hxxps://drive[.]google[.]com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF

Analysis

max time kernel
224s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF

Score

9^/10

discovery evasion persistence privilege_escalation ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
5520	wevtutil.exe
5080	wevtutil.exe
1804	wevtutil.exe
5928	wevtutil.exe
3756	wevtutil.exe
4036	wevtutil.exe
5256	wevtutil.exe
4196	wevtutil.exe
3768	wevtutil.exe
4536	wevtutil.exe
4892	wevtutil.exe
6132	wevtutil.exe
2268	wevtutil.exe
2864	wevtutil.exe
6028	wevtutil.exe
3672	wevtutil.exe
5776	wevtutil.exe
3076	wevtutil.exe
2964	wevtutil.exe
3508	wevtutil.exe
5760	wevtutil.exe
4532	wevtutil.exe
2256	wevtutil.exe
4360	wevtutil.exe
3288	wevtutil.exe
4364	wevtutil.exe
5160	wevtutil.exe
3228	wevtutil.exe
2348	wevtutil.exe
4376	wevtutil.exe
3052	wevtutil.exe
2728	wevtutil.exe
6064	wevtutil.exe
376	wevtutil.exe
3640	wevtutil.exe
3764	wevtutil.exe
3580	wevtutil.exe
2564	wevtutil.exe
2192	wevtutil.exe
1904	wevtutil.exe
2136	wevtutil.exe
5620	wevtutil.exe
5068	wevtutil.exe
4148	wevtutil.exe
5192	wevtutil.exe
5140	wevtutil.exe
6028	wevtutil.exe
5624	wevtutil.exe
3452	wevtutil.exe
5032	wevtutil.exe
1008	wevtutil.exe
1236	wevtutil.exe
4148	wevtutil.exe
4040	wevtutil.exe
5368	wevtutil.exe
5644	wevtutil.exe
3148	wevtutil.exe
5844	wevtutil.exe
4892	wevtutil.exe
4964	wevtutil.exe
5240	wevtutil.exe
916	wevtutil.exe
5972	wevtutil.exe
3916	wevtutil.exe

Modifies boot configuration data using bcdedit 18 IoCs

pid	Process
5624	bcdedit.exe
1068	bcdedit.exe
2228	bcdedit.exe
3760	bcdedit.exe
5956	bcdedit.exe
3560	bcdedit.exe
5756	bcdedit.exe
5824	bcdedit.exe
5932	bcdedit.exe
452	bcdedit.exe
4964	bcdedit.exe
3672	bcdedit.exe
3820	bcdedit.exe
6104	bcdedit.exe
5868	bcdedit.exe
4536	bcdedit.exe
5520	bcdedit.exe
4440	bcdedit.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4504	netsh.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
7	drive.google.com
8	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4484	reg.exe
5680	NOTEPAD.EXE
5656	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3764	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5936	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkProxy\WAPNodeProcessor = "{FB11047A-4051-4d1d-9DCA-C80C5DF98D70}"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1403246978-718555486-3105247137-1000\{FB1A7CBB-C17A-4B2B-90D8-43DC8C90BB9A}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Downloads"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "10"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\NodeSlot = "17"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "13"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\NodeSlot = "14"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe

Runs .reg file with regedit 11 IoCs

pid	Process
5468	regedit.exe
3516	regedit.exe
6008	regedit.exe
784	regedit.exe
1444	regedit.exe
3316	regedit.exe
1880	regedit.exe
6048	regedit.exe
5772	regedit.exe
6004	regedit.exe
2464	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1468	explorer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2376	msedge.exe
2376	msedge.exe
692	msedge.exe
692	msedge.exe
2876	identity_helper.exe
2876	identity_helper.exe
2124	msedge.exe
2124	msedge.exe
5908	msedge.exe
5908	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1468	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3796	7zG.exe
Token: 35	3796	7zG.exe
Token: SeSecurityPrivilege	3796	7zG.exe
Token: SeSecurityPrivilege	3796	7zG.exe
Token: SeRestorePrivilege	6132	7zG.exe
Token: 35	6132	7zG.exe
Token: SeSecurityPrivilege	6132	7zG.exe
Token: SeSecurityPrivilege	6132	7zG.exe
Token: SeDebugPrivilege	5936	taskkill.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	6104	explorer.exe
Token: SeCreatePagefilePrivilege	6104	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	2408	explorer.exe
Token: SeCreatePagefilePrivilege	2408	explorer.exe
Token: SeShutdownPrivilege	5668	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
3796	7zG.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
6132	7zG.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
6104	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe
5668	explorer.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
5316	StartMenuExperienceHost.exe
5856	StartMenuExperienceHost.exe
5448	StartMenuExperienceHost.exe
5564	SearchApp.exe
452	StartMenuExperienceHost.exe
3560	SearchApp.exe
4624	StartMenuExperienceHost.exe
4136	SearchApp.exe
4560	StartMenuExperienceHost.exe
5336	SearchApp.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 3576	692	msedge.exe	85
PID 692 wrote to memory of 3576	692	msedge.exe	85
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 3852	692	msedge.exe	88
PID 692 wrote to memory of 2376	692	msedge.exe	89
PID 692 wrote to memory of 2376	692	msedge.exe	89
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90
PID 692 wrote to memory of 1048	692	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7fe246f8,0x7ffb7fe24708,0x7ffb7fe24718
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,1806101210724045733,5637027946924654842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3284

