hxxps://drive[.]google[.]com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF

Analysis

max time kernel
156s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF

Score

9^/10

defense_evasion discovery evasion execution persistence privilege_escalation ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
1544	wevtutil.exe
2264	Process not Found
5568	Process not Found
5736	Process not Found
5600	wevtutil.exe
5656	wevtutil.exe
2748	wevtutil.exe
5548	wevtutil.exe
1424	wevtutil.exe
1424	wevtutil.exe
744	wevtutil.exe
460	wevtutil.exe
1456	wevtutil.exe
4716	wevtutil.exe
5648	wevtutil.exe
5176	Process not Found
1088	Process not Found
2360	wevtutil.exe
5984	wevtutil.exe
5492	wevtutil.exe
1880	Process not Found
4464	Process not Found
1764	wevtutil.exe
3836	wevtutil.exe
2272	wevtutil.exe
5244	wevtutil.exe
2488	wevtutil.exe
1416	Process not Found
5932	Process not Found
4536	Process not Found
3644	wevtutil.exe
5996	wevtutil.exe
1480	Process not Found
4204	wevtutil.exe
4092	wevtutil.exe
1872	wevtutil.exe
5496	wevtutil.exe
4536	wevtutil.exe
1424	wevtutil.exe
5496	wevtutil.exe
5020	wevtutil.exe
5456	Process not Found
4336	Process not Found
3976	wevtutil.exe
2908	wevtutil.exe
5832	Process not Found
4076	wevtutil.exe
1836	wevtutil.exe
2796	Process not Found
2360	Process not Found
5456	wevtutil.exe
5812	wevtutil.exe
6016	wevtutil.exe
4952	wevtutil.exe
2144	wevtutil.exe
2480	Process not Found
5928	Process not Found
2180	wevtutil.exe
5864	wevtutil.exe
5576	wevtutil.exe
5756	wevtutil.exe
4640	wevtutil.exe
4540	wevtutil.exe
4164	wevtutil.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 46 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe	powershell.exe

Indirect Command Execution 1 TTPs 3 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
1452	forfiles.exe
1720	forfiles.exe
2664	forfiles.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2036	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 46 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
18	drive.google.com
4	drive.google.com
16	drive.google.com
17	drive.google.com

Power Settings 1 TTPs 3 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5412	powercfg.exe
2256	powercfg.exe
1960	powercfg.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 4 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
5808	powershell.exe
2036	powershell.exe
1340	powershell.exe
5812	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 60 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3228	cmd.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1596	netsh.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3308	timeout.exe
3704	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"	regedit.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 969025.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 3 IoCs

