD5

5ffa1b18aedd7733589b26349ee332ef
SHA1

7678a972575972f9a03bbebd364c01a1dc90c6cf
SHA256

e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d
SHA512

12608f4a4e13eedba32c07d31bd3b02e2c72dd2d269c0ad054ed711df802892c6fceb54b6baf157728116769f9cfde0d706adb2b089fcc8212f5ca18412bfb04
SSDEEP

49152:HNd9Lq8J35Irb/TYvO90d7HjmAFd4A64nsfJE8R3akbCKI66d+jtgJ7xYT2WQ118:f35CI64Y0QsNK

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
2160	wevtutil.exe
2516	wevtutil.exe
2548	wevtutil.exe
2532	wevtutil.exe
2268	wevtutil.exe
2736	wevtutil.exe
880	wevtutil.exe
1760	wevtutil.exe
1428	wevtutil.exe
1680	wevtutil.exe
1136	wevtutil.exe
1060	wevtutil.exe
2808	wevtutil.exe
2684	wevtutil.exe
2468	wevtutil.exe
1960	wevtutil.exe
2948	wevtutil.exe
1664	wevtutil.exe
1776	wevtutil.exe
1700	wevtutil.exe
2308	wevtutil.exe
2192	wevtutil.exe
2140	wevtutil.exe
1368	wevtutil.exe
2068	wevtutil.exe
612	wevtutil.exe
1628	wevtutil.exe
2156	wevtutil.exe
1952	wevtutil.exe
1416	wevtutil.exe
1384	wevtutil.exe
568	wevtutil.exe
2332	wevtutil.exe
1724	wevtutil.exe
2796	wevtutil.exe
3044	wevtutil.exe
2076	wevtutil.exe
2340	wevtutil.exe
2348	wevtutil.exe
2696	wevtutil.exe
1172	wevtutil.exe
2320	wevtutil.exe
540	wevtutil.exe
1296	wevtutil.exe
2400	wevtutil.exe
776	wevtutil.exe
2904	wevtutil.exe
2088	wevtutil.exe
1988	wevtutil.exe
1408	wevtutil.exe
1900	wevtutil.exe
644	wevtutil.exe
756	wevtutil.exe
2036	wevtutil.exe
1528	wevtutil.exe
1176	wevtutil.exe
1976	wevtutil.exe
2448	wevtutil.exe
1540	wevtutil.exe
1784	wevtutil.exe
1336	wevtutil.exe
1944	wevtutil.exe
1888	wevtutil.exe
1624	wevtutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Windows.json	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
File opened for modification	C:\Windows\System32\Log.cmd	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
File opened for modification	C:\Windows\System32\Del.cmd	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
File opened for modification	C:\Windows\System32\Trust.cmd	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Icon.png	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2840	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOVA64556\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOVA64556	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOVA64556\DefaultIcon\ = "C:\\Windows\\Icon.png"	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeSecurityPrivilege	2756	wevtutil.exe
Token: SeBackupPrivilege	2756	wevtutil.exe
Token: SeSecurityPrivilege	2716	wevtutil.exe
Token: SeBackupPrivilege	2716	wevtutil.exe
Token: SeSecurityPrivilege	2696	wevtutil.exe
Token: SeBackupPrivilege	2696	wevtutil.exe
Token: SeSecurityPrivilege	1988	wevtutil.exe
Token: SeBackupPrivilege	1988	wevtutil.exe
Token: SeSecurityPrivilege	2780	wevtutil.exe
Token: SeBackupPrivilege	2780	wevtutil.exe
Token: SeSecurityPrivilege	1848	wevtutil.exe
Token: SeBackupPrivilege	1848	wevtutil.exe
Token: SeSecurityPrivilege	1636	wevtutil.exe
Token: SeBackupPrivilege	1636	wevtutil.exe
Token: SeSecurityPrivilege	3040	wevtutil.exe
Token: SeBackupPrivilege	3040	wevtutil.exe
Token: SeSecurityPrivilege	1588	wevtutil.exe
Token: SeBackupPrivilege	1588	wevtutil.exe
Token: SeSecurityPrivilege	1368	wevtutil.exe
Token: SeBackupPrivilege	1368	wevtutil.exe
Token: SeSecurityPrivilege	1060	wevtutil.exe
Token: SeBackupPrivilege	1060	wevtutil.exe
Token: SeSecurityPrivilege	1968	wevtutil.exe
Token: SeBackupPrivilege	1968	wevtutil.exe
Token: SeSecurityPrivilege	2240	wevtutil.exe
Token: SeBackupPrivilege	2240	wevtutil.exe
Token: SeSecurityPrivilege	1172	wevtutil.exe
Token: SeBackupPrivilege	1172	wevtutil.exe
Token: SeSecurityPrivilege	3012	wevtutil.exe
Token: SeBackupPrivilege	3012	wevtutil.exe
Token: SeSecurityPrivilege	2184	wevtutil.exe
Token: SeBackupPrivilege	2184	wevtutil.exe
Token: SeSecurityPrivilege	1960	wevtutil.exe
Token: SeBackupPrivilege	1960	wevtutil.exe
Token: SeSecurityPrivilege	2984	wevtutil.exe
Token: SeBackupPrivilege	2984	wevtutil.exe
Token: SeSecurityPrivilege	2944	wevtutil.exe
Token: SeBackupPrivilege	2944	wevtutil.exe
Token: SeSecurityPrivilege	2948	wevtutil.exe
Token: SeBackupPrivilege	2948	wevtutil.exe
Token: SeSecurityPrivilege	3028	wevtutil.exe
Token: SeBackupPrivilege	3028	wevtutil.exe
Token: SeSecurityPrivilege	1924	wevtutil.exe
Token: SeBackupPrivilege	1924	wevtutil.exe
Token: SeSecurityPrivilege	1688	wevtutil.exe
Token: SeBackupPrivilege	1688	wevtutil.exe
Token: SeSecurityPrivilege	2156	wevtutil.exe
Token: SeBackupPrivilege	2156	wevtutil.exe
Token: SeSecurityPrivilege	3000	wevtutil.exe
Token: SeBackupPrivilege	3000	wevtutil.exe
Token: SeSecurityPrivilege	1344	wevtutil.exe