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\1._INTERNET_OPTIMIZATION-20240724T140244Z-001\" -spe -an -ai#7zMap8961:152:7zEvent6811
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\" -spe -an -ai#7zMap1692:122:7zEvent32291
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6132

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Network Speed.reg"
1⤵
PID:3628

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Network Speed.reg"
1⤵
- Modifies registry class
- Runs .reg file with regedit
PID:1880

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Decrease Ping.bat
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Decrease Ping.bat"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5656
- C:\Windows\system32\reg.exe
  REG ADD HKey_Local_Machine\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ /v TcpAckFrequency /t REG_DWORD /d 0 /f
  2⤵
  PID:424
- C:\Windows\system32\reg.exe
  REG ADD HKey_Local_Machine\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ /v TCPNoDelay /t REG_DWORD /d 0 /f
  2⤵
  PID:5968
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5564

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3560

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1468
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable Background Apps.reg"
  2⤵
  - Runs .reg file with regedit
  PID:5468
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable Network Throttling Index.reg"
  2⤵
  - Runs .reg file with regedit
  PID:3516
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable OneDrive Network Sync.reg"
  2⤵
  - Runs .reg file with regedit
  PID:6048
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable USB 3 Link Power Savings.reg"
  2⤵
  - Runs .reg file with regedit
  PID:6008
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\DisableNetBT.reg"
  2⤵
  - Runs .reg file with regedit
  PID:5772
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Network Speed.reg"
  2⤵
  - Runs .reg file with regedit
  PID:2464
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\OPTIONAL Disable Xbox Services.reg"
  2⤵
  - Runs .reg file with regedit
  PID:784
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Reinforce Network Priorities.reg"
  2⤵
  - Runs .reg file with regedit
  PID:1444
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\vynla_low_ping.reg"
  2⤵
  - Runs .reg file with regedit
  PID:6004
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Diagnostics Services.reg"
  2⤵
  - Runs .reg file with regedit
  PID:3316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\bcd net.bat"
  2⤵
  PID:3972
- - C:\Windows\system32\bcdedit.exe
    bcdedit /deletevalue useplatformclock
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5624
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set disabledynamictick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3760
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set useplatformtick Yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5956
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set disabledynamictick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5756
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set tpmbootentropy ForceDisable
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5824
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5932
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set quietboot yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:452
- - C:\Windows\system32\bcdedit.exe
    bcdedit /timeout 0
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4964
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set bootux disabled
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3672
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set bootmenupolicy legacy
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3820
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set allowedinmemorysettings 0x0
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:6104
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set isolatedcontext No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5868
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {globalsettings} custom:16000067 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4536
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {globalsettings} custom:16000069 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5520
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {globalsettings} custom:16000068 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Cache Cleaner.bat"
  2⤵
  PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      PID:2532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AMSI/Debug"
    3⤵
    PID:5592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:2844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Clears Windows event logs
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:5380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    - Clears Windows event logs
    PID:5192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    PID:5332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:5100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    PID:636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    PID:4024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    PID:4368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    PID:4396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    PID:4256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    PID:5776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:5620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
    3⤵
    PID:5860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationFrameServer"
    3⤵
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    PID:5784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    PID:1276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    PID:3488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMP4"
    3⤵
    PID:3112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    PID:5004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    PID:5492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:3344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    - Clears Windows event logs
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:5188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:5872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:5820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    - Clears Windows event logs
    PID:3916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:2156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:4052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:4732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:5476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:5508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:4936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:2952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    - Clears Windows event logs
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:5368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    - Clears Windows event logs
    PID:3452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:5136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:2196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:3428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:5268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:4496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:6068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:3764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:5284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:2536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:2228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:3760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:1524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:2400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:3852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:3268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:5712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:5288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    - Clears Windows event logs
    PID:4036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:4836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:3812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:3820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:3708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:5888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:3752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    - Clears Windows event logs
    PID:5256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:2656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    - Clears Windows event logs
    PID:5520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    - Clears Windows event logs
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:4772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:5944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:5448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:5596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:4164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:1052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:5408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:5864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:4128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:5936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:5572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    - Clears Windows event logs
    PID:376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:6080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:5248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:4720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:4396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:4256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:1172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:5512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:5024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:3804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:5328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    - Clears Windows event logs
    PID:5140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    - Clears Windows event logs
    PID:5760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:3084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:4820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:4148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:5296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    - Clears Windows event logs
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:1120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:5540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:4976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:4624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:3420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:3232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:5496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    - Clears Windows event logs
    PID:6028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    - Clears Windows event logs
    PID:5160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:6132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:5848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:5564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:3768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:3140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    - Clears Windows event logs
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:4936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:2952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:3452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:5136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:2196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:3788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:1492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:3540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:5640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:4908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:5396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:5456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:6124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:5184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:5948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:5224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:3816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:5916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:3980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:3480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:5756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:6052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:3940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:4316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:3976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    - Clears Windows event logs
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:5868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:3900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    - Clears Windows event logs
    PID:3228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:2872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:1008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:5420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:3928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:6088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:5324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    - Clears Windows event logs
    PID:2348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:3676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:5040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:3064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:5904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:5648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:1152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:1236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:2136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    - Clears Windows event logs
    PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:4072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    - Clears Windows event logs
    PID:5776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    - Clears Windows event logs
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:5620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:5860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    - Clears Windows event logs
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:5784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    - Clears Windows event logs
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:5480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:3488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:5228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:4568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:5492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:5816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:5280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:3344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:3216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:5992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:5496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:6028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    - Clears Windows event logs
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:5160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:6132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:5848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:5564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    - Clears Windows event logs
    PID:3768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:3140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    - Clears Windows event logs
    PID:2256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:1084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:5156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:5360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    - Clears Windows event logs
    PID:4364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:5320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:3052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:2848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:5676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:5856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:5276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:2016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:6116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    - Clears Windows event logs
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:4716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:5524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    - Clears Windows event logs
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    - Clears Windows event logs
    PID:5844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
    3⤵
    PID:1488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:5964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:3008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    PID:3280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:5216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:5428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:3560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:3268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:5712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:5288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:4036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:4836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:3812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:3820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:3708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:5888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:3752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:5256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:5728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:3228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:2872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:5420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:3928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:6088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:5324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:2348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:3676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:5040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:3064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    PID:5904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:5648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:1152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    - Clears Windows event logs
    PID:1236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:4596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:5776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    - Clears Windows event logs
    PID:5620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:5860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:5784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:5480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:3032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:5816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:5280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:3344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    - Clears Windows event logs
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    - Clears Windows event logs
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:3216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:5820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:3916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:6096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:3600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:5920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    PID:4088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:5472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:5200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:3140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:2256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    PID:1084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:5156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:5360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:4364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:5136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:2196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:3788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:1492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:1356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:5724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:3468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:5180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:4516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    - Clears Windows event logs
    PID:916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:6068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:2228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:3272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:3852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:6052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:3940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:4316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    PID:3672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:3288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:5868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:3900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:4060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
    3⤵
    PID:4440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
    3⤵
    PID:2432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:4276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:5688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:5940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:5596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    - Clears Windows event logs
    PID:5240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:5408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:2972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:4128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:5192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:5100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:6080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:4024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:3688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:5552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:3432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:3092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:4488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:3964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:3804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:5720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:1548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:1512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:1852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:1276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:3488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:5480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    - Clears Windows event logs
    PID:4148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:3032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    - Clears Windows event logs
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:5816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    - Clears Windows event logs
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:5280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    - Clears Windows event logs
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:3344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:3216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:5820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:2156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:5160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:6132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:5848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:5564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:3768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    - Clears Windows event logs
    PID:3508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:3888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:2952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:1948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:6056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    PID:5320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    - Clears Windows event logs
    PID:3052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:2848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:3848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\DNS Cache Clear.cmd"
  2⤵
  PID:2356
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:3764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Latency_BCD_Tweaks.cmd"
  2⤵
  PID:2388
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set disabledynamictick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1068
- - C:\Windows\system32\bcdedit.exe
    bcdedit /deletevalue useplatformclock
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2228
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set useplatformtick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Network Settings.BAT"
  2⤵
  PID:5512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "Class" /t REG_DWORD /d "8" /f
    3⤵
    PID:4512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
    3⤵
    PID:3816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
    3⤵
    PID:1696
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
    3⤵
    PID:5428
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
    3⤵
    PID:5288
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
    3⤵
    PID:604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NetBT" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2948
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Local Port" /t REG_SZ /d "*" /f
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Protocol" /t REG_SZ /d "UDP" /f
    3⤵
    PID:1056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Remote IP" /t REG_SZ /d "*" /f
    3⤵
    PID:5344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Remote IP Prefix Length" /t REG_SZ /d "*" /f
    3⤵
    PID:5884
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Remote Port" /t REG_SZ /d "*" /f
    3⤵
    PID:3564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "throttle Rate" /t REG_SZ /d "-1" /f
    3⤵
    PID:3956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "version" /t REG_SZ /d "1.0" /f
    3⤵
    PID:3288
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Application Name" /t REG_SZ /d "fortniteclient-win64-shipping.exe" /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4484
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "DSCP value" /t REG_SZ /d "46" /f
    3⤵
    PID:3900
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Local IP" /t REG_SZ /d "*" /f
    3⤵
    PID:4284
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SoftWARE\Policies\Microsoft\Windows\QoS\Fortnite" /v "Local IP Prefix Length" /t REG_SZ /d "*" /f
    3⤵
    PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Stop Network Throttling Command.bat"
  2⤵
  PID:5152
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="StopThrottling" dir=in action=block remoteip=173.194.55.0/24,206.111.0.0/16 enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
94351cb105884b824e9778d0dded1c64