pid	Process
5648	regedit.exe
5272	regedit.exe
5380	regedit.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
3136	msedge.exe
3136	msedge.exe
4256	identity_helper.exe
4256	identity_helper.exe
2544	msedge.exe
2544	msedge.exe
5532	msedge.exe
5532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
5648	powershell.exe
5648	powershell.exe
5648	powershell.exe
5812	powershell.exe
5812	powershell.exe
5812	powershell.exe
5808	powershell.exe
5808	powershell.exe
5808	powershell.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
1340	powershell.exe
1340	powershell.exe
1340	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	6060	7zG.exe
Token: 35	6060	7zG.exe
Token: SeSecurityPrivilege	6060	7zG.exe
Token: SeSecurityPrivilege	6060	7zG.exe
Token: SeDebugPrivilege	5648	powershell.exe
Token: SeIncreaseQuotaPrivilege	5648	powershell.exe
Token: SeSecurityPrivilege	5648	powershell.exe
Token: SeTakeOwnershipPrivilege	5648	powershell.exe
Token: SeLoadDriverPrivilege	5648	powershell.exe
Token: SeSystemProfilePrivilege	5648	powershell.exe
Token: SeSystemtimePrivilege	5648	powershell.exe
Token: SeProfSingleProcessPrivilege	5648	powershell.exe
Token: SeIncBasePriorityPrivilege	5648	powershell.exe
Token: SeCreatePagefilePrivilege	5648	powershell.exe
Token: SeBackupPrivilege	5648	powershell.exe
Token: SeRestorePrivilege	5648	powershell.exe
Token: SeShutdownPrivilege	5648	powershell.exe
Token: SeDebugPrivilege	5648	powershell.exe
Token: SeSystemEnvironmentPrivilege	5648	powershell.exe
Token: SeRemoteShutdownPrivilege	5648	powershell.exe
Token: SeUndockPrivilege	5648	powershell.exe
Token: SeManageVolumePrivilege	5648	powershell.exe
Token: 33	5648	powershell.exe
Token: 34	5648	powershell.exe
Token: 35	5648	powershell.exe
Token: 36	5648	powershell.exe
Token: SeDebugPrivilege	5812	powershell.exe
Token: SeIncreaseQuotaPrivilege	5812	powershell.exe
Token: SeSecurityPrivilege	5812	powershell.exe
Token: SeTakeOwnershipPrivilege	5812	powershell.exe
Token: SeLoadDriverPrivilege	5812	powershell.exe
Token: SeSystemProfilePrivilege	5812	powershell.exe
Token: SeSystemtimePrivilege	5812	powershell.exe
Token: SeProfSingleProcessPrivilege	5812	powershell.exe
Token: SeIncBasePriorityPrivilege	5812	powershell.exe
Token: SeCreatePagefilePrivilege	5812	powershell.exe
Token: SeBackupPrivilege	5812	powershell.exe
Token: SeRestorePrivilege	5812	powershell.exe
Token: SeShutdownPrivilege	5812	powershell.exe
Token: SeDebugPrivilege	5812	powershell.exe
Token: SeSystemEnvironmentPrivilege	5812	powershell.exe
Token: SeRemoteShutdownPrivilege	5812	powershell.exe
Token: SeUndockPrivilege	5812	powershell.exe
Token: SeManageVolumePrivilege	5812	powershell.exe
Token: 33	5812	powershell.exe
Token: 34	5812	powershell.exe
Token: 35	5812	powershell.exe
Token: 36	5812	powershell.exe
Token: SeIncreaseQuotaPrivilege	5812	powershell.exe
Token: SeSecurityPrivilege	5812	powershell.exe
Token: SeTakeOwnershipPrivilege	5812	powershell.exe
Token: SeLoadDriverPrivilege	5812	powershell.exe
Token: SeSystemProfilePrivilege	5812	powershell.exe
Token: SeSystemtimePrivilege	5812	powershell.exe
Token: SeProfSingleProcessPrivilege	5812	powershell.exe
Token: SeIncBasePriorityPrivilege	5812	powershell.exe
Token: SeCreatePagefilePrivilege	5812	powershell.exe
Token: SeBackupPrivilege	5812	powershell.exe
Token: SeRestorePrivilege	5812	powershell.exe
Token: SeShutdownPrivilege	5812	powershell.exe
Token: SeDebugPrivilege	5812	powershell.exe
Token: SeSystemEnvironmentPrivilege	5812	powershell.exe
Token: SeRemoteShutdownPrivilege	5812	powershell.exe
Token: SeUndockPrivilege	5812	powershell.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
6060	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe
3136	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 368	3136	msedge.exe	84
PID 3136 wrote to memory of 368	3136	msedge.exe	84
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 4576	3136	msedge.exe	85
PID 3136 wrote to memory of 2424	3136	msedge.exe	86
PID 3136 wrote to memory of 2424	3136	msedge.exe	86
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87
PID 3136 wrote to memory of 1476	3136	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff904346f8,0x7fff90434708,0x7fff90434718
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1260 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8567662735705722580,5922637725297166495,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4132 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1924

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\" -spe -an -ai#7zMap8572:108:7zEvent13749
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6060

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\UltimateTweaks GO PRO Pack\9 KBM\M2 MarkC Windows 10 Mouse Fix.reg"
1⤵
- Modifies data under HKEY_USERS
- Runs .reg file with regedit
PID:5648

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\UltimateTweaks GO PRO Pack\9 KBM\Mouse Tweaks 1.reg"
1⤵
- Modifies data under HKEY_USERS
- Runs .reg file with regedit
PID:5272