Token: SeBackupPrivilege	1344	wevtutil.exe
Token: SeSecurityPrivilege	2160	wevtutil.exe
Token: SeBackupPrivilege	2160	wevtutil.exe
Token: SeSecurityPrivilege	1880	wevtutil.exe
Token: SeBackupPrivilege	1880	wevtutil.exe
Token: SeSecurityPrivilege	1408	wevtutil.exe
Token: SeBackupPrivilege	1408	wevtutil.exe
Token: SeSecurityPrivilege	1952	wevtutil.exe
Token: SeBackupPrivilege	1952	wevtutil.exe
Token: SeSecurityPrivilege	1664	wevtutil.exe
Token: SeBackupPrivilege	1664	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2384	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	29
PID 2204 wrote to memory of 2384	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	29
PID 2204 wrote to memory of 2384	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	29
PID 2384 wrote to memory of 2440	2384	cmd.exe	30
PID 2384 wrote to memory of 2440	2384	cmd.exe	30
PID 2384 wrote to memory of 2440	2384	cmd.exe	30
PID 2204 wrote to memory of 2468	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	31
PID 2204 wrote to memory of 2468	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	31
PID 2204 wrote to memory of 2468	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	31
PID 2204 wrote to memory of 2488	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	32
PID 2204 wrote to memory of 2488	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	32
PID 2204 wrote to memory of 2488	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	32
PID 2488 wrote to memory of 2032	2488	cmd.exe	33
PID 2488 wrote to memory of 2032	2488	cmd.exe	33
PID 2488 wrote to memory of 2032	2488	cmd.exe	33
PID 2032 wrote to memory of 1884	2032	net.exe	34
PID 2032 wrote to memory of 1884	2032	net.exe	34
PID 2032 wrote to memory of 1884	2032	net.exe	34
PID 2204 wrote to memory of 2212	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	35
PID 2204 wrote to memory of 2212	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	35
PID 2204 wrote to memory of 2212	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	35
PID 2212 wrote to memory of 2200	2212	cmd.exe	36
PID 2212 wrote to memory of 2200	2212	cmd.exe	36
PID 2212 wrote to memory of 2200	2212	cmd.exe	36
PID 2200 wrote to memory of 2228	2200	net.exe	37
PID 2200 wrote to memory of 2228	2200	net.exe	37
PID 2200 wrote to memory of 2228	2200	net.exe	37
PID 2204 wrote to memory of 332	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	38
PID 2204 wrote to memory of 332	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	38
PID 2204 wrote to memory of 332	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	38
PID 332 wrote to memory of 2644	332	cmd.exe	39
PID 332 wrote to memory of 2644	332	cmd.exe	39
PID 332 wrote to memory of 2644	332	cmd.exe	39
PID 2644 wrote to memory of 2660	2644	net.exe	40
PID 2644 wrote to memory of 2660	2644	net.exe	40
PID 2644 wrote to memory of 2660	2644	net.exe	40
PID 2204 wrote to memory of 1084	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	41
PID 2204 wrote to memory of 1084	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	41
PID 2204 wrote to memory of 1084	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	41
PID 1084 wrote to memory of 2648	1084	cmd.exe	42
PID 1084 wrote to memory of 2648	1084	cmd.exe	42
PID 1084 wrote to memory of 2648	1084	cmd.exe	42
PID 2648 wrote to memory of 2288	2648	net.exe	43
PID 2648 wrote to memory of 2288	2648	net.exe	43
PID 2648 wrote to memory of 2288	2648	net.exe	43
PID 2204 wrote to memory of 2592	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	44
PID 2204 wrote to memory of 2592	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	44
PID 2204 wrote to memory of 2592	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	44
PID 2592 wrote to memory of 2796	2592	cmd.exe	45
PID 2592 wrote to memory of 2796	2592	cmd.exe	45
PID 2592 wrote to memory of 2796	2592	cmd.exe	45
PID 2796 wrote to memory of 3068	2796	net.exe	46
PID 2796 wrote to memory of 3068	2796	net.exe	46
PID 2796 wrote to memory of 3068	2796	net.exe	46
PID 2204 wrote to memory of 2904	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	47
PID 2204 wrote to memory of 2904	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	47
PID 2204 wrote to memory of 2904	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	47
PID 2904 wrote to memory of 620	2904	cmd.exe	48
PID 2904 wrote to memory of 620	2904	cmd.exe	48
PID 2904 wrote to memory of 620	2904	cmd.exe	48
PID 620 wrote to memory of 2444	620	net.exe	49
PID 620 wrote to memory of 2444	620	net.exe	49
PID 620 wrote to memory of 2444	620	net.exe	49
PID 2204 wrote to memory of 2088	2204	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	50