SHA1
f950bfaf7329f27b9a8d08c6b7aa511e151cc852

SHA256
b67fd799051ec989f549f50ebe37d5eb7a81ad311e0017806d93a138eb4525ef

SHA512
fdf20b838cb3300c4da8f5cf7f934d4dcc4ccf6f55310d584e3478075e1ad8c6de3496da14256c45158691f490141b30c43680f14312e89251b0440cdcccef28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
c0cfdafb1126d7373a97f33783fb5090

SHA1
69d7c415a1ed55308b1947d9b60112820cdcd145

SHA256
4b8aaf370fd0acf809c939974dea69cd524e2edce5df7a6e93b5d457f8af743a

SHA512
f5f84a5685a16af11d6f1ce78c8f50c9fd69c1c328453053848e244e4385a7959c1f7332f515beb43ab5a92dece3413192be9cea4d178c28cb93f01cb03894d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\22a636ef-a51a-4d1e-8946-259088d0465f.tmp

Filesize
11KB

MD5
f119d37216238737b0ef77b4e39697f6

SHA1
2102a60e5ae721868c375daf6e6dcec1c7f28f42

SHA256
c018ec208d933da7a82a230253fd80fdc3ad65bb02a9201a207109419e6b7bb0

SHA512
aebf7bb7a752e87fa2ef1f07514c05a629f0b470bb4de2f1bf3b39c0f6a62eaf92ab131b68bec02b5477d79997aecd8f044ad4023abfe726022f0867fc7b1477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ba72c8d-d438-4d52-abf5-c864bd1c74b3.tmp

Filesize
3KB

MD5
57b8267fe822416f737334e87402a3a1

SHA1
1e18deb502a4ea6759afe8be0f83382dd8c263a8

SHA256
0035a68fbea1ac8d0fca1fb39ca174e98318745e6e2b3955b041914318f2db3c

SHA512
944ef4bc6983e2291d22c363b3ace2a4d3f8a10f75491fd7e332b6f2a81fb63983646e7b56b6489ed302df912b450391432ea4835dd51be2e96a97faa003eb01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
42558bbf9ad86bda15f9916b96fffbb9

SHA1
43a1aae955b88ef466c80adbb21c42ec6bfbcb96

SHA256
2402157ee0cc700bc1343b15e8061061021788feab28ba19a0d1ec178b18fdb3

SHA512
90176e375c46de845f4b23f3e0a7d91004deb902f3006913195b31bde3f051284870e1838dbe63413223929023ce82f3c8f5d3f002ad2fb0afdd0f4d18cb467d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
24cf5ac329bba419c9faf78cf5720e52

SHA1
fd03cb4a93de36d31a3c08056e528cb659c72e07

SHA256
2f8df8b2e01c8fb3616104ddc93666dfd413c488bfa4ac76aaf4da2b3f87c851

SHA512
93d637082dfa4c352ddcadd0ac8dcccfd79cb7401beee26cf08a6be955226043d05f51cfab107af30e4420be26579becf6c7440709c51286ba788fd5ccea8140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9407664aa4b7ff03da780c388cf4d45a

SHA1
6e80cd0f1d381f9ac33815d461f4aa881f1f7814

SHA256
48b547a91e35131f0e84116400cced525f3f80b882265d931e80ab436e3432fc

SHA512
4542ca5d56c75eef7ae672fb1b8b27ceb1fe2253488f432560dd73c2de6cdda10f4000dfa968db8edd482917b29f0a8ca687858f2096909eca0211ec7b8ba232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ea2d3cb35afa725d5af4a2d871d9e9f5

SHA1
083db710ac7596145974a78ef754e6055e3245c3

SHA256
4f8a112f598f827d52ebd414a81997d5ee8e45fe8a04a9075938349a6239e706

SHA512
35835b7f4d4fb53ce83fea1cec21106e5869a54ecf3cd0bb4750828bca892d219bbcdce1a21339e58073c82f198e679356a115643e07c7fd895db3ef0c3da5b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c998987c4a38ed6bea0c0460436137c1

SHA1
ee6ecfdee21d012bb7c2518ef8dfaf5764382650

SHA256
916e29492bb8b28aa85d80ffdcba9412fd52fac0cea37d4eeb9d601d5887aa37

SHA512
53bb8a9e7a617cc765c221e8ab579675fbe48576bc0fce6314c2bf77d3bb06e9df22ce911d62396b6870ca0a74fc3b32e542c614bcf9db2fb6afd28adf971c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0e8653d77b85d458398bdc204e4a733

SHA1
c973e75bb113cf876ea9ab70e381dedd199586d3

SHA256
b224459e0524d38728e0d4ccce36c3e7650d23723e12130cb7ceb7563a3bf16e

SHA512
4126338deceaf66890ffa8fb57860d8a09008419e44fe16e0eca664b823be2a7739aa1aaa9bdaafbb79e33a3f4782caa61087d0526f66ec5f766608a3f2a8b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
760f5da267e3dfb9cece4f1df2356440

SHA1
ee4e940361bd07c48497177e1c4ec281650f5176

SHA256
76490cd092940d0c0e7b2de462d7e9327adedce0ba2f3c51f45dfcd06723dfb2

SHA512
7a9deea10945e3a364b87618ad4cda728b1325bb55ece840e91bbca423ae33bdad9681bed46cfb86da077dfd503e366b8499402e59c215d9181b4eb02c45218c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2882da89596c022054a0068f465d752

SHA1
9e321f05f5e8820b0aac86c6e6f0199576b969e0

SHA256
e68153b1281c8751e12b676122ad97036ce18290dd376ec162f9187388995845

SHA512
e6b07fbfc6710172cb7b16f477886f91693c65015de38dd341bd56919852544e1077079360e0db854c4c31163c0e776d7959eb42f026e605892077388d0860f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dd5c87617f0db9a2271e00c5c93aca5e

SHA1
510d5ac455f68182ffa2411a0da1ed51f7a7c90d

SHA256
9be190a06b99b9a17a3729d4a0e7e373fd021f9b48fd8f83984df4f809fe0aee

SHA512
e435b6e65891199179a84a19e769fecf35c377b59ad38e89bfb1cca8ee5c650fbf94f04f936298db41d69339d72550e1af5ba048dc32503e9e26bf214e4cc0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae3aecf483717bf9c62488955f699d91