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\UltimateTweaks GO PRO Pack\9 KBM\Mouse Tweaks 2.reg"
1⤵
- Modifies data under HKEY_USERS
- Runs .reg file with regedit
PID:5380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Sjay_s_ZeroPing_Crack___.bat"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3228
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3308
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=normal
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4124
- C:\Windows\system32\netsh.exe
  netsh interface 6to4 set state disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5188
- C:\Windows\system32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Time Discovery
  PID:1596
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5216
- C:\Windows\system32\netsh.exe
  netsh int tcp set global chimney=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5248
- C:\Windows\system32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3020
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rsc=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5440
- C:\Windows\system32\netsh.exe
  netsh int tcp set global nonsackrttresiliency=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5404
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1416
- C:\Windows\system32\netsh.exe
  netsh int tcp set security profiles=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5444
- C:\Windows\system32\netsh.exe
  netsh int ip set global icmpredirects=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1584
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disabled profiles=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5480
- C:\Windows\system32\netsh.exe
  netsh int tcp set supplemental internet congestionprovider=ctcp
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3164
- C:\Windows\system32\netsh.exe
  netsh interface teredo set state disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5516
- C:\Windows\system32\netsh.exe
  netsh winsock set autotuning on
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:6072
- C:\Windows\system32\netsh.exe
  netsh int isatap set state disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5596
- C:\Windows\system32\netsh.exe
  netsh int ip set global taskoffload=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5020
- C:\Windows\system32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2456
- C:\Windows\system32\netsh.exe
  netsh int ip set global routecachelimit=4096
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2244
- C:\Windows\system32\netsh.exe
  netsh int ip set global sourceroutingbehavior=drop
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell Disable-NetAdapterLso -Name "*"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name $adapter.Name -ErrorAction SilentlyContinue}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:5808
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "0" /f
  2⤵
  PID:4940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
  2⤵
  PID:6096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "32" /f
  2⤵
  PID:3436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "GlobalMaxTcpWindowSize" /t REG_DWORD /d "8760" /f
  2⤵
  PID:624
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpWindowSize" /t REG_DWORD /d "8760" /f
  2⤵
  PID:5124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPerServer" /t REG_DWORD /d "0" /f
  2⤵
  PID:5968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
  2⤵
  PID:464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
  2⤵
  PID:6124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
  2⤵
  PID:6092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:1904
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3308
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AB1848B7-436A-497A-AE43-DB91F91E6C8E}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:4124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:5228
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:5220
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AB1848B7-436A-497A-AE43-DB91F91E6C8E}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
  2⤵
  PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:1544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:1340
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3020
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AB1848B7-436A-497A-AE43-DB91F91E6C8E}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:5420
- C:\Windows\system32\powercfg.exe
  powercfg import "C:\ExcusesFN"
  2⤵
  - Power Settings
  PID:5412
- C:\Windows\system32\forfiles.exe
  forfiles -p "C:\Windows\prefetch" -s -m *.* /C "cmd /c del @path"
  2⤵
  - Indirect Command Execution
  PID:1452
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\AgAppLaunch.db"
    3⤵
    PID:1896
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\AgGlFaultHistory.db"
    3⤵
    PID:1416
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\AgGlFgAppHistory.db"
    3⤵
    PID:4152
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\AgGlGlobalHistory.db"
    3⤵
    PID:780
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\AgRobust.db"
    3⤵
    PID:1176
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf"
    3⤵
    PID:3704
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ASPNET_REGIIS.EXE-945CDB73.pf"
    3⤵
    PID:5448
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ASPNET_REGIIS.EXE-A5891C91.pf"
    3⤵
    PID:2480
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\AUDIODG.EXE-BDFD3029.pf"
    3⤵
    PID:3908
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf"
    3⤵
    PID:5492
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf"
    3⤵
    PID:5480
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\BYTECODEGENERATOR.EXE-C1E9BCE6.pf"
    3⤵
    PID:1824
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\CONHOST.EXE-1F3E9D7E.pf"
    3⤵
    PID:1772
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\DISM.EXE-DE199F71.pf"
    3⤵
    PID:5556
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\DISMHOST.EXE-8F2B04FD.pf"
    3⤵
    PID:3596
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\DLLHOST.EXE-504C779A.pf"
    3⤵
    PID:5640
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\DLLHOST.EXE-5E46FA0D.pf"
    3⤵
    PID:5972
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\DLLHOST.EXE-A73FB9CB.pf"
    3⤵
    PID:2072
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\DLLHOST.EXE-FC981FFE.pf"
    3⤵
    PID:5576
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\FILESYNCCONFIG.EXE-33763EB7.pf"
    3⤵
    PID:6060
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\FSQUIRT.EXE-BBD9646E.pf"
    3⤵
    PID:6064
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf"
    3⤵
    PID:4532
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf"
    3⤵
    PID:5604
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf"
    3⤵
    PID:5600
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\NGEN.EXE-AE594A6B.pf"
    3⤵
    PID:3184
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\NGEN.EXE-EC3F9239.pf"
    3⤵
    PID:5620
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ONEDRIVE.EXE-96969DDA.pf"
    3⤵
    PID:5564
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf"
    3⤵
    PID:4436
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ONEDRIVESETUP.EXE-ADFC0EFD.pf"
    3⤵
    PID:5048
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\PfPre_5f3b4030.mkd"
    3⤵
    PID:4824
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\PfSvPerfStats.bin"
    3⤵
    PID:4884
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\POWERSHELL.EXE-920BBA2A.pf"
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\REG.EXE-E7E8BD26.pf"
    3⤵
    PID:5052
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ResPriHMStaticDb.ebd"
    3⤵
    PID:2188
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-002D6F84.pf"
    3⤵
    PID:3920
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-01E21A55.pf"
    3⤵
    PID:2244
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-0521102C.pf"
    3⤵
    PID:2496