C:\Users\Admin\AppData\Local\Temp\e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
"C:\Users\Admin\AppData\Local\Temp\e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\cmd.exe
  cmd /C "reg add HKEY_CLASSES_ROOT\.NOVA64556\DefaultIcon /t REG_SZ /d C:\Windows\Icon.png /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\.NOVA64556\DefaultIcon /t REG_SZ /d C:\Windows\Icon.png /f
    3⤵
    - Modifies registry class
    PID:2440
- C:\Windows\system32\cmd.exe
  cmd /C "iisreset /stop"
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  cmd /C "NET STOP IISADMIN"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\net.exe
    NET STOP IISADMIN
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 STOP IISADMIN
      4⤵
      PID:1884
- C:\Windows\system32\cmd.exe
  cmd /C "net stop WAS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\net.exe
    net stop WAS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WAS
      4⤵
      PID:2228
- C:\Windows\system32\cmd.exe
  cmd /C "NET stop MSSQLSERVER"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\system32\net.exe
    NET stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2660
- C:\Windows\system32\cmd.exe
  cmd /C "NET stop \"SQL Server (MSSQLSERVER)\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\net.exe
    NET stop \"SQL Server (MSSQLSERVER)\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop \"SQL Server (MSSQLSERVER)\"
      4⤵
      PID:2288
- C:\Windows\system32\cmd.exe
  cmd /C "net stop MSSQL$SQLEXPRESS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:3068
- C:\Windows\system32\cmd.exe
  cmd /C "net stop SQLSERVERAGENT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:2444
- C:\Windows\system32\cmd.exe
  cmd /C "net stop mysql"
  2⤵
  PID:2088
- - C:\Windows\system32\net.exe
    net stop mysql
    3⤵
    PID:2352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mysql
      4⤵
      PID:2412
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sql*"
  2⤵
  PID:2852
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- C:\Windows\system32\cmd.exe
  cmd /C "Del /S /F /Q %Windir%\Temp"
  2⤵
  PID:2880
- C:\Windows\system32\cmd.exe
  cmd /C C:\Windows\System32\Log.cmd
  2⤵
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "wevtutil el | Foreach-Object {wevtutil cl "$_"}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Application
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl DebugChannel
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3040
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2240
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Media Center"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEDVTOOL/Diagnostic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1924
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2156
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3000
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-API-Tracing/Operational
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1344
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1880
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AltTab/Diagnostic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:1760
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      Clears Windows event logs
      PID:2400
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      Clears Windows event logs
      PID:2448
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:308
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Problem-Steps-Recorder
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
      4⤵
      PID:1372
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
      4⤵
      PID:584
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory/Debug
      4⤵
      Clears Windows event logs
      PID:1888
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
      4⤵
      PID:2236
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
      4⤵
      Clears Windows event logs
      PID:1700
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
      4⤵
      Clears Windows event logs
      PID:1528
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
      4⤵
      PID:292
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
      4⤵
      Clears Windows event logs
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      Clears Windows event logs
      PID:2516
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
      4⤵
      Clears Windows event logs
      PID:568
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
      4⤵
      Clears Windows event logs
      PID:1176
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
      4⤵
      PID:1484
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
      4⤵
      Clears Windows event logs
      PID:644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
      4⤵
      PID:1152
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
      4⤵
      Clears Windows event logs
      PID:1540
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
      4⤵
      PID:1908
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
      4⤵
      Clears Windows event logs
      PID:1784
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
      4⤵
      Clears Windows event logs
      PID:1624
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
      4⤵
      Clears Windows event logs
      PID:776
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
      4⤵
      Clears Windows event logs
      PID:2808
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
      4⤵
      PID:1560
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
      4⤵
      Clears Windows event logs
      PID:756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Tracing
      4⤵
      PID:1468
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Calculator/Debug
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Calculator/Diagnostic
      4⤵
      PID:836
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertPoleEng/Operational
      4⤵
      PID:904
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
      4⤵
      Clears Windows event logs
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic
      4⤵
      PID:616
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CmiSetup/Analytic
      4⤵
      PID:2388
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Operational
      4⤵
      Clears Windows event logs
      PID:2548
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Verbose
      4⤵
      Clears Windows event logs
      PID:2308
