af78e0907d4352f9405cd7e165f2f56c2a80c0654ee49cd7429b1f2ea8e5e031

Analysis

max time kernel
54s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
Size

3.4MB
MD5

5ffa1b18aedd7733589b26349ee332ef
SHA1

7678a972575972f9a03bbebd364c01a1dc90c6cf
SHA256

e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d
SHA512

12608f4a4e13eedba32c07d31bd3b02e2c72dd2d269c0ad054ed711df802892c6fceb54b6baf157728116769f9cfde0d706adb2b089fcc8212f5ca18412bfb04
SSDEEP

49152:HNd9Lq8J35Irb/TYvO90d7HjmAFd4A64nsfJE8R3akbCKI66d+jtgJ7xYT2WQ118:f35CI64Y0QsNK

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
4084	wevtutil.exe
4124	wevtutil.exe
3168	wevtutil.exe
2468	wevtutil.exe
1320	wevtutil.exe
4556	wevtutil.exe
2456	wevtutil.exe
5016	wevtutil.exe
4556	wevtutil.exe
4184	wevtutil.exe
1904	wevtutil.exe
1232	wevtutil.exe
3868	wevtutil.exe
4884	wevtutil.exe
1908	wevtutil.exe
3684	wevtutil.exe
4640	wevtutil.exe
1264	wevtutil.exe
1224	wevtutil.exe
4640	wevtutil.exe
4088	wevtutil.exe
1684	wevtutil.exe
3928	wevtutil.exe
4184	wevtutil.exe
4376	wevtutil.exe
1868	wevtutil.exe
1856	wevtutil.exe
2884	wevtutil.exe
3312	wevtutil.exe
648	wevtutil.exe
3092	wevtutil.exe
4076	wevtutil.exe
1032	wevtutil.exe
1672	wevtutil.exe
2356	wevtutil.exe
3432	wevtutil.exe
3492	wevtutil.exe
4856	wevtutil.exe
3524	wevtutil.exe
1124	wevtutil.exe
4328	wevtutil.exe
2412	wevtutil.exe
4588	wevtutil.exe
3516	wevtutil.exe
3208	wevtutil.exe
1260	wevtutil.exe
3596	wevtutil.exe
4100	wevtutil.exe
2884	wevtutil.exe
840	wevtutil.exe
4152	wevtutil.exe
1320	wevtutil.exe
2060	wevtutil.exe
1032	wevtutil.exe
3300	wevtutil.exe
236	wevtutil.exe
3492	wevtutil.exe
3956	wevtutil.exe
4528	wevtutil.exe
5104	wevtutil.exe
3492	wevtutil.exe
3196	wevtutil.exe
3448	wevtutil.exe
1208	wevtutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Trust.cmd	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
File opened for modification	C:\Windows\System32\Windows.json	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
File opened for modification	C:\Windows\System32\Log.cmd	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
File opened for modification	C:\Windows\System32\Del.cmd	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Icon.png	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1260	1476	WerFault.exe	188
3928	2044	WerFault.exe	254
2356	3324	WerFault.exe	301
3856	60	WerFault.exe	346
528	3836	WerFault.exe	394