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-08AF006C.pf"
    3⤵
    PID:4516
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-0A03C9B5.pf"
    3⤵
    PID:5304
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-0C84305E.pf"
    3⤵
    PID:1028
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-1463E66D.pf"
    3⤵
    PID:5380
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-156D43F1.pf"
    3⤵
    PID:2376
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-1589E4C3.pf"
    3⤵
    PID:4072
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-16AF9B6E.pf"
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-18665B15.pf"
    3⤵
    PID:648
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-23EA2E5B.pf"
    3⤵
    PID:3148
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-2C52326A.pf"
    3⤵
    PID:5672
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-32DA767E.pf"
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-373C0EED.pf"
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-4DC9A20E.pf"
    3⤵
    PID:4288
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-4EFE6110.pf"
    3⤵
    PID:3536
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-56E309E9.pf"
    3⤵
    PID:5720
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-5B70F332.pf"
    3⤵
    PID:5732
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-61696F68.pf"
    3⤵
    PID:5648
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-641DCE1C.pf"
    3⤵
    PID:5768
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-6F2A95AF.pf"
    3⤵
    PID:5008
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7194EF5E.pf"
    3⤵
    PID:5780
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7BB97BF6.pf"
    3⤵
    PID:5764
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7BCB4814.pf"
    3⤵
    PID:1408
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7C77C512.pf"
    3⤵
    PID:2156
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7CB48DE8.pf"
    3⤵
    PID:6024
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7E8D1C35.pf"
    3⤵
    PID:4464
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7EF4A0DD.pf"
    3⤵
    PID:5240
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-7F337F0A.pf"
    3⤵
    PID:4864
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-894C9E34.pf"
    3⤵
    PID:4936
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-8AFD300C.pf"
    3⤵
    PID:2488
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-976DB280.pf"
    3⤵
    PID:6100
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-97BCF638.pf"
    3⤵
    PID:6096
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-99F89D15.pf"
    3⤵
    PID:3436
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-AE5EC6E9.pf"
    3⤵
    PID:624
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-AED2006F.pf"
    3⤵
    PID:6088
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-B2C296EF.pf"
    3⤵
    PID:5932
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-C5BE1C43.pf"
    3⤵
    PID:6132
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-C8D69DC6.pf"
    3⤵
    PID:6136
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-D2B15AE2.pf"
    3⤵
    PID:5952
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-D71F3FEA.pf"
    3⤵
    PID:5180
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-DB926CB0.pf"
    3⤵
    PID:2256
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-E66A223C.pf"
    3⤵
    PID:1960
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-E8196656.pf"
    3⤵
    PID:2036
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-FCAF5656.pf"
    3⤵
    PID:3192
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-FDF50724.pf"
    3⤵
    PID:5216
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNDLL32.EXE-FFCC5BB3.pf"
    3⤵
    PID:4252
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-005D3145.pf"
    3⤵
    PID:180
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-06226CEB.pf"
    3⤵
    PID:5232
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-3ED30A86.pf"
    3⤵
    PID:2304
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-4DE02988.pf"
    3⤵
    PID:1592
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-94A02D86.pf"
    3⤵
    PID:5396
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-98C67737.pf"
    3⤵
    PID:376
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf"
    3⤵
    PID:5288
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-BC366267.pf"
    3⤵
    PID:6084
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf"
    3⤵
    PID:5392
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\RUNTIMEBROKER.EXE-D9106866.pf"
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf"
    3⤵
    PID:2144
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SGRMBROKER.EXE-0CA31CC6.pf"
    3⤵
    PID:1044
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf"
    3⤵
    PID:2472
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SHUTDOWN.EXE-E7D5C9CC.pf"
    3⤵
    PID:2016
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SLUI.EXE-724E99D9.pf"
    3⤵
    PID:744
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf"
    3⤵
    PID:5456
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf"
    3⤵
    PID:2600
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SOBQL9.EXE-62BA7442.pf"
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-033BBABB.pf"
    3⤵
    PID:5488
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-342BD74A.pf"
    3⤵
    PID:5524
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-4BA0E729.pf"
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-5AC380EC.pf"
    3⤵
    PID:5504
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-7CFEDEA3.pf"
    3⤵
    PID:5568
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-8102A33C.pf"
    3⤵
    PID:4444
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-C49E779A.pf"
    3⤵
    PID:4512
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-CABA5DBC.pf"
    3⤵
    PID:2492
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-DF3D779F.pf"
    3⤵
    PID:2280
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-E45D8788.pf"
    3⤵
    PID:1728
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-F027B880.pf"
    3⤵
    PID:5580
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\SVCHOST.EXE-FF8EBD82.pf"
    3⤵
    PID:5548
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\TAKEOWN.EXE-A80759AD.pf"
    3⤵
    PID:3832
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\TASKHOSTW.EXE-3E0B74C8.pf"
    3⤵
    PID:5624
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\TASKKILL.EXE-8F5B2253.pf"
    3⤵
    PID:3488
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\TIWORKER.EXE-C101ABCD.pf"
    3⤵
    PID:3732
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf"
    3⤵
    PID:3776
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\VSSVC.EXE-B8AFC319.pf"
    3⤵
    PID:2596
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\WFSERVICESREG.EXE-3EE82250.pf"
    3⤵
    PID:1836
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\WFSERVICESREG.EXE-766D3C5B.pf"
    3⤵
    PID:432
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\WLRMDR.EXE-C2B47318.pf"
    3⤵
    PID:5252
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\WMIADAP.EXE-F8DFDFA2.pf"
    3⤵
    PID:2392
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\WMIPRVSE.EXE-1628051C.pf"
    3⤵
    PID:3496
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ReadyBoot\rblayout.xin"
    3⤵
    PID:2512
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ReadyBoot\ReadyBoot.etl"
    3⤵
    PID:1372
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\prefetch\ReadyBoot\Trace1.fx"
    3⤵
    PID:5652
- C:\Windows\system32\forfiles.exe
  forfiles -p "C:\Users\justin\AppData\Local\Temp" -s -m *.* /C "cmd /c del @path"
  2⤵
  - Indirect Command Execution
  PID:1720
- C:\Windows\system32\forfiles.exe
  forfiles -p "C:\Windows\Temp" -s -m *.* /C "cmd /c del @path"
  2⤵
  - Indirect Command Execution
  PID:2664
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc34FA.tmp"
    3⤵
    PID:5644
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc34FA.tmp.LOG1"