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Analytic
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Debug
      4⤵
      PID:2264
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
      4⤵
      PID:2512
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
      4⤵
      PID:2132
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CredUI/Diagnostic
      4⤵
      PID:560
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RNG/Analytic
      4⤵
      Clears Windows event logs
      PID:2332
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/Analytic
      4⤵
      Clears Windows event logs
      PID:2320
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/PerfTiming
      4⤵
      Clears Windows event logs
      PID:2684
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DCLocator/Debug
      4⤵
      PID:2612
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DNS-Client/Operational
      4⤵
      PID:884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUI/Diagnostic
      4⤵
      PID:2252
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUSER/Diagnostic
      4⤵
      PID:1524
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Analytic
      4⤵
      PID:1704
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Logging
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXP/Analytic
      4⤵
      PID:1612
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Analytic
      4⤵
      PID:1608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Debug
      4⤵
      Clears Windows event logs
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Operational
      4⤵
      PID:2312
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deplorch/Analytic
      4⤵
      Clears Windows event logs
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Analytic
      4⤵
      PID:2044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Operational
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Informational
      4⤵
      Clears Windows event logs
      PID:2192
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Performance
      4⤵
      PID:2212
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Admin
      4⤵
      PID:2644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Operational
      4⤵
      PID:2656
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DhcpNap/Admin
      4⤵
      PID:2648
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DhcpNap/Operational
      4⤵
      PID:2792
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Admin
      4⤵
      Clears Windows event logs
      PID:2796
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Operational
      4⤵
      PID:1076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiagCpl/Debug
      4⤵
      PID:2500
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Analytic
      4⤵
      Clears Windows event logs
      PID:2904
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Debug
      4⤵
      PID:2104
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Operational
      4⤵
      Clears Windows event logs
      PID:2088
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-MSDE/Debug
      4⤵
      Clears Windows event logs
      PID:2736
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Analytic
      4⤵
      PID:2972
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Debug
      4⤵
      PID:2856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Operational
      4⤵
      PID:2428
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Debug
      4⤵
      PID:2876
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Operational
      4⤵
      PID:2724
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Perfhost/Analytic
      4⤵
      PID:2456
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scheduled/Operational
      4⤵
      Clears Windows event logs
      PID:1336
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Admin
      4⤵
      Clears Windows event logs
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Analytic
      4⤵
      PID:2112
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Debug
      4⤵
      PID:2436
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Operational
      4⤵
      PID:2464
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
      4⤵
      Clears Windows event logs
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-TaskManager/Debug
      4⤵
      PID:1308
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDC/Analytic
      4⤵
      PID:808
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDI/Debug
      4⤵
      PID:1748
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Debug
      4⤵
      Clears Windows event logs
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Operational
      4⤵
      PID:1200
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic
      4⤵
      Clears Windows event logs
      PID:880
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic
      4⤵
      PID:2680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic
      4⤵
      Clears Windows event logs
      PID:1628
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback
      4⤵
      PID:3004
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Operational
      4⤵
      Clears Windows event logs
      PID:1976
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10/Analytic
      4⤵
      PID:2184
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10_1/Analytic
      4⤵
      Clears Windows event logs
      PID:1960
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Analytic
      4⤵
      PID:2984
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Logging
      4⤵
      PID:2944
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/PerfTiming
      4⤵
      Clears Windows event logs
      PID:2948
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectShow-KernelSupport/Performance
      4⤵
      PID:3028
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectSound/Debug
      4⤵
      PID:1924
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectWrite-FontCache/Tracing
      4⤵
      PID:1688
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectWrite/Tracing
      4⤵
      Clears Windows event logs
      PID:2156
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Disk/Operational
      4⤵
      PID:3000
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnostic/Operational
      4⤵
      PID:1344
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
      4⤵
      PID:2160