SHA1
0825cf5d9282cc3c25805af1903450d041b8ca0d

SHA256
a10de51544f5dccea37c09ed46b63c7d4edd1aa0498aae9e36145a05ed4db31b

SHA512
b0fbd39f38367fa8648c3795900bddf6682b648627dd1c663898e5609ee3f4b38b3e50782a3b33a40f85955ad822fb5eb2e5c528dad9d48eed5fd0f96bd4b9fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f007fddd0e83bb4d839b3749769d4bc

SHA1
03bda7497a47fe843e03dcf8b84512d079ea08e5

SHA256
b6c99ce38596df924e1985ce704b97b0078d42112819c6ec91cea5e458333cc3

SHA512
00368a790e454002491c8e10fd48c485ee636642ee07b63aa8ac4120c0a66861d7882bc835a49106bbf030986f18646b3a29a8dd8f72eb96a19e6366c428529e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e767c04710000a2fcdd5172b8edb07d

SHA1
1b49881cb3af38a6b13cde774f06b92a5d6cbea9

SHA256
7ed1dfa9ff894feebf69d346ccecbcef427357d0de318d03cb64acdbe8956242

SHA512
c3001daf5fef5785240137255e0e9ad608e305fb0382686acb11334df480839daf5b17f52c67d10bde71342ee7e561331d3d1071e4d6bd62abbe9d8fce04c68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6d73e42b2258f44ccfe799f42fac686d

SHA1
64b065c49f83faf4284c6b24b282058a5e3fd514

SHA256
d9c1560fd3dee5f43e8b3e92ed7105a8f02c7b789568af52241d6e584cc79953

SHA512
100442ec3f7ee32a4bda6eae0086ab00e78f17541e21a3d31fbfea752190dc9639b22882378bd897127005ab10e935474420459bca295e585d17680f7fc6e160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4fc115643a79ade3f2cc64e44f8f8488

SHA1
3ae811b285005a0864a561996c8e800580a568e7

SHA256
15f0c62b1d8864436134f8f0eb64a68f6bac94c795dc621aadc4ab4f9df71fff

SHA512
fb2ef9f8e0f2b02b76ca4a31059fe88f1ccd4a29db04e806b896c394c93dfd414a93826dbc6ce58242a7456f7c95093810145092a61af268146659d2a9d8902e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e65897cfeb526e77561c6a1f9906dd28

SHA1
7f00cfba44069e2daad0c39ba687af36b665a9b5

SHA256
368e81f129df8a0bbf802c1b4bea02b8af155e1ad1e101177da270fd9ff1fd8e

SHA512
50bda669c71f342cf63eac84f42348cc1534b7ac45eb5fa02b7c2e4a522dfc96018941170977d9ee035022f9df36ce71dc661706e1a8038373d151e722ca1af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5849a6.TMP

Filesize
1KB

MD5
0da1bc2090fac80196ce4d133b396ffd

SHA1
d021fc11e7d6be0fd3713c3a43c703b4a1f28e42

SHA256
cbff7819f198e9f9228bce32e015b4e311f047db3644b4cda891cddf512d169c

SHA512
7490a01e8ac13458912492f6e24df069a6ef6b8df29268f85b789da1a1ab060a244e9bd3defef5b7218be7f81357111442765d4df77f1e12826533531fa6b421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b62a8f7b84aef701e7754d8489824939

SHA1
5d910e7dcadac908d86c795776be7415e5403ce3

SHA256
6be2bad057c9300c90757d599d925db846b301f3a0114702c1322217cc00c15d

SHA512
31982617774fdfbe823bcea622c41c098775f9a4731134a0585666843214188b05f5b527e8a57f86a6b0559bedf03d39643575df56d7b7041613cef4a8d36487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7f5e041c2372eac95562f085cbff1991

SHA1
ff5dd3c8e46875a1359e2800eb403bb54afefb1a

SHA256
29f8e2c8e50170923d3d28f8ba52329dd6f76f2aac7b738039d95b7b3926607e

SHA512
c4a54770cba77681ab673763849673d083150949033f9661dcb70e125217991a0d96fff7b978d2e26e37623f574648c28ee87819d440080ea3ec05b2004e6041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2da601f98f9a5ad1be585e430009ad9c

SHA1
cc218948a8745daae6d20bf7ea7587bedfa44c91

SHA256
f32bd53bed6158993d2ef62f6e3d8896c2d267b015d97522039713f54ff0b328

SHA512
40eb509fa1bcd8e98fe8f30b741d289f1ba1aad380e90eba9597e828f026613f9e3ca5c3950173417dc46619c6ab0ef7b7619c5d65fd297921f566664bbe25d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
ec2d67bb99998ae0d006b4329a76bf49

SHA1
39971d668acb66a45fb0d1fd4512a62e10c50359

SHA256
59121514ae6d96123e3ee39a78cc86c28e02887c0ff286188cbc751e5a22469f

SHA512
6233e1b18382c327e865bc57c8f878151cae2218523ed12650b46206cd780c120855305cdfe84f9f69f6af247a77a4ac3a6bc97da41cd91df136f328933e2c0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133663034629753073.txt