    3⤵
    PID:4716
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc34FA.tmp.LOG2"
    3⤵
    PID:4112
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc34FB.tmp"
    3⤵
    PID:5752
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc34FB.tmp.LOG1"
    3⤵
    PID:5864
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc34FB.tmp.LOG2"
    3⤵
    PID:5380
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc3A69.tmp"
    3⤵
    PID:2192
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc3A69.tmp.LOG1"
    3⤵
    PID:5912
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\amc3A69.tmp.LOG2"
    3⤵
    PID:4796
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\ASPNETSetup_00000.log"
    3⤵
    PID:4816
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\ASPNETSetup_00001.log"
    3⤵
    PID:5860
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\FXSAPIDebugLogFile.txt"
    3⤵
    PID:5664
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\FXSTIFFDebugLogFile.txt"
    3⤵
    PID:5676
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\msedge_installer.log"
    3⤵
    PID:5148
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(20240709142536870).log"
    3⤵
    PID:5728
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(20240709142656948).log"
    3⤵
    PID:5720
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(202407091428169B4).log"
    3⤵
    PID:1864
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(202407091429399FC).log"
    3⤵
    PID:5732
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(202407091432049C4).log"
    3⤵
    PID:5792
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(20240709143451A04).log"
    3⤵
    PID:3552
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\officeclicktorun.exe_streamserver(202407091530169A4).log"
    3⤵
    PID:6032
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1419.log"
    3⤵
    PID:5768
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1420.log"
    3⤵
    PID:1408
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1420a.log"
    3⤵
    PID:2156
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1420b.log"
    3⤵
    PID:6024
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1420c.log"
    3⤵
    PID:4464
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1420d.log"
    3⤵
    PID:2912
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1425.log"
    3⤵
    PID:5944
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1427.log"
    3⤵
    PID:5240
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1428.log"
    3⤵
    PID:4864
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1429.log"
    3⤵
    PID:2796
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1431.log"
    3⤵
    PID:5808
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1432.log"
    3⤵
    PID:6108
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1434.log"
    3⤵
    PID:1364
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1525.log"
    3⤵
    PID:1496
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\VOCYMMGW-20240709-1530.log"
    3⤵
    PID:4940
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\MsEdgeCrashpad\settings.dat"
    3⤵
    PID:5124
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\MsEdgeCrashpad\throttle_store.dat"
    3⤵
    PID:5968
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\_70847D66-E396-42FA-8562-8FC88A56227C\WindowsUpdate.20240709.140645.275.1.etl"
    3⤵
    PID:464
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\_70847D66-E396-42FA-8562-8FC88A56227C\WindowsUpdate.20240709.140645.275.2.etl"
    3⤵
    PID:6124
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\_70847D66-E396-42FA-8562-8FC88A56227C\WindowsUpdate.20240709.140645.275.3.etl"
    3⤵
    PID:6092
- - C:\Windows\system32\cmd.exe
    /c del "C:\Windows\Temp\_70847D66-E396-42FA-8562-8FC88A56227C\WindowsUpdate.20240724.140725.181.1.etl"
    3⤵
    PID:5180
- C:\Windows\system32\powercfg.exe
  powercfg -setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 1
  2⤵
  - Power Settings
  PID:2256
- C:\Windows\system32\powercfg.exe
  powercfg -setactive scheme_current
  2⤵
  - Power Settings
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "ForEach($v in (Get-Command -Name \"Set-ProcessMitigation\").Parameters[\"Disable\"].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "Remove-Item -Path \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\" -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Indicator Removal: Clear Persistence
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
  2⤵
  PID:780
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  2⤵
  PID:1176
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3704
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "0" /f
  2⤵
  PID:5464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "0" /f
  2⤵
  PID:2600
- C:\Windows\system32\fsutil.exe
  fsutil behavior set DisableDeleteNotify 1
  2⤵
  PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil.exe el
  2⤵
  PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe el
    3⤵
    PID:5516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5584
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5620
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:2180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5664
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5568
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:3836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4640
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5568
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:2360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:6016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1652
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:3644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6004
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1652
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:2272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5400
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5696
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2928
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3584
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5508
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5556
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5584
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5564
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5620
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5400
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2556
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1372
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:2748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5400
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3260
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5772
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5620
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3840
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6000
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5808
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4400
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5228
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5848
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5680
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5584
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5172
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3024
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:5756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1880
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6004
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5400
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:6048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  - Clears Windows event logs
  PID:2144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:2560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:1176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl
  2⤵
  PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Indirect Command Execution