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticResolver/Operational
      4⤵
      PID:1880
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Debug
      4⤵
      Clears Windows event logs
      PID:1408
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Operational
      4⤵
      Clears Windows event logs
      PID:1952
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplaySwitch/Diagnostic
      4⤵
      Clears Windows event logs
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Documents/Performance
      4⤵
      Clears Windows event logs
      PID:1760
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
      4⤵
      PID:2400
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Diagnostic
      4⤵
      PID:2448
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Performance
      4⤵
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxpTaskRingtone/Analytic
      4⤵
      PID:308
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxpTaskSyncProvider/Analytic
      4⤵
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EFS/Debug
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Analytic
      4⤵
      PID:1372
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Debug
      4⤵
      Clears Windows event logs
      PID:2076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Operational
      4⤵
      PID:2188
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EaseOfAccess/Diagnostic
      4⤵
      Clears Windows event logs
      PID:1416
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Debug
      4⤵
      PID:2136
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Operational
      4⤵
      PID:268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog-WMIProvider/Debug
      4⤵
      Clears Windows event logs
      PID:1900
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Analytic
      4⤵
      PID:288
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Debug
      4⤵
      PID:1472
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Analytic
      4⤵
      PID:2232
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Debug
      4⤵
      PID:580
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Operational
      4⤵
      Clears Windows event logs
      PID:1384
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FailoverClustering-Client/Diagnostic
      4⤵
      Clears Windows event logs
      PID:2140
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
      4⤵
      Clears Windows event logs
      PID:540
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Feedback-Service-TriggerProvider
      4⤵
      Clears Windows event logs
      PID:1428
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileInfoMinifilter/Operational
      4⤵
      PID:2000
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Firewall-CPL/Diagnostic
      4⤵
      PID:1696
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:2800
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Debug
      4⤵
      Clears Windows event logs
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Operational
      4⤵
      Clears Windows event logs
      PID:1776
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GettingStarted/Diagnostic
      4⤵
      PID:1740
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GroupPolicy/Operational
      4⤵
      Clears Windows event logs
      PID:1680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HAL/Debug
      4⤵
      PID:796
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Debug
      4⤵
      PID:596
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Performance
      4⤵
      PID:1744
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenterCPL/Performance
      4⤵
      Clears Windows event logs
      PID:1944
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Help/Operational
      4⤵
      PID:2596
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:1940
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:1008
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:888
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:2080
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      Clears Windows event logs
      PID:2532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HomeGroup-ListenerService
      4⤵
      PID:1544
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotStart/Diagnostic
      4⤵
      PID:712
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Trace
      4⤵
      Clears Windows event logs
      PID:2340
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKE/Operational
      4⤵
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKEDBG/Debug
      4⤵
      Clears Windows event logs
      PID:2268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPBusEnum/Tracing
      4⤵
      Clears Windows event logs
      PID:1136
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPSEC-SRV/Diagnostic
      4⤵
      PID:980
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
      4⤵
      Clears Windows event logs
      PID:2348
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International/Operational
      4⤵
      PID:364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Debug
      4⤵
      PID:1212
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Operational
      4⤵
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Log.cmd

Filesize
60B

MD5
6a2f870841e0126632f5b9bf0d000d6a

SHA1
51689e26641f0eb054cd90553a21a472a2e79148

SHA256
4bcbb565ad2fd05a4fc458cd68254853cbcbf5749beffccb2b1e22b8a53ecb2f

SHA512
de089c5d2dd691c64e38bdc82a2a5266e65cf8f9fc40e2d60ecded7a775922ae5100cc406f09346fbaf402fc1fe3074ca29ecd64119f7c490381aee72780bdb0

Download Submit
memory/2768-60-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2768-61-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2768-62-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-64-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-63-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-65-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-66-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-67-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-68-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-69-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-70-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-71-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-72-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-73-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2768-74-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download