Filesize
75KB

MD5
a7d004b7de00b332fe7f011b2088dfc9

SHA1
c94447cfee604441cef60afc8c3f3abe553edef7

SHA256
e0939c1b259b4e2f8e8dfd29ed1ef25c0622e0c2b0f3cb8dde67064fa19a1c6d

SHA512
831466afd0fa5d684c23ec07b13d8686ba5fab384273183a1d217bc22a03672e9b261975b2a1c056e2abe85e61a457ea9c431b946dc5a89b6578872522a3fe42

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RIS1AYJJ\microsoft.windows[1].xml

Filesize
97B

MD5
832501c56badfa07632e434ee9aff766

SHA1
99c8d3c9732abfbbbed9f45e83f6856cea1ca0b8

SHA256
86e5b213f18aa9b62de4e9a0e2029ed054389d9de2966246d955b2ecf292bf9d

SHA512
6ce79c1459e708dcca3cadaa947b7b87efa44d143cd732ed1fae156e8320fc67ca3475490bda806a8e7d48dc57030446cf8839ab88ade36845e36752bb084671

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
169bc5e7d347ee656fcaa372904603de

SHA1
5fe1f1a7f751b34165bf7bf4d1a1ef7b18f9a49c

SHA256
c1f4750e1ffcf45a1945f451c721f2520ff5006f702fb9544a20100dde2eca5a

SHA512
49257b709ea639d7823a562fa5bf89e68f16cedf8fd3f45b91dff5f2b8c41cb2c0d3c06eb834d3343e19e07b0b3478e543865da5a447fe5fb5437849ba0e77c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\766c6474ef2adc83.automaticDestinations-ms

Filesize
1KB

MD5
408cfe2399be9bdd2f7a9827b172cef5

SHA1
9e2e3062855019ab98e043dc5aeac59eda5fc2ca

SHA256
03265168352ab43be13119f11a4466a58ad06342a56fdda6474eacaf06009e92

SHA512
5d2ef501456e27f011da4196d76a60a7028ac5a5634ae321aa21f00929e4778e1e3fac5fb0c1bbf5803dc5d3b56496841906ec518b065bb8e65f93fbfc8ef0bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
9KB

MD5
8f3695d621359ec88a3661c7373c8537

SHA1
50c3a640deb9dc299aad27fa4a265c79fca05879

SHA256
575ad4011fc2386d5fb49bd31e61a0f98a9395ba7f9a37a5f8434946fc1e666f

SHA512
aa0cb9e7ac9d95a2f7f498f5512b52fd5278965392d5649757f82c9a67e2d58b98b5d4eb635db95d5309a091f4320fe35c9bf8c8f42edbf98cc0d2e8ce38e32f

Download Submit
C:\Users\Admin\Downloads\1._INTERNET_OPTIMIZATION-20240724T140244Z-001.zip

Filesize
33KB

MD5
4bf7cb34c604002aa7b69e2d4c04ad9d

SHA1
ba46b27b581222bbd237af9709bb7b3871d99664

SHA256
a184a70973eb2cdfb122bd1b31fab055db12b45a1e0b8b05cd09ca9c258e7939

SHA512
e0bb2aa0be80d1a8dc715b902936c12ed30df9ae323e7b6557b67da806f087667cf6b433ad65d28a16a5300c254db16b1a25737b7dbd42aaca9de1fa10a51f56

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001.zip

Filesize
10KB

MD5
49f607d6d318c3504984d0ad9ef6dff3

SHA1
ecc504b45a8cc3e60f1d976be5db5a9b0b5c74c7

SHA256
7c783b556a6f2262c7df7d46bad2306fb47744687d7a4fca0db37a9a44aa3bf4

SHA512
2dfb047abb7f3c3fe359bf2abadff071945411e5c2ae83ebaeaffb21d54867cb70f1025cd525a102cfff921f0fb0ae447608c95c710ed962d6eb1788bb699d65

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Cache Cleaner.bat

Filesize
824B

MD5
b741f2a2026378cfc69acc3393eba109

SHA1
1066d6b0b1648d291a635f0dd0ca3b3d3e68b8a8

SHA256
e0d757843483dadf7e2f51a526f8dbdfa2091e3a32133833535c0622ea082f84

SHA512
def0b6a0e2fc776051e54fe95818b7a7a68905c3c38824d691ff092bb62c5502084d2f435cf4935e5c49fc131165efac03c116ab1f6ef8aaeb5e0a003067c63f

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\DNS Cache Clear.cmd

Filesize
50B

MD5
b01f41d85d8212a7433f805110837be8

SHA1
22de25f00c21b7d48acd05d00ba014d71bec72b7

SHA256
ceea282669ffa42045c575cb3eaf84ac18265d13d12752222f7f48e25403feda

SHA512
7f42ed88df9ffcec8e053f0ef53264aaca915fcdfe31e2d3eccbf00c99ae0868801b24e1d76c14f4897b447adb58e0002019181759a518419314a75d488929d4

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Decrease Ping.bat

Filesize
320B

MD5
949c439f75eaee73e656ca519b1613b1

SHA1
d78974288f974b08765053935cacffa9503eae0d

SHA256
8168ad056261ea8e197dcf201476040e1b2067c1f72983b35f99ce31763499fa

SHA512
2e4d05a14d479cd4c4618fc29ab8c62e4a550cf80e89495b2482eb15161420e44a616de876017780c78633c226d033e184aafe0b511ed88112d59c2877f632f8