T1202

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cfd3cfd8ae4b67428c19409d4f4c4e53

SHA1
e9f8a78cfb0893a86fa2431496ae9e1172d8c3b1

SHA256
bdf6c3438d8d6f4aab13e4e8f9dde147669a50b618026b8e78ee638ec31c1a57

SHA512
947c050ac8464679370b870f7c3b79568e2074f680fac9362f656bbf1c5668e747b152a49f6cfb02f07e4f7bbd3cacad06474688f96f9e2dff38fac8b12f0377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e1c42a1b2bd119b8c8959633c661d87c

SHA1
87f0dfd33fd76c9dc20cfde4db4640e6106a136b

SHA256
9baa2efcc612d320cefa8035766500ae5dc359603325619398c6f7d816b90c4e

SHA512
3dc315515db6829d79dcdd33da5f3914b1d43f8675965388c2d01dc5a041df181be486b4a3bf907271d59040c9511a0cd6194018d5c5ea8a4dd5d0ebd5e9a901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
14aea70ed237d829ddb1b77c2d7e3de3

SHA1
52f2c78152f5c1ed1efbe26b60c92316f1bababe

SHA256
5c7c62e3ccb502f0356df00c6babbfbc865cd37032e8923f86591909d0b442a3

SHA512
1197f5d99c59e716113e64083044dd046fcbaa24dd87a80cb1ba97e43725c570f312c6676e244fdb8bdd93f6f548f72fa50baec57f24455e13e206da2d74f0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a207ba30bffb3a0d71a1b0f61e4ea654

SHA1
31f75a1af6f6666839f1e0bbc9b4eb488989af3b

SHA256
28058c12a6843024f05a50dd094cfd2b4c2e1121489582a87bad6898c51a27d0

SHA512
b23bd0cb363a17f6a4ff8120dce49acb736372e983cbaddcd161ffa37154cf0f874589e84a8da3ac9dae8d3eb321d374dc1abb8ef147d7058c32c0f7ffe7a6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ec2c8277e977c2e78116ef0f258f2d8

SHA1
ed37799190e80c26ac399a33be1b5100eb371ce2

SHA256
23636cdb4255ec91c7eecdad5a3ecfec62bf5c4ca558ff39206b2fe701b05465

SHA512
804f45ceb322b25d4afc26dfee5f4f782bcc92416e4acc8ccece9a3c40e98e68bf37ed5a8086031d63dd9cc14148b94dfa2f577b2d7d443bc9b250666a3c82eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a25023538000d6f949b292cb26f4676

SHA1
23aa177286f40018a3a53a3be6dd1e39e0e00d80

SHA256
6dc7918d198f1ce306808d1db32fb8ef391261563fcd478595b61b7140a78c59

SHA512
d180827eb727b15caafa96b12511dfab6d329b5d76d8d8f1cc302cada1d1c3a2f6948595d36b36afd0df551587c7aba7d7f0781f9d99d427d7793f543c6faf2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d66d1259b9ac6e9d6cb3ae21bd0d4e7

SHA1
f306a30be5066c48e7bb3c78cf0b7161b78aa6f8

SHA256
8f33049396d7f55033054da663e598167900dee91696959356f80787cc2c63ed

SHA512
f9386792dfea52301724448cd9e924b6cf0094aa0c85b1f42c25867bf685d59ed32c9656edf5f4d5a3590597b12fef623e440ba6e68b74305cb253254fb4436a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1acbc5243681ad5e94d9182a2bdb08b9

SHA1
eab9e8b3e55f78362cdb27a5f162b20e43e15e5d

SHA256
a647623b95d9ca45b01670767ee2022306ab572162cfb158b5052a08913f23d4

SHA512
1e118509f0c6c4c2aa1138b516f3009c266f363a620ec436880912341945bfbe6aaa2c176df48b059661ab9e285acaa379c54092405cb3effbb7b48c5c865a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a777e50118a2bd80aec19f8e86b3ecf5

SHA1
fe0263a958a6242a264cd9e48855cf7c5c81e0ca

SHA256
8d0d05329d57be8f5e9bca8357873de53a8e6aaf28170e44b2bd5f2b94ee4c36

SHA512
02cc4fc8f65ea6aeb45584fac435bba3fad16b8bdc720c3776e037840c025ca00373814ab6d1c07f65c8a53fbd22b80b614c8aa9e2096e1f5326a68afb559cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a84a04f91b1f8e90066082397d6432e5