Kills process with taskkill 1 IoCs

evasion

pid	Process
3756	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "CC"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	wevtutil.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "804"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	wevtutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0"	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	wevtutil.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "0"	wevtutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40A;C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.NOVA6e648\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	wevtutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Anywhere;Trailing"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\NumberOfSubdomains = "0"	wevtutil.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4984	powershell.exe
4984	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeSecurityPrivilege	4564	wevtutil.exe
Token: SeBackupPrivilege	4564	wevtutil.exe
Token: SeSecurityPrivilege	2584	wevtutil.exe
Token: SeBackupPrivilege	2584	wevtutil.exe
Token: SeSecurityPrivilege	3420	wevtutil.exe
Token: SeBackupPrivilege	3420	wevtutil.exe
Token: SeSecurityPrivilege	3060	wevtutil.exe
Token: SeBackupPrivilege	3060	wevtutil.exe
Token: SeSecurityPrivilege	1948	wevtutil.exe
Token: SeBackupPrivilege	1948	wevtutil.exe
Token: SeSecurityPrivilege	1424	wevtutil.exe
Token: SeBackupPrivilege	1424	wevtutil.exe
Token: SeSecurityPrivilege	5116	wevtutil.exe
Token: SeBackupPrivilege	5116	wevtutil.exe
Token: SeSecurityPrivilege	460	wevtutil.exe
Token: SeBackupPrivilege	460	wevtutil.exe
Token: SeSecurityPrivilege	952	wevtutil.exe
Token: SeBackupPrivilege	952	wevtutil.exe
Token: SeSecurityPrivilege	4044	wevtutil.exe
Token: SeBackupPrivilege	4044	wevtutil.exe
Token: SeSecurityPrivilege	3400	wevtutil.exe
Token: SeBackupPrivilege	3400	wevtutil.exe
Token: SeSecurityPrivilege	2044	wevtutil.exe
Token: SeBackupPrivilege	2044	wevtutil.exe
Token: SeSecurityPrivilege	4868	wevtutil.exe
Token: SeBackupPrivilege	4868	wevtutil.exe
Token: SeSecurityPrivilege	4556	wevtutil.exe
Token: SeBackupPrivilege	4556	wevtutil.exe
Token: SeSecurityPrivilege	3496	wevtutil.exe
Token: SeBackupPrivilege	3496	wevtutil.exe
Token: SeSecurityPrivilege	3868	wevtutil.exe
Token: SeBackupPrivilege	3868	wevtutil.exe
Token: SeSecurityPrivilege	1544	wevtutil.exe
Token: SeBackupPrivilege	1544	wevtutil.exe
Token: SeSecurityPrivilege	3092	wevtutil.exe
Token: SeBackupPrivilege	3092	wevtutil.exe
Token: SeSecurityPrivilege	2196	wevtutil.exe
Token: SeBackupPrivilege	2196	wevtutil.exe
Token: SeSecurityPrivilege	4848	wevtutil.exe
Token: SeBackupPrivilege	4848	wevtutil.exe
Token: SeSecurityPrivilege	4108	wevtutil.exe
Token: SeBackupPrivilege	4108	wevtutil.exe
Token: SeSecurityPrivilege	4636	wevtutil.exe
Token: SeBackupPrivilege	4636	wevtutil.exe
Token: SeSecurityPrivilege	1280	wevtutil.exe
Token: SeBackupPrivilege	1280	wevtutil.exe
Token: SeSecurityPrivilege	4612	wevtutil.exe
Token: SeBackupPrivilege	4612	wevtutil.exe
Token: SeSecurityPrivilege	3444	wevtutil.exe
Token: SeBackupPrivilege	3444	wevtutil.exe
Token: SeSecurityPrivilege	3332	wevtutil.exe
Token: SeBackupPrivilege	3332	wevtutil.exe
Token: SeManageVolumePrivilege	3688	svchost.exe
Token: SeSecurityPrivilege	1908	wevtutil.exe
Token: SeBackupPrivilege	1908	wevtutil.exe
Token: SeSecurityPrivilege	4692	wevtutil.exe
Token: SeBackupPrivilege	4692	wevtutil.exe
Token: SeSecurityPrivilege	1112	wevtutil.exe
Token: SeBackupPrivilege	1112	wevtutil.exe
Token: SeSecurityPrivilege	3848	wevtutil.exe
Token: SeBackupPrivilege	3848	wevtutil.exe
Token: SeSecurityPrivilege	3948	wevtutil.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
60	SearchApp.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1476	SearchApp.exe
2044	SearchApp.exe
3324	SearchApp.exe
60	SearchApp.exe
3836	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 5116	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	86
PID 5000 wrote to memory of 5116	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	86
PID 5116 wrote to memory of 4836	5116	cmd.exe	87
PID 5116 wrote to memory of 4836	5116	cmd.exe	87
PID 5000 wrote to memory of 3392	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	88
PID 5000 wrote to memory of 3392	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	88
PID 5000 wrote to memory of 1728	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	89
PID 5000 wrote to memory of 1728	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	89
PID 1728 wrote to memory of 3896	1728	cmd.exe	90
PID 1728 wrote to memory of 3896	1728	cmd.exe	90
PID 3896 wrote to memory of 4368	3896	net.exe	91
PID 3896 wrote to memory of 4368	3896	net.exe	91
PID 5000 wrote to memory of 1128	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	92
PID 5000 wrote to memory of 1128	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	92
PID 1128 wrote to memory of 1396	1128	cmd.exe	93
PID 1128 wrote to memory of 1396	1128	cmd.exe	93
PID 1396 wrote to memory of 4192	1396	net.exe	94
PID 1396 wrote to memory of 4192	1396	net.exe	94
PID 5000 wrote to memory of 4872	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	95
PID 5000 wrote to memory of 4872	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	95
PID 4872 wrote to memory of 1284	4872	cmd.exe	96
PID 4872 wrote to memory of 1284	4872	cmd.exe	96
PID 1284 wrote to memory of 2412	1284	net.exe	97
PID 1284 wrote to memory of 2412	1284	net.exe	97
PID 5000 wrote to memory of 4000	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	99
PID 5000 wrote to memory of 4000	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	99
PID 4000 wrote to memory of 4924	4000	cmd.exe	100
PID 4000 wrote to memory of 4924	4000	cmd.exe	100
PID 4924 wrote to memory of 4396	4924	net.exe	101
PID 4924 wrote to memory of 4396	4924	net.exe	101
PID 5000 wrote to memory of 2804	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	102
PID 5000 wrote to memory of 2804	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	102
PID 2804 wrote to memory of 4440	2804	cmd.exe	103
PID 2804 wrote to memory of 4440	2804	cmd.exe	103
PID 4440 wrote to memory of 2044	4440	net.exe	104
PID 4440 wrote to memory of 2044	4440	net.exe	104
PID 5000 wrote to memory of 1332	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	105
PID 5000 wrote to memory of 1332	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	105
PID 1332 wrote to memory of 3580	1332	cmd.exe	106
PID 1332 wrote to memory of 3580	1332	cmd.exe	106
PID 3580 wrote to memory of 4464	3580	net.exe	107
PID 3580 wrote to memory of 4464	3580	net.exe	107
PID 5000 wrote to memory of 3196	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	108
PID 5000 wrote to memory of 3196	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	108
PID 3196 wrote to memory of 1544	3196	cmd.exe	109
PID 3196 wrote to memory of 1544	3196	cmd.exe	109
PID 1544 wrote to memory of 2732	1544	net.exe	110
PID 1544 wrote to memory of 2732	1544	net.exe	110
PID 5000 wrote to memory of 4108	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	111
PID 5000 wrote to memory of 4108	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	111
PID 4108 wrote to memory of 3756	4108	cmd.exe	112
PID 4108 wrote to memory of 3756	4108	cmd.exe	112
PID 5000 wrote to memory of 4412	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	116
PID 5000 wrote to memory of 4412	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	116
PID 5000 wrote to memory of 2952	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	117
PID 5000 wrote to memory of 2952	5000	e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe	117
PID 2952 wrote to memory of 4984	2952	cmd.exe	119
PID 2952 wrote to memory of 4984	2952	cmd.exe	119
PID 4984 wrote to memory of 4564	4984	powershell.exe	123
PID 4984 wrote to memory of 4564	4984	powershell.exe	123
PID 4984 wrote to memory of 2584	4984	powershell.exe	124
PID 4984 wrote to memory of 2584	4984	powershell.exe	124
PID 4984 wrote to memory of 3420	4984	powershell.exe	126
PID 4984 wrote to memory of 3420	4984	powershell.exe	126