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Diagnostics Services.reg

Filesize
1KB

MD5
187781f67bd2f537aa82aaa4a8e5955e

SHA1
73bf2c1dc69e2e041f647a440ee4665bdc406b70

SHA256
473217370e8fb7631c48b51bd18f4d8dbf617016779edfa878b2ecee7803b52f

SHA512
bc0c9e746f024c873aa017e01e7688e3cfb529269b2f22eb4d5858f29d0fcf75ddb81329b16b5de25ec0e95f1022baeb85d66651744f9e4e42f7479fa6e0a82e

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable Background Apps.reg

Filesize
484B

MD5
b97c454b92a2bfcd55db6d4ff379a261

SHA1
ec2fc44f9ead126599ae8df4290f3041182e7ed2

SHA256
593e47184c9094052e2f2f15a56e864cbc8dad8393b33713b3503d0f27894db2

SHA512
e6efdeae87af9c999bb2682349166d18f468ad1f7ea181bd02edd78220ef9d5f25d5d5995662a1df861293d0e877e12cf913792e717d1251de452be79ad66d4d

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable Network Throttling Index.reg

Filesize
409B

MD5
0fdafb0a67805077f37e74dbdf6dd399

SHA1
efddfadc828048d2c11f686fb7583c2d8c30ee1c

SHA256
3d8d3dea9e32685a007ffba230d156948d23a49bb6d56e8a0fcd3f370a78b8a5

SHA512
b3dd9a65f7eb6ff9ab012172fb9b6d92d4c0ab63612ee71714b529c679e45eafcea852168f92f03cea9bf618e38693c66b2e8839a20b2b7221ee9f8781396832

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable OneDrive Network Sync.reg

Filesize
370B

MD5
35eba92e637c42a1829f2def75f08e99

SHA1
5529625abf4c2daf2fc9fdd346075ab9eab8a82b

SHA256
a90bf50420372369d464d6241598bed8e525b4611115298ca5a01870d6d54f36

SHA512
d32769bb0b4d53af2464432b05b82bebd6ece8855fce1510fbc023a81d6cb1c428c7038aee6f2ff6033577794febae68e262c863edcc66a6b1eef23fe2eda1c2

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Disable USB 3 Link Power Savings.reg

Filesize
785B

MD5
1c747470bfa6f0cb3d424604a9f1519a

SHA1
b655e438191da387a5a0faf4f2c6de29cc633b46

SHA256
bbcf32405d137b2c867d25421ace82a7cc617f6a6a9d9d4cfe0ae67230d9260c

SHA512
0c4e74a1b83b033c36272bed905ed9f0be8d796eb493d11fc44f4d897c2dc8b7cd257ea848b8462fb0098dfdf0e2663217e417e2c28a394c6a24828be1a7227e

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\DisableNetBT.reg

Filesize
250B

MD5
6d7e327e1e24178fd6ebb9c7f6c0972b

SHA1
400611c3517bd60275aab81d12f7d724e4503a69

SHA256
52c77cb4946a48b436244c0efdb0b4d8c4dc938f58c0247e005a082ed55f31c3

SHA512
c71fdac91711c2e51e97aff85a019e926530ecdabb562bc58317a006f95f448a9e5bfe2b645271ec4c2731b7896ecb20db679e03ff73fe7429a77cf43282ec62

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Latency_BCD_Tweaks.cmd

Filesize
266B

MD5
e3abd2580ab4acb2bb5c0e7159f11c73

SHA1
9144066f6d1bc3a6d993bea4f9d937f3087ec6a5

SHA256
ebec3fe59deecafec75c360d1aea12bfc2bc3c8b1536402f88f6ffa359816a8f

SHA512
929035c7c9f8ff6a4d1a95eca51da74a9e1208dff9b2b33a62ad3f0b401a8988d72fa998e6cbeb63b3c101ee084df7fe7a335fc8664921c208dbce38088b0a18

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Network Settings.BAT

Filesize
2KB

MD5
6c601e4eed1cb7748a06ebeb5d7d4581

SHA1
e485c961065c89ec356e406a19de86e61142f5c8

SHA256
f1677f79532918e6f1beb39e85b870b154d4ed1bdea8cefd636f0332b64cf466

SHA512
b88144687659da7acd6d49521becc34ce52937dbb1fcf11451b2f95e6f1d28d9223742befccddbb7a68a5d7868e6e020615450810c125db59fb58a2412b725ff

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Network Speed.reg

Filesize
368B

MD5
d4e613928b7921b26f83c66b1a4a8fa4

SHA1
7e2eefb951820b00932fe6ebcfe5b33608c283ee

SHA256
f5932ccebbd1ef10050d909ebcbc2c7ea6e2f3063b55b3f8dc3d095b54a95eb9

SHA512
01ad72f1f46fcf83df098b8a3027d49df093e3c68c775f7721c8443945d77b1a741fb9c8899bb1c4b55408ae7c1e9cc83c4b4a4abd48f83190d36578db092d21

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\OPTIONAL Disable Xbox Services.reg

Filesize
787B

MD5
1c9f493edc27438382f56e0d3db74571

SHA1
15c3592cd3f8dff834fa0f00e5d772aec9a84365

SHA256
92533ff3527f364359a39be02999e2c9bd3638bfda0058bdaf2e0524dbdee59b

SHA512
b03b88960a0d2fc40193b9dd3cbd778a7287d8ffd7582f33af11114e34f94f077096f56c7087dde9e2f392ee344bda44a9b532d74e58085601d39b74967214a1