SHA1
40bf09d382eb053dbe68dd9ba80d1153fdb2bb20

SHA256
d82c35eb1df66546f095d8bc99dfc0ab9497ec25b02410e0e35eaeee1c2d528b

SHA512
d057fedae5f03fd77fb7668e50a8e40e310b5081126bce61ee7eb2e490a51230d50ab72af729dc26c5ac07dc9eb04d4ba9352d6f0fb973d0a50bb5ba10c664d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5812c8.TMP

Filesize
708B

MD5
fe2db44b886c62ccc0d11a92b24f8165

SHA1
d4be606c073de8590b996ed5c575ee019a2d6747

SHA256
17ae2df91a5ec1e4062ab8c7065fff06b63f5726446fb18239afd4054242f670

SHA512
5e2c6bf2bd13aba0a0a798891dec8725b2e8879373ec56e8b0248653834619b3020e56a107a9da61a15cbd31353ad25a7198264ed27b1c6caae66cc17778ed7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bff521c5-573d-4bdd-9ec1-28a9dc5e923e.tmp

Filesize
1KB

MD5
084051d499d0df4b2b7200dd1406a60d

SHA1
2a6e9c8046ed2cf6842c33f4b729f461a0814a9c

SHA256
1846f67c015bc5af2ab055f8125c305ff64f1160ddca7a565b2a975d9b5ea70a

SHA512
58f491e40fd889b4c1378c068c2d53e478eb0026c7e0ac3daf9df65eb9b29cf905f0c2fc622b8200c281666660dc51b7c97818a42de7aa778af8e17f921bb4fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
644f2d98b8ae59933ea13c4250327a0e

SHA1
bc9d98dca4d231a2077dd02a8919acb0260ac870

SHA256
1843036a4f6392865d956d9b74ed48b4d1cf046d2fd794830fee6467ed4c51c8

SHA512
220011d2ebfa72a3a23098c5760effd5f6290c26ce7268f41c6b3457bb558e4870b84724733a9c1ff5c5b227d67e39b40170f5022cb6ad0504448f2743bb5312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
05ea51c5b1ed70225b5c115dcf05913f

SHA1
125ebd7539aabe4000dd64e1426f5133b0663639

SHA256
b4232c2067690364a56fbbc0ca60a987643bfe6a81dc1c579ae9436d079da6a2

SHA512
ae777700555b9633976d999771fc9cc6257d02cd90a8a45617b723aaecb95c4524d0f7623de62e8c6f5dda5a0dcfaba7e817dfdc8ebbce4454f928b8066a1696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a040817a807357680da301bd2686b03

SHA1
c64c748c9893b7dd94e9257a630e54cee4b7c5bb

SHA256
099d57ffde5a65b3cd49d88d2fbb9e444c752ffd9da48cd382bf8aa012eecec1

SHA512
a96f9aebc2b69549bde253747021f2bef370c110d8e2c9028e0db5783baf7e00495a007dc4dae43c2045ccf753086ea9513e20a7e844289e31d2e54c21acf4a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c61688ce6838227bd86c6eb5381b724

SHA1
ce646522b8e7ef148cb524591a3c515fc2181781

SHA256
c0d886760504022c36224fd1b2de9fc34e33c3c6461476a26063e7d1769d1c5e

SHA512
9cfc1fa0a3d0f888a46b63013204ab6b091b47e08a57a25c1aacf403be244893f0f01cd080a7bed66f7c2495c6df14ab5d7814b7c9e9cf4c7b716ae28dbd681a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
561edf33ac4e1643f5832c27b7b148f8

SHA1
daa60bb2fc3da6e9b0ed496ba5959ee119e61c16

SHA256
b27bc58877e3ccad28406714c13a78d81dd2b567af3c7f4d1ded47f15310147e

SHA512
92fd354e582e46ad2383c29ccc0c4af3c7e6a12d43188f7fbbf3320733392049dc1b8906a17d29432838ba4f4dc98ad78f7d058020cf41c00583dff391b7c343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2b2e700b25303bba2469028c2fac99c

SHA1
75a82611da541769b5de30e0d66a8b53de075402

SHA256
4bca3086be034cb33350205941076f087e5ddbf97c8d1b4444ed63d2556fa123

SHA512
a1f55f7f2d5af62148a16d3ab04062e8cad7b8a6a9f026a4379943f858e63de4810307f93054686ccf6ad26d68abc62fa57f796a45143c4191f7e18b1c6f6663

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
882ff259a1fc126ee19572650e7a341a

SHA1
be8d55cd32a34a5106e7df584bc4b410e96d8e6e

SHA256
43f9ceb0a022c4d97f6ec238b42ea75593be182b7728f6e854ea50d0e06dfc8a

SHA512
d6bd8a845186afb2e968f2113d225e4b7de6642f329cd85347d11e1766d8813b4bb1ffcb1b619ee6db9df65597e35dcaf8e633fd278f373c19ff21dcbcb22bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\38365F~1.TMP