C:\Users\Admin\AppData\Local\Temp\e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe
"C:\Users\Admin\AppData\Local\Temp\e8b02f4683dc4c841454495c018e6427781c830498fecb6c6d9381e6ab77f16d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\system32\cmd.exe
  cmd /C "reg add HKEY_CLASSES_ROOT\.NOVA6e648\DefaultIcon /t REG_SZ /d C:\Windows\Icon.png /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\.NOVA6e648\DefaultIcon /t REG_SZ /d C:\Windows\Icon.png /f
    3⤵
    - Modifies registry class
    PID:4836
- C:\Windows\system32\cmd.exe
  cmd /C "iisreset /stop"
  2⤵
  PID:3392
- C:\Windows\system32\cmd.exe
  cmd /C "NET STOP IISADMIN"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\net.exe
    NET STOP IISADMIN
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 STOP IISADMIN
      4⤵
      PID:4368
- C:\Windows\system32\cmd.exe
  cmd /C "net stop WAS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\system32\net.exe
    net stop WAS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WAS
      4⤵
      PID:4192
- C:\Windows\system32\cmd.exe
  cmd /C "NET stop MSSQLSERVER"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\net.exe
    NET stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2412
- C:\Windows\system32\cmd.exe
  cmd /C "NET stop \"SQL Server (MSSQLSERVER)\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\net.exe
    NET stop \"SQL Server (MSSQLSERVER)\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop \"SQL Server (MSSQLSERVER)\"
      4⤵
      PID:4396
- C:\Windows\system32\cmd.exe
  cmd /C "net stop MSSQL$SQLEXPRESS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:2044
- C:\Windows\system32\cmd.exe
  cmd /C "net stop SQLSERVERAGENT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:4464
- C:\Windows\system32\cmd.exe
  cmd /C "net stop mysql"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\system32\net.exe
    net stop mysql
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mysql
      4⤵
      PID:2732
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sql*"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Windows\system32\cmd.exe
  cmd /C "Del /S /F /Q %Windir%\Temp"
  2⤵
  PID:4412
- C:\Windows\system32\cmd.exe
  cmd /C C:\Windows\System32\Log.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "wevtutil el | Foreach-Object {wevtutil cl "$_"}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3420
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Application
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1948
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1424
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:460
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3400
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "General Logging"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:4556
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3496
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3092
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1280
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3332
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4692
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3948
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
      4⤵
      PID:3096
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
      4⤵
      PID:4132
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
      4⤵
      PID:4212
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
      4⤵
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
      4⤵
      PID:3696
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
      4⤵
      PID:4344
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
      4⤵
      PID:448
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
      4⤵
      PID:3268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
      4⤵
      PID:2596
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
      4⤵
      PID:2244
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
      4⤵
      PID:1320
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
      4⤵
      PID:4168
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
      4⤵
      PID:1716
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
      4⤵
      PID:1472
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
      4⤵
      PID:4000
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
      4⤵
      PID:4044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
      4⤵
      PID:3400
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
      4⤵
      PID:3652
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
      4⤵
      PID:4100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
      4⤵
      PID:1032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
      4⤵
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
      4⤵
      PID:1904
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
      4⤵
      Clears Windows event logs
      PID:648
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
      4⤵
      PID:3496
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
      4⤵
      PID:3868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
      4⤵
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
      4⤵
      PID:1620
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
      4⤵
      PID:4832
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
      4⤵
      PID:3876
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
      4⤵
      PID:3108
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
      4⤵
      PID:3956
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
      4⤵
      PID:3948
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
      4⤵
      PID:3096
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
      4⤵
      PID:3488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
      4⤵
      PID:3680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
      4⤵
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
      4⤵
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
      4⤵
      PID:4380
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
      4⤵
      PID:1284
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
      4⤵
      PID:4156
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
      4⤵
      PID:3596
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:4084
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:4440
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
      4⤵
      PID:3652
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
      4⤵
      Clears Windows event logs
      PID:4100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
      4⤵
      Clears Windows event logs
      PID:1032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
      4⤵
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
      4⤵
      PID:2448
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
      4⤵
      PID:404
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
      4⤵
      PID:1332
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
      4⤵
      PID:2760
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
      4⤵
      Clears Windows event logs
      PID:4528
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
      4⤵
      PID:1488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
      4⤵
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
      4⤵
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
      4⤵
      PID:3448
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
      4⤵
      PID:5104
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
      4⤵
      Clears Windows event logs
      PID:3928
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
      4⤵
      PID:3876
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
      4⤵
      PID:444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
      4⤵
      PID:3840
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
      4⤵
      PID:4576
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:5036
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:3956
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
      4⤵
      Clears Windows event logs
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
      4⤵
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
      4⤵
      PID:3488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
      4⤵
      PID:3680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
      4⤵
      PID:1364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
      4⤵
      PID:528
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
      4⤵
      PID:968
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
      4⤵
      PID:672
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
      4⤵
      PID:2956
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
      4⤵
      PID:3100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
      4⤵
      PID:1472
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
      4⤵
      PID:5016
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
      4⤵
      PID:4608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
      4⤵
      PID:4340
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
      4⤵
      PID:3836
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
      4⤵
      PID:4900
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
      4⤵
      PID:2196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
      4⤵
      Clears Windows event logs
      PID:3092
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
      4⤵
      PID:1868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
      4⤵
      PID:2376
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
      4⤵
      PID:4588
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:1232
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
      4⤵
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
      4⤵
      PID:4680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
      4⤵
      PID:5036
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
      4⤵
      PID:2116
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/HCI
      4⤵
      PID:3096
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/L2CAP
      4⤵
      PID:2920
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Diagnostic
      4⤵
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Performance
      4⤵
      PID:3432
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic
      4⤵
      Clears Windows event logs
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
      4⤵
      PID:4320
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
      4⤵
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
      4⤵
      PID:4924
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
      4⤵
      PID:2668
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Battery/Diagnostic
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Analytic
      4⤵
      PID:4556
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
      4⤵
      PID:1332
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
      4⤵
      PID:2760
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-Driver-Performance/Operational
      4⤵
      PID:3836
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
      4⤵
      PID:3756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
      4⤵
      PID:1764
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker/Tracing
      4⤵
      PID:3020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
      4⤵
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
      4⤵
      PID:3160
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Bthmini/Operational
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1476
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Policy/Operational
      4⤵
      PID:4244
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
      4⤵
      PID:4168
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
      4⤵
      PID:4832
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheMonitoring/Analytic
      4⤵
      PID:4692
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
      4⤵
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
      4⤵
      PID:1744
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
      4⤵
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
      4⤵
      PID:2520
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
      4⤵
      Clears Windows event logs
      PID:236
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentInitialize
      4⤵
      PID:1364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentUninitialize
      4⤵
      PID:3100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Call
      4⤵
      PID:3264
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/CreateInstance
      4⤵
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ExtensionCatalog
      4⤵
      PID:4972
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/FreeUnusedLibrary
      4⤵
      PID:2480
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/RundownInstrumentation
      4⤵
      PID:4360
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Activations
      4⤵
      PID:4044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/MessageProcessing
      4⤵
      PID:4504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Tracing
      4⤵
      PID:2668
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertPoleEng/Operational
      4⤵
      PID:752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
      4⤵
      PID:648
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Cleanmgr/Diagnostic
      4⤵
      PID:3868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Debug
      4⤵
      PID:4900
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Operational
      4⤵
      PID:5044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CmiSetup/Analytic
      4⤵