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Reinforce Network Priorities.reg

Filesize
476B

MD5
313f8090bb0565cdf2e6014025752aee

SHA1
c92de8170e4107d4d1f986c0a06c6dafa8b848ca

SHA256
3cdbf75f6495fc16b6270e4e48ac887ad658196c4921d97dea60c56a586c95be

SHA512
8b97d1638b68351d761a82f70c6b4a33305299b75d784e7faaef6288cc14074255c5b090955263960ddeaf87f96cb1e2c7decb0c094104e9a09fd589e1966c14

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\Stop Network Throttling Command.bat

Filesize
128B

MD5
9c5094d7455addebcb5888150af01e0b

SHA1
20304bc0ab6271728967b473967b23e6a4ef8def

SHA256
d067971685cdd7e349bf1fbe0eb3a361a4f353718c4f0b8b5493d41d309354f5

SHA512
fce465f96d081ab03c4244078641e14d754a444a2ac3d6c7ea10941c9aa404f483325a86ada834643ac32582704f94b06b3a00344eb745e4c84ff3bf2549d3f0

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\bcd net.bat

Filesize
580B

MD5
9b223cf73a1754adc88abec624bf8f55

SHA1
1725cd7a12ee0cc8d92a9b5b9cab29378dcfd315

SHA256
77fabe048c9a3f82bb4cc4b8bf99894ab706ef22333dfb8999b82e63f6e1237b

SHA512
f4e55c4f74ac1fd3da75accda24cef76311c2daced087bb092af0b6d3d6b3e5f6c26214beb2f09b3c088bad7d86a45a2c3a86ff9ea4561dacdc02f33a4925954

Download Submit
C:\Users\Admin\Downloads\rixsn (2)-20240724T140255Z-001\rixsn (2)\Risxn Network Pack\vynla_low_ping.reg

Filesize
230B

MD5
f6d59ac25994b979eddd553204e489f9

SHA1
3cb22dfcb70294d1861d3ccf6dbd064c18cf4712

SHA256
18be455826a4101604ffd8fb970d113e7e39193004bfac933f6d2fecdb97ebe0

SHA512
55cffa16eaf8446d36c787ddc7d0b413c3f95ab1349dd92d1ec3c3bd6ab71a2a370762082983a5f8e87a4edfa06cb0e3b72f5562e33793999d23c9f62ca18eb6

Download Submit
memory/508-900-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/1468-1053-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/3560-709-0x00000240137E0000-0x0000024013800000-memory.dmp

Filesize
128KB

Download
memory/3560-735-0x0000024013DC0000-0x0000024013DE0000-memory.dmp

Filesize
128KB

Download
memory/3560-734-0x00000240137A0000-0x00000240137C0000-memory.dmp

Filesize
128KB

Download
memory/3560-895-0x0000023810C00000-0x000002381252F000-memory.dmp

Filesize
25.2MB

Download
memory/4136-938-0x0000020D39B20000-0x0000020D39B40000-memory.dmp

Filesize
128KB

Download
memory/4136-904-0x0000020D38B00000-0x0000020D38C00000-memory.dmp

Filesize
1024KB

Download
memory/4136-907-0x0000020D39B60000-0x0000020D39B80000-memory.dmp

Filesize
128KB

Download
memory/4136-902-0x0000020D38B00000-0x0000020D38C00000-memory.dmp

Filesize
1024KB

Download
memory/4136-1051-0x0000020536E00000-0x000002053872F000-memory.dmp

Filesize
25.2MB

Download
memory/4136-939-0x0000020D39F20000-0x0000020D39F40000-memory.dmp

Filesize
128KB

Download
memory/5336-1209-0x00000166B9C00000-0x00000166BB52F000-memory.dmp

Filesize
25.2MB

Download
memory/5336-1056-0x0000016EBB630000-0x0000016EBB730000-memory.dmp

Filesize
1024KB

Download
memory/5336-1183-0x00000166B9C00000-0x00000166BB52F000-memory.dmp

Filesize
25.2MB

Download
memory/5336-1067-0x0000016EBC710000-0x0000016EBC730000-memory.dmp

Filesize
128KB

Download
memory/5336-1068-0x0000016EBCB20000-0x0000016EBCB40000-memory.dmp

Filesize
128KB

Download
memory/5336-1055-0x0000016EBB630000-0x0000016EBB730000-memory.dmp

Filesize
1024KB

Download
memory/5336-1060-0x0000016EBC750000-0x0000016EBC770000-memory.dmp

Filesize
128KB

Download
memory/5564-510-0x000002420C5A0000-0x000002420C5C0000-memory.dmp

Filesize
128KB

Download
memory/5564-638-0x0000023A09400000-0x0000023A0AD2F000-memory.dmp

Filesize
25.2MB

Download
memory/5564-504-0x000002420BF80000-0x000002420BFA0000-memory.dmp

Filesize
128KB

Download
memory/5564-479-0x000002420BFC0000-0x000002420BFE0000-memory.dmp

Filesize
128KB

Download
memory/5564-475-0x000002420B100000-0x000002420B200000-memory.dmp

Filesize
1024KB

Download
memory/5564-476-0x000002420B100000-0x000002420B200000-memory.dmp

Filesize
1024KB

Download
memory/5564-474-0x000002420B100000-0x000002420B200000-memory.dmp

Filesize
1024KB

Download
memory/5652-703-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/5668-472-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download