fbcfd7b4afa7156b44736bbd88615edd23a8729ef1fd4a0d5aaa26693357333d

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Process not Found

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
1564	Process not Found
1808	Process not Found
4548	wevtutil.exe
1104	Process not Found
3464	Process not Found
4512	Process not Found
4688	wevtutil.exe
3364	Process not Found
892	Process not Found
3668	wevtutil.exe
3556	wevtutil.exe
4764	Process not Found
4732	Process not Found
3004	Process not Found
3580	Process not Found
2084	wevtutil.exe
3632	wevtutil.exe
4220	wevtutil.exe
488	Process not Found
2716	Process not Found
3800	Process not Found
1324	Process not Found
4536	Process not Found
1152	wevtutil.exe
1480	wevtutil.exe
1712	wevtutil.exe
1240	Process not Found
2352	Process not Found
4712	Process not Found
4804	wevtutil.exe
5044	wevtutil.exe
956	wevtutil.exe
3580	Process not Found
4536	Process not Found
2992	Process not Found
2652	wevtutil.exe
2696	wevtutil.exe
248	Process not Found
892	Process not Found
3412	wevtutil.exe
836	wevtutil.exe
1128	Process not Found
4060	wevtutil.exe
864	wevtutil.exe
1260	wevtutil.exe
3164	wevtutil.exe
4764	wevtutil.exe
2532	wevtutil.exe
908	Process not Found
4560	Process not Found
2636	Process not Found
4956	Process not Found
252	Process not Found
1960	Process not Found
580	Process not Found
3308	Process not Found
2520	Process not Found
2408	Process not Found
4956	Process not Found
3896	Process not Found
2052	wevtutil.exe
3368	Process not Found
2300	Process not Found
388	Process not Found

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortniteClient-Win64-Shipping.exe	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortniteClient-Win64-Shipping.exe\PerfOptions\CpuPriorityClass = "3"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortniteClient-Win64-Shipping.exe\PerfOptions	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Process not Found

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
1952	BhaggoQuickCleanerSetup (1) (1).tmp
3156	peformancebooster.exe

Loads dropped DLL 19 IoCs

pid	Process
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe
3156	peformancebooster.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\lnkfile\NeverShowExt	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\NeverShowExt	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 54 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2264	Process not Found
5424	Process not Found
4568	Process not Found
3368	Process not Found
1588	Process not Found
1508	Process not Found
6072	Process not Found
4024	Process not Found
5908	Process not Found
576	Process not Found
4504	Process not Found
5752	Process not Found
4