      PID:3196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Operational
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Verbose
      4⤵
      PID:2824
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Analytic
      4⤵
      PID:4884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Debug
      4⤵
      PID:4136
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Compat-Appraiser/Analytic
      4⤵
      Clears Windows event logs
      PID:4588
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Compat-Appraiser/Operational
      4⤵
      PID:388
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-BindFlt/Debug
      4⤵
      Clears Windows event logs
      PID:1264
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-BindFlt/Operational
      4⤵
      PID:4268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcifs/Debug
      4⤵
      PID:1232
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcifs/Operational
      4⤵
      PID:4580
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcnfs/Debug
      4⤵
      PID:4680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcnfs/Operational
      4⤵
      PID:444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Diagnostic
      4⤵
      PID:1744
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Operational
      4⤵
      PID:3680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Tracing
      4⤵
      Clears Windows event logs
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug
      4⤵
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
      4⤵
      PID:3060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreWindow/Analytic
      4⤵
      PID:4152
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreWindow/Debug
      4⤵
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
      4⤵
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
      4⤵
      Clears Windows event logs
      PID:3492
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crashdump/Operational
      4⤵
      Clears Windows event logs
      PID:3516
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CredUI/Diagnostic
      4⤵
      PID:3436
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-BCRYPT/Analytic
      4⤵
      PID:3672
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-CNG/Analytic
      4⤵
      PID:3984
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
      4⤵
      PID:3488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Debug
      4⤵
      PID:2116
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Operational
      4⤵
      PID:4212
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DSSEnh/Analytic
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-NCrypt/Operational
      4⤵
      PID:2784
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RNG/Analytic
      4⤵
      PID:1508
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RSAEnh/Analytic
      4⤵
      PID:3020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/Analytic
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/PerfTiming
      4⤵
      Clears Windows event logs
      PID:3196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAL-Provider/Analytic
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAL-Provider/Operational
      4⤵
      PID:1620
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAMM/Diagnostic
      4⤵
      PID:2780
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DCLocator/Debug
      4⤵
      PID:1420
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DDisplay/Analytic
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DDisplay/Logging
      4⤵
      PID:4268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DLNA-Namespace/Analytic
      4⤵
      Clears Windows event logs
      PID:5104
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DNS-Client/Operational
      4⤵
      PID:3124
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Admin
      4⤵
      PID:2192
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Analytic
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Debug
      4⤵
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Operational
      4⤵
      PID:4456
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUI/Diagnostic
      4⤵
      PID:5080
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUSER/Diagnostic
      4⤵
      Clears Windows event logs
      PID:3448
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Analytic
      4⤵
      PID:3928
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Logging
      4⤵
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXP/Analytic
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Data-Pdf/Debug
      4⤵
      Clears Windows event logs
      PID:1320
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/Admin
      4⤵
      PID:2456
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/CrashRecovery
      4⤵
      Clears Windows event logs
      PID:3492
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Analytic
      4⤵
      PID:2480
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Debug
      4⤵
      PID:1472
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Operational
      4⤵
      PID:3516
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Diagnostic
      4⤵
      PID:1060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Operational
      4⤵
      PID:4856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Performance
      4⤵
      PID:1332
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Scrubbing
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Defrag-Core/Debug
      4⤵
      PID:2588
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deplorch/Analytic
      4⤵
      PID:1300
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DesktopActivityModerator/Diagnostic
      4⤵
      Clears Windows event logs
      PID:3868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceAssociationService/Performance
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceConfidence/Analytic
      4⤵
      PID:1508
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceGuard/Operational
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceGuard/Verbose
      4⤵
      Clears Windows event logs
      PID:4556
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
      4⤵
      PID:1264
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
      4⤵
      PID:1128
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Admin
      4⤵
      PID:4832
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Analytic
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Debug
      4⤵
      Clears Windows event logs
      PID:3956
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Operational
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Analytic
      4⤵
      PID:1744
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Operational
      4⤵
      PID:3680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUpdateAgent/Operational
      4⤵
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Informational
      4⤵
      PID:4460
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Performance
      4⤵
      PID:3060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Devices-Background/Operational
      4⤵
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Admin
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Operational
      4⤵
      PID:1320
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Admin
      4⤵
      Clears Windows event logs
      PID:2456
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Operational
      4⤵
      Clears Windows event logs
      PID:3492
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiagCpl/Debug
      4⤵
      PID:2480
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic
      4⤵
      PID:1472
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Analytic
      4⤵
      PID:3516
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Debug
      4⤵
      PID:1060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Operational
      4⤵
      PID:4856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-MSDE/Debug
      4⤵
      PID:1332
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Analytic
      4⤵
      PID:4900
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Debug
      4⤵
      PID:3868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Operational
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Debug
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Operational
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Perfhost/Analytic
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scheduled/Operational
      4⤵
      PID:4244
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Admin
      4⤵
      PID:4136
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Analytic
      4⤵
      PID:1908
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Debug
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Operational
      4⤵
      PID:4424
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug
      4⤵
      Clears Windows event logs
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
      4⤵
      PID:4368
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDC/Analytic
      4⤵
      PID:3684
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDI/Debug
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Debug
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Operational
      4⤵
      PID:1284
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic
      4⤵
      PID:1488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic
      4⤵
      PID:5020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic
      4⤵
      PID:2808
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback
      4⤵
      PID:2428
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Operational
      4⤵
      PID:4580
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10/Analytic
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10_1/Analytic
      4⤵
      PID:444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Analytic
      4⤵
      PID:2520
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Logging
      4⤵
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/PerfTiming
      4⤵
      PID:4456
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/Analytic
      4⤵
      PID:5080
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/Logging
      4⤵
      PID:2412
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/PerfTiming
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D9/Analytic
      4⤵
      PID:4924
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3DShaderCache/Default
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectComposition/Diagnostic
      4⤵
      PID:968
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectManipulation/Diagnostic
      4⤵
      Clears Windows event logs
      PID:1224
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectShow-KernelSupport/Performance
      4⤵
      PID:392
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectSound/Debug
      4⤵
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Disk/Operational
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnostic/Operational
      4⤵
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
      4⤵
      PID:3432
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticResolver/Operational
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/Analytic
      4⤵
      Clears Windows event logs
      PID:3208
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/ExternalAnalytic
      4⤵
      PID:2824
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/InternalAnalytic
      4⤵
      PID:4664
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Cli/Analytic
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Debug
      4⤵
      Clears Windows event logs
      PID:1260
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Operational
      4⤵
      PID:2100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplaySwitch/Diagnostic
      4⤵
      PID:4528
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Documents/Performance
      4⤵
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dot3MM/Diagnostic
      4⤵
      PID:4504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
      4⤵
      Clears Windows event logs
      PID:5016
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DucUpdateAgent/Operational
      4⤵
      PID:4100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-API/Diagnostic
      4⤵
      PID:4024
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Core/Diagnostic
      4⤵
      Clears Windows event logs
      PID:4856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Dwm/Diagnostic
      4⤵
      PID:2224
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Redir/Diagnostic
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Udwm/Diagnostic
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Admin
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Operational
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Contention
      4⤵
      PID:4244
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Diagnostic
      4⤵
      PID:2512
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Performance
      4⤵
      PID:1292
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Power
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxpTaskSyncProvider/Analytic
      4⤵
      PID:4424
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Application-Learning/Admin
      4⤵
      Clears Windows event logs
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-Regular/Admin
      4⤵
      Clears Windows event logs
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-TCB/Admin
      4⤵
      PID:3596
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EFS/Debug
      4⤵
      PID:1208
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ESE/IODiagnose
      4⤵
      PID:4132
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ESE/Operational