Filesize
224KB

MD5
09bd0f4196902acac51ec4fab447da46

SHA1
5d15beebfb17323b8d973546cf9c4cbb4f0cb0c9

SHA256
a252dde73c00028fb3f4ea18340f072dcb19b5ba60286ab8baf936437624dc3e

SHA512
aff8d4e1e746bf8c5cb9054a44f3a516b5110e76295621f40d715831e86d8fbfa34588019f7ea00ee06627205a38c597f677250c190729f03063c5c278eadef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B46040~1.TMP

Filesize
2.4MB

MD5
81cd58065f5d06e9b98a7e58cf9b6a15

SHA1
1e6408cce5d81187573a598eb8414e22bd5871bd

SHA256
9adc47d8ceefa595f5d284f17ad14bc3d41a937ce926f6dec03c62db9bd07d26

SHA512
c9592223fe95e4cb39889bf99806f31c5c991246ec736339b4ffe382dc1c617e3935193f938a2498fc30bd36c5ca3ebd5564b2f476a8901de373f24f04066743

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duwslbte.mjg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\UltimateTweaks GO PRO Pack\3 REGISTRY TWEAKS\Decrease Delay.reg

Filesize
319B

MD5
a33a770344437b9a6e7032734f0a2d9d

SHA1
16572654cea038e615c82490a9517c222394d86c

SHA256
230888c9d1bdabbf898e44aea761e5c747e472c12982b56d29edf35fab089a5e

SHA512
670f7fd00319272c191e04e434304b6f137e9d270fd749b15cc101f5a7eef578bf969617a5411adc80f7f6884a163a32f3b7d7c7c7dab583e9c84694f9ca06c9

Download Submit
C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\UltimateTweaks GO PRO Pack\9 KBM\M2 MarkC Windows 10 Mouse Fix.reg

Filesize
543B

MD5
a48aaf7ba97a1fb48d8899b9550162b0

SHA1
2ad3dc2623567c95119bb7ee19f6dab30cf6f813

SHA256
71ea670cd357049f9bb80ca7db08b4f70e088c86c865e3595e2bfa5629be9ab0

SHA512
b17c18ca142b3af7e76c55241cff784dcc73ee159405e2cf014038d42fe3e31600346e6097e76604562722038410c5acc56e65edc061acca07e13f5fe1a59bbc

Download Submit
C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\UltimateTweaks GO PRO Pack\9 KBM\Mouse Tweaks 1.reg

Filesize
149B

MD5
2794cd1b8b3d3ee8e39a6eb713778d97

SHA1
a5c596d5ca5d6482a1520cf5dd4551b59f1f8bbf

SHA256
5285d637aec56bde3c9327808df9e3e72997235f95f33b2c5d118b0914e6b260

SHA512
dfd055e5d91a86e5879ed4db094447a7d91c165fbe7f7af6c83e82d2d735f104bac5b27860c4f5b990b8408875ce6bbbc1545f222577cc7a8a072bfc75f1c480

Download Submit
C:\Users\Admin\Downloads\ULTIMATE_TWEAKS_PREMIUM\UltimateTweaks GO PRO Pack\9 KBM\Mouse Tweaks 2.reg

Filesize
613B

MD5
8a6b240342b179e9e4c025f9e1159d13

SHA1
1a1597aab7dfe31eb1afc6e449ed6a9b5e36c6fe

SHA256
cdd074abd0623b5fb266c9bd92bad301d57d916f626f64c2c815b3e08e7531f1

SHA512
cc52a1fb4ff8a6648830fb204eb9fba9facfed27fd09cdbdbacb7534bd7771eb77637f82afef25bf891fc22e09b4fc865a1bd38e98dcea0ccb2b97f6eca2c0d8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 862484.crdownload

Filesize
1003KB

MD5
8811614b7b47f281c073aab4994a4d98

SHA1
f632162f424c5396d53f5477d642ab8d54f2cd7a

SHA256
ec670174f50de61b39849b4776e385800c55ef7ae1929425f6476d45c90eec4e

SHA512
367c25c7ddbe054159c57f58da4d780a28c5fdf721a597ae514af351b6bbb34b78dcb65d7d29c2dd727b217847f3a194995be37728f4125fcdf3a7f394a6c10f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 969025.crdownload

Filesize
5KB

MD5
ef740387f30475f0784b3f7db05f5ea8

SHA1
ca6caf586bb3582fe30ece0a548087858e4055c5

SHA256
0bb8c19ac576625bdf63488af2e205f7c8f0986d79d8b978f406cea9bc1aa186

SHA512
028fb9553ead0dcae3740cbcfff702e6ba778d97e5402ad8587ff912f68d56a2c7f286593ae517976d43fb54c695344730a153f5c6e1202462f93cb81e555a17

Download Submit
memory/2036-561-0x000002531B1B0000-0x000002531B1CE000-memory.dmp

Filesize
120KB

Download
memory/5648-507-0x0000014AD1EB0000-0x0000014AD1ED2000-memory.dmp

Filesize
136KB

Download