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Analytic
      4⤵
      PID:3268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Debug
      4⤵
      PID:3124
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Operational
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasChap/Operational
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasTls/Operational
      4⤵
      PID:3816
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Sim/Operational
      4⤵
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Ttls/Operational
      4⤵
      PID:5080
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EaseOfAccess/Diagnostic
      4⤵
      PID:2412
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Energy-Estimation-Engine/EventLog
      4⤵
      Clears Windows event logs
      PID:4152
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Energy-Estimation-Engine/Trace
      4⤵
      PID:2136
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Debug
      4⤵
      PID:3524
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Operational
      4⤵
      PID:1704
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog-WMIProvider/Debug
      4⤵
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Analytic
      4⤵
      PID:3756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Debug
      4⤵
      PID:3020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Analytic
      4⤵
      PID:4416
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Debug
      4⤵
      PID:1856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Operational
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FailoverClustering-Client/Diagnostic
      4⤵
      PID:3780
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FeatureConfiguration/Analytic
      4⤵
      PID:3552
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FeatureConfiguration/Operational
      4⤵
      PID:1804
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Catalog/Analytic
      4⤵
      PID:4664
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Catalog/Debug
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-ConfigManager/Analytic
      4⤵
      Clears Windows event logs
      PID:1320
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-ConfigManager/Debug
      4⤵
      PID:4088
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/Analytic
      4⤵
      PID:2100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/Debug
      4⤵
      PID:4528
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/WHC
      4⤵
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/Analytic
      4⤵
      PID:1472
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/BackupLog
      4⤵
      PID:752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/Debug
      4⤵
      PID:648
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Analytic
      4⤵
      PID:3504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Debug
      4⤵
      PID:4060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Service/Analytic
      4⤵
      PID:840
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Service/Debug
      4⤵
      PID:980
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-UI-Events/Analytic
      4⤵
      PID:3196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-UI-Events/Debug
      4⤵
      Clears Windows event logs
      PID:4884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileInfoMinifilter/Operational
      4⤵
      PID:1620
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Firewall-CPL/Diagnostic
      4⤵
      PID:3876
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      Clears Windows event logs
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Debug
      4⤵
      PID:4660
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Operational
      4⤵
      PID:4136
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GPIO-ClassExtension/Analytic
      4⤵
      PID:1692
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GenericRoaming/Admin
      4⤵
      PID:4512
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GroupPolicy/Operational
      4⤵
      PID:4320
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HAL/Debug
      4⤵
      PID:3632
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Debug
      4⤵
      Clears Windows event logs
      PID:4084
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Performance
      4⤵
      PID:4808
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenterCPL/Performance
      4⤵
      Clears Windows event logs
      PID:3596
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HelloForBusiness/Operational
      4⤵
      PID:3068
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Help/Operational
      4⤵
      PID:3824
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1208
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:4132
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:3268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:3124
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HomeGroup-ListenerService
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotspotAuth/Analytic
      4⤵
      PID:3916
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotspotAuth/Operational
      4⤵
      PID:2808
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Log
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Trace
      4⤵
      PID:3816
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
      4⤵
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
      4⤵
      PID:3768
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
      4⤵
      PID:1676
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
      4⤵
      PID:3928
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Admin
      4⤵
      PID:2196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Analytic
      4⤵
      PID:3532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Operational
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
      4⤵
      Clears Windows event logs
      PID:3524
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-VID-Admin
      4⤵
      Clears Windows event logs
      PID:1904
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-VID-Analytic
      4⤵
      PID:3984
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IE-SmartScreen
      4⤵
      PID:404
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKE/Operational
      4⤵
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKEDBG/Debug
      4⤵
      PID:3432
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-Broker/Analytic
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CandidateUI/Analytic
      4⤵
      PID:3840
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CustomerFeedbackManager/Debug
      4⤵
      PID:4576
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic
      4⤵
      PID:1300
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPAPI/Analytic
      4⤵
      PID:2784
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPLMP/Analytic
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPPRED/Analytic
      4⤵
      PID:4412
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPSetting/Analytic
      4⤵
      PID:3264
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPTIP/Analytic
      4⤵
      PID:3420
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-KRAPI/Analytic
      4⤵
      PID:3788
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-KRTIP/Analytic
      4⤵
      PID:3492
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-OEDCompiler/Analytic
      4⤵
      PID:3804
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TCCORE/Analytic
      4⤵
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TCTIP/Analytic
      4⤵
      PID:3836
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TIP/Analytic
      4⤵
      PID:3516
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPNAT/Diagnostic
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPSEC-SRV/Diagnostic
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPxlatCfg/Debug
      4⤵
      PID:4568
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPxlatCfg/Operational
      4⤵
      PID:1896
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IdCtrls/Analytic
      4⤵
      PID:3168
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IdCtrls/Operational
      4⤵
      Clears Windows event logs
      PID:1124
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic
      4⤵
      Clears Windows event logs
      PID:840
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Input-HIDCLASS-Analytic
      4⤵
      PID:980
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-InputSwitch/Diagnostic
      4⤵
      PID:3196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
      4⤵
      PID:4328
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Debug
      4⤵
      Clears Windows event logs
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Operational
      4⤵
      Clears Windows event logs
      PID:1908
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Trace
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KdsSvc/Operational
      4⤵
      PID:2780
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kerberos/Operational
      4⤵
      PID:2920
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Acpi/Diagnostic
      4⤵
      PID:60
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-AppCompat/General
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-AppCompat/Performance
      4⤵
      PID:1232
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Analytic
      4⤵
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Debug
      4⤵
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Operational
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Analytic
      4⤵
      PID:3700
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Operational
      4⤵
      Clears Windows event logs
      PID:1032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic
      4⤵
      PID:3060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Disk/Analytic
      4⤵
      PID:3604
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Admin
      4⤵
      PID:1284
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Analytic
      4⤵
      PID:2364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-File/Analytic
      4⤵
      PID:5020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-IO/Operational
      4⤵
      PID:1508
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-IoTrace/Diagnostic
      4⤵
      PID:3268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-LiveDump/Analytic
      4⤵
      PID:3124
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-LiveDump/Operational
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Memory/Analytic
      4⤵
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Network/Analytic
      4⤵
      PID:444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Pdc/Diagnostic
      4⤵
      PID:3108
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Pep/Diagnostic
      4⤵
      PID:532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
      4⤵
      PID:2520
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-PnP/Configuration
      4⤵
      PID:4460
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
      4⤵
      PID:2668
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
      4⤵
      PID:2732
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2412
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
      4⤵
      PID:4980
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Diagnostic
      4⤵
      PID:1280
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Diagnostic
      4⤵
      PID:1152
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Operational
      4⤵
      PID:4152
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Prefetch/Diagnostic
      4⤵
      PID:3240
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Process/Analytic
      4⤵
      PID:2196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Processor-Power/Diagnostic
      4⤵
      PID:3532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Registry/Analytic
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Registry/Performance
      4⤵
      PID:3524
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Debug
      4⤵
      PID:1904
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Diagnostic
      4⤵
      PID:3984
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Operational
      4⤵
      PID:404
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Analytic
      4⤵
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Operational
      4⤵
      PID:3432
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Analytic
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Debug
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Operational
      4⤵
      PID:3780
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Errors
      4⤵
      PID:4316
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Operational
      4⤵
      PID:4608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-XDV/Analytic
      4⤵
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Admin
      4⤵
      Clears Windows event logs
      PID:1672
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Operational
      4⤵
      PID:1544
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Performance
      4⤵
      PID:1260
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      Clears Windows event logs
      PID:4088
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-L2NA/Diagnostic
      4⤵
      PID:4476
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LDAP-Client/Debug
      4⤵
      PID:4528
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Diagnostic
      4⤵
      PID:4628
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Operational
      4⤵
      PID:1816
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Performance
      4⤵
      PID:4504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LUA-ConsentUI/Diagnostic
      4⤵
      PID:4408
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Analytic
      4⤵
      PID:1060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Debug
      4⤵
      PID:2760
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Operational
      4⤵
      PID:4024
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LimitsManagement/Diagnostic
      4⤵
      PID:4064
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic
      4⤵
      PID:2116
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
      4⤵
      PID:4212
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LiveId/Analytic
      4⤵
      PID:4852
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LiveId/Operational
      4⤵
      PID:980
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic
      4⤵
      PID:3196
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-CLNT/Diagnostic
      4⤵
      Clears Windows event logs
      PID:4328
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-DRV/Diagnostic
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-SRV/Diagnostic
      4⤵
      PID:1908
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSFTEDIT/Diagnostic
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Admin
      4⤵
      PID:2780
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Debug
      4⤵
      PID:2920
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Diagnostic
      4⤵
      PID:60
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Admin
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Analytic
      4⤵
      Clears Windows event logs
      PID:1232
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Debug
      4⤵
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Operational
      4⤵
      Clears Windows event logs
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/DMC
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/DMR
      4⤵
      Clears Windows event logs
      PID:3684
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/MDE
      4⤵
      Clears Windows event logs
      PID:3312
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine
      4⤵
      Clears Windows event logs
      PID:4124
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter
      4⤵
      PID:4900
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader
      4⤵
      PID:4120
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/Transform
      4⤵
      PID:3332
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
      4⤵
      PID:1128
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-PlayAPI/Analytic
      4⤵
      PID:2428
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MemoryDiagnostics-Results/Debug
      4⤵
      PID:3956
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Minstore/Analytic
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Minstore/Debug
      4⤵
      Clears Windows event logs
      PID:1868
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic
      4⤵
      PID:5104
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic
      4⤵
      PID:2000
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic
      4⤵
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
      4⤵
      PID:3680
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic
      4⤵
      PID:1592
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MobilityCenter/Performance
      4⤵
      PID:3816
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
      4⤵
      PID:3448
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug
      4⤵
      PID:3768
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
      4⤵
      PID:3100
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mprddm/Operational
      4⤵
      Clears Windows event logs
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Analytic
      4⤵
      PID:4976
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Operational
      4⤵
      PID:1836
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDF-HelperClassDiscovery/Debug
      4⤵
      PID:4924
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS-PacketCapture/Diagnostic
      4⤵
      Clears Windows event logs
      PID:2356
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Diagnostic
      4⤵
      PID:4592
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Operational
      4⤵
      PID:1224
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NTLM/Operational
      4⤵
      PID:892
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NWiFi/Diagnostic
      4⤵
      PID:392
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Narrator/Diagnostic
      4⤵
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ncasvc/Operational
      4⤵
      PID:3756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NcdAutoSetup/Diagnostic
      4⤵
      PID:3984
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NcdAutoSetup/Operational
      4⤵
      PID:404
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NdisImPlatform/Operational
      4⤵
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ndu/Diagnostic
      4⤵
      Clears Windows event logs
      PID:3432
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetShell/Performance
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-Connection-Broker
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-DataUsage/Analytic
      4⤵
      PID:3780
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-Setup/Diagnostic
      4⤵
      PID:4316
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-and-Sharing-Center/Diagnostic
      4⤵
      PID:4608
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkBridge/Diagnostic
      4⤵
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkLocationWizard/Operational
      4⤵
      PID:1672
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Diagnostic
      4⤵
      PID:1544
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Operational
      4⤵
      PID:1260
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvider/Operational
      4⤵
      PID:4088
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvisioning/Analytic
      4⤵
      PID:4476
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvisioning/Operational
      4⤵
      PID:4528
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkSecurity/Debug
      4⤵
      PID:4628
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkStatus/Analytic
      4⤵
      PID:4488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Networking-Correlation/Diagnostic
      4⤵
      PID:3516
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Networking-RealTimeCommunication/Tracing
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Diagnostic
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Operational
      4⤵
      PID:4568
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/Operational
      4⤵
      PID:4060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/Performance
      4⤵
      Clears Windows event logs
      PID:3168
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/WHC
      4⤵
      PID:1124
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLE/Clipboard-Performance
      4⤵
      Clears Windows event logs
      PID:2060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Debug
      4⤵
      PID:4684
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Diagnostic
      4⤵
      PID:4296
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic
      4⤵
      PID:4884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-Core/Diagnostic
      4⤵
      PID:3408
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-DUI/Diagnostic
      4⤵
      PID:3876
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-DUI/Operational
      4⤵
      PID:2512
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic
      4⤵
      PID:3048
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OcpUpdateAgent/Operational
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Analytic
      4⤵
      PID:236
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Debug
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Operational
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/SyncLog
      4⤵
      PID:684
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneBackup/Debug
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Diagnostic
      4⤵
      PID:1264
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Operational
      4⤵
      PID:3596
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OobeLdr/Analytic
      4⤵
      PID:1096
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OtpCredentialProvider/Operational
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PCI/Diagnostic
      4⤵
      PID:3060
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Analytic
      4⤵
      PID:3824
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Debug
      4⤵
      PID:1208
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Operational
      4⤵
      PID:4132
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ParentalControls/Operational
      4⤵
      PID:4268
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Partition/Analytic
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Partition/Diagnostic
      4⤵
      PID:2532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic
      4⤵
      PID:4580
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionRuntime/Operational
      4⤵
      PID:2192
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionSensorDataService/Operational
      4⤵
      PID:2716
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Analytic
      4⤵
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Operational
      4⤵
      PID:1744
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Analytic
      4⤵
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic
      4⤵
      PID:5080
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Operational
      4⤵
      PID:4156
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Analytic
      4⤵
      PID:2396
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Certification
      4⤵
      PID:1828
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Diagnose
      4⤵
      PID:2672
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Operational
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PhotoAcq/Analytic
      4⤵
      PID:1676
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PlayToManager/Analytic
      4⤵
      PID:3928
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Policy/Analytic
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Policy/Operational
      4⤵
      PID:968
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceStatusProvider/Analytic
      4⤵
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceSyncProvider/Analytic
      4⤵
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Power-Meter-Polling/Diagnostic
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCfg/Diagnostic
      4⤵
      PID:3524
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCpl/Diagnostic
      4⤵
      PID:1904
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic
      4⤵
      PID:3028
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug
      4⤵
      PID:3884
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
      4⤵
      Clears Windows event logs
      PID:1856
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Admin
      4⤵
      PID:3096
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Analytic
      4⤵
      PID:388
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Debug
      4⤵
      PID:4576
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Operational
      4⤵
      PID:1300
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrimaryNetworkIcon/Performance
      4⤵
      PID:2784
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintBRM/Admin
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService-USBMon/Debug
      4⤵
      PID:4412
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Admin
      4⤵
      PID:3264
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Debug
      4⤵
      PID:3420
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Operational
      4⤵
      PID:3788
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Privacy-Auditing/Operational
      4⤵
      PID:672
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ProcessStateManager/Diagnostic
      4⤵
      PID:3804
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/Analytic
      4⤵
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
      4⤵
      PID:3836
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
      4⤵
      PID:4824
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
      4⤵
      PID:752
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug
      4⤵
      PID:648
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
      4⤵
      PID:2976
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Diagnostic
      4⤵
      PID:2760
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Informational
      4⤵
      PID:4024
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Performance
      4⤵
      PID:4064
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Developer/Debug
      4⤵
      PID:2224
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-InProc/Debug
      4⤵
      PID:840
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Admin
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Debug
      4⤵
      PID:980
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Operational
      4⤵
      PID:2376
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-Pacer/Diagnostic
      4⤵
      PID:4244
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-qWAVE/Debug
      4⤵
      PID:3864
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC-Proxy/Debug
      4⤵
      Clears Windows event logs
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC/Debug
      4⤵
      PID:4660

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:1528

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:4872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1476
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1476 -s 3940
  2⤵
  - Program crash
  PID:1260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1476 -ip 1476
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2044 -s 4360
  2⤵
  - Program crash
  PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 2044 -ip 2044
1⤵
PID:448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3324
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3324 -s 4220
  2⤵
  - Program crash
  PID:2356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3324 -ip 3324
1⤵
PID:1320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:60
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 60 -s 4344
  2⤵
  - Program crash
  PID:3856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 60 -ip 60
1⤵
PID:2804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3836 -s 4404
  2⤵
  - Program crash
  PID:528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 3836 -ip 3836
1⤵
PID:4132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NU6PCZ4Z\microsoft.windows[1].xml

Filesize
97B

MD5
7fd408ae1eb30bf5847a61a06b120326

SHA1
543506da7fd9bb0a7f0cd36941d1e10dcbaa2819

SHA256
8ce67c822a2267ea2ffb53d534152ce6e25ae5fb29faa84c249dd1388371c53e

SHA512
6284bc971ce0c74f88890153b880d701d0ca9783655a28bfb85a2d20e8fabc1b28ebf6fb4beddb540c053d43e9b83f2ecb9cdcaa83df91e0ed7cc3ce1b7f15e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\settings.csg

Filesize
454B

MD5
411d53fc8e09fb59163f038ee9257141

SHA1
cb67574c7872f684e586b438d55cab7144b5303d

SHA256
1844105bb927dbc405685d3bf5546be47fa2fc5846b763c9f2ba2b613ec6bc48

SHA512
67b342c434d8f3a8b9e9ac8a4cbd4c3ef83ddfc450fe7e6ad6f375dba9c8a4977a15a08b49f5ad7644fbde092396e6da08865aa54d399836e5444cb177a33444

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\settings.schema

Filesize
162B

MD5
ac68ac6bffd26dbea6b7dbd00a19a3dd

SHA1
a3d70e56249db0b4cc92ba0d1fc46feb540bc83f

SHA256
d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031

SHA512
6c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\settingsconversions.txt

Filesize
520KB

MD5
721134982ff8900b0e68a9c5f6f71668

SHA1
fca3e3eb8f49dd8376954b499c20a7b7cad6b0f1

SHA256
2541db95c321472c4cb91864cdfa2f1ed0f0069ac7f9cec86e10822283985c13

SHA512
5d1c305b938e52a82216b3d0cee0eead2dc793fac35da288061942b2bd281fb48c7bd18f5fdaa93a88aa42c88b2a0cce1f0513effb193782670d46164d277a59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\settingsglobals.txt

Filesize
43KB

MD5
bbeadc734ad391f67be0c31d5b9cbf7b

SHA1
8fd5391c482bfbca429aec17da69b2ca00ed81ae

SHA256
218042bc243a1426dd018d484f9122662dba2c44a0594c37ffb3b3d1d0fb454a

SHA512
a046600c7ad6c30b003a1ac33841913d7d316606f636c747a0989425697457b4bc78da6607edd4b8510bd4e9b86011b5bd108a5590a2ba722d44e51633ed784f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a1f06a57-e48c-45b8-8615-a2fe380da2bd}\settingssynonyms.txt

Filesize
101KB

MD5
003ece80b3820c43eb83878928b8469d

SHA1
790af92ff0eb53a926412e16113c5d35421c0f42

SHA256
12d00eee26e5f261931e51cfa56e04c54405eb32d1c4b440e35bd2b48d5fcf07

SHA512
b2d6d9b843124f5e8e06a35a89e34228af9e05cbfa2ae1fe3d9bc4ddbebda4d279ce52a99066f2148817a498950e37a7f0b73fe477c0c6c39c7016aa647079a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e6866ff0-20e0-4211-8d66-4a9d4e6e8d6a}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{e6866ff0-20e0-4211-8d66-4a9d4e6e8d6a}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133354386142886047.txt

Filesize
61KB

MD5
4b1cd81d7da10f56290d567fadb8cfaa

SHA1
d5f101c2b3ebc70a20d1d5faca4eff2d538aa56c

SHA256
5bed707bf6ff8a004b7b91004d63e3c934900c3b8a3986ae94babd67b8bec012

SHA512
87c53fa81869133a962683014fab76af04970e43f0ce2fdfbd0377f50019d5de1dc0c3c5c4f16c70e2dd38159e82323cebe3c65cfdeff890b2c93833b4a277fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
104KB

MD5
2181929d6a3b4bec0db4b936ab6a3740

SHA1
b314f6c270adc002270dc772bb452c672ef27ed5

SHA256
1e03fa913796c9dcd2f6e6b7d8231f27b08c6d0831a18954e62743873760f029

SHA512
e2ddb445763145561f1618eca50125b41dfff82706ae38e6eb72cb35b22242b1f585b9658b2e7622dff7724abe11a8ad5578d24fb3eaae3a7c29ecdd5a6094dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json.~tmp

Filesize
102KB

MD5
819403c10bcf9a997baf0ef45b68e774

SHA1
5e4416087b9c217386445b879ae39b4041b757c2

SHA256
73157b60c7dba7a6505006c6880d24d4dc2e42204e48f634dbc3310cceceb7bc

SHA512
2fd325b960b55d950224594aaafa94ca63c689ba27a56fec78d4a202fa389d77c1c5a3ea4b9d21a181906d3f5b494360826e999445468e5823955f933467a208

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
8KB

MD5
119129a638e8cd2a4c217435fbb893e1

SHA1
1a98bbffd838a9a9e48ec8124c3b0521ac52cbb7

SHA256
6bd7e82aec58a3b827f71197bb524f21f99f1103b2474da810207aea0228ac8c

SHA512
342826e65931fb6998982a33594ff8dc2098a4ca543531b29933b2d9b5b34c2ef6f89b8439c41e1f3e9cb4b47479ed1f5de5a9ede4ebe4d3bab4835485af0859

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
9fae73c8169f3d0a49c29d5dfb5e00bd

SHA1
7e525cfdbabb136076ed5918da7d1c86d50bbbc3

SHA256
b96c9acf6412c695bd756a614f7a4a3b0830bfb9b4ec0a969d21e445175f499b

SHA512
10afa60d4ab3af6701edb2427bca377744a8ab822d3942ebbeb56c65d1d8b799386d31fb0281286282ad1d1ccf9d40ed9a40a5ecf08e0f99aef791c6482ac051

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
5c4c21300d6c97ef990c35c9652ac624

SHA1
1834fa062a9dbfcc8c5025b0b5ecc9ec4ae781e6

SHA256
7a8d29a8f2cfac249848dd0871ad226b0b2c478931b6a5b4978aa97de347ac31

SHA512
d1f8ef5f194903197664f7e691f772d0b9739c77d7a42dc53b345efb56775927f2d5d643f1a24b28268a7b01e5fd3b6df124b9a65a924dde9bc4c89a44475bd3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
404B

MD5
5c4c21300d6c97ef990c35c9652ac624

SHA1
1834fa062a9dbfcc8c5025b0b5ecc9ec4ae781e6

SHA256
7a8d29a8f2cfac249848dd0871ad226b0b2c478931b6a5b4978aa97de347ac31

SHA512
d1f8ef5f194903197664f7e691f772d0b9739c77d7a42dc53b345efb56775927f2d5d643f1a24b28268a7b01e5fd3b6df124b9a65a924dde9bc4c89a44475bd3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NU6PCZ4Z\microsoft.windows[1].xml

Filesize
97B

MD5
7fd408ae1eb30bf5847a61a06b120326

SHA1
543506da7fd9bb0a7f0cd36941d1e10dcbaa2819

SHA256
8ce67c822a2267ea2ffb53d534152ce6e25ae5fb29faa84c249dd1388371c53e

SHA512
6284bc971ce0c74f88890153b880d701d0ca9783655a28bfb85a2d20e8fabc1b28ebf6fb4beddb540c053d43e9b83f2ecb9cdcaa83df91e0ed7cc3ce1b7f15e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NU6PCZ4Z\microsoft.windows[1].xml

Filesize
97B

MD5
7fd408ae1eb30bf5847a61a06b120326

SHA1
543506da7fd9bb0a7f0cd36941d1e10dcbaa2819

SHA256
8ce67c822a2267ea2ffb53d534152ce6e25ae5fb29faa84c249dd1388371c53e

SHA512
6284bc971ce0c74f88890153b880d701d0ca9783655a28bfb85a2d20e8fabc1b28ebf6fb4beddb540c053d43e9b83f2ecb9cdcaa83df91e0ed7cc3ce1b7f15e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NU6PCZ4Z\microsoft.windows[1].xml

Filesize
97B

MD5
7fd408ae1eb30bf5847a61a06b120326

SHA1
543506da7fd9bb0a7f0cd36941d1e10dcbaa2819

SHA256
8ce67c822a2267ea2ffb53d534152ce6e25ae5fb29faa84c249dd1388371c53e

SHA512
6284bc971ce0c74f88890153b880d701d0ca9783655a28bfb85a2d20e8fabc1b28ebf6fb4beddb540c053d43e9b83f2ecb9cdcaa83df91e0ed7cc3ce1b7f15e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NU6PCZ4Z\microsoft.windows[1].xml

Filesize
97B

MD5
7fd408ae1eb30bf5847a61a06b120326

SHA1
543506da7fd9bb0a7f0cd36941d1e10dcbaa2819

SHA256
8ce67c822a2267ea2ffb53d534152ce6e25ae5fb29faa84c249dd1388371c53e

SHA512
6284bc971ce0c74f88890153b880d701d0ca9783655a28bfb85a2d20e8fabc1b28ebf6fb4beddb540c053d43e9b83f2ecb9cdcaa83df91e0ed7cc3ce1b7f15e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlwzepr3.xy1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Log.cmd

Filesize
60B

MD5
6a2f870841e0126632f5b9bf0d000d6a

SHA1
51689e26641f0eb054cd90553a21a472a2e79148

SHA256
4bcbb565ad2fd05a4fc458cd68254853cbcbf5749beffccb2b1e22b8a53ecb2f

SHA512
de089c5d2dd691c64e38bdc82a2a5266e65cf8f9fc40e2d60ecded7a775922ae5100cc406f09346fbaf402fc1fe3074ca29ecd64119f7c490381aee72780bdb0

Download Submit
memory/1476-226-0x0000019BC4B20000-0x0000019BC4B40000-memory.dmp

Filesize
128KB

Download
memory/1476-233-0x0000019BC4E70000-0x0000019BC4E90000-memory.dmp

Filesize
128KB

Download
memory/1476-231-0x0000019BC4AE0000-0x0000019BC4B00000-memory.dmp

Filesize
128KB

Download
memory/3688-197-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-193-0x00000157A1E70000-0x00000157A1E71000-memory.dmp

Filesize
4KB

Download
memory/3688-211-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-212-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-213-0x00000157A1EA0000-0x00000157A1EA1000-memory.dmp

Filesize
4KB

Download
memory/3688-214-0x00000157A1EA0000-0x00000157A1EA1000-memory.dmp

Filesize
4KB

Download
memory/3688-215-0x00000157A1FB0000-0x00000157A1FB1000-memory.dmp

Filesize
4KB

Download
memory/3688-216-0x00000157A1F00000-0x00000157A1F01000-memory.dmp

Filesize
4KB

Download
memory/3688-217-0x00000157A1F00000-0x00000157A1F01000-memory.dmp

Filesize
4KB

Download
memory/3688-209-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-208-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-207-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-206-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-152-0x0000015799A40000-0x0000015799A50000-memory.dmp

Filesize
64KB

Download
memory/3688-168-0x0000015799B40000-0x0000015799B50000-memory.dmp

Filesize
64KB

Download
memory/3688-187-0x00000157A1D20000-0x00000157A1D21000-memory.dmp

Filesize
4KB

Download
memory/3688-205-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-204-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-203-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-189-0x00000157A1E60000-0x00000157A1E61000-memory.dmp

Filesize
4KB

Download
memory/3688-202-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-201-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-200-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-199-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-198-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-196-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-195-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-194-0x00000157A1E70000-0x00000157A1E71000-memory.dmp

Filesize
4KB

Download
memory/3688-210-0x00000157A1E90000-0x00000157A1E91000-memory.dmp

Filesize
4KB

Download
memory/3688-192-0x00000157A1E70000-0x00000157A1E71000-memory.dmp

Filesize
4KB

Download
memory/3688-191-0x00000157A1E60000-0x00000157A1E61000-memory.dmp

Filesize
4KB

Download
memory/4984-282-0x000001C4D81D0000-0x000001C4D81E0000-memory.dmp

Filesize
64KB

Download
memory/4984-250-0x000001C4D81D0000-0x000001C4D81E0000-memory.dmp

Filesize
64KB

Download
memory/4984-249-0x000001C4D81D0000-0x000001C4D81E0000-memory.dmp

Filesize
64KB

Download
memory/4984-248-0x00007FFAFED20000-0x00007FFAFF7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-150-0x000001C4D81D0000-0x000001C4D81E0000-memory.dmp

Filesize
64KB

Download
memory/4984-151-0x000001C4D81D0000-0x000001C4D81E0000-memory.dmp

Filesize
64KB

Download
memory/4984-149-0x00007FFAFED20000-0x00007FFAFF7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-139-0x000001C4D8300000-0x000001C4D8322000-memory.dmp

Filesize
136KB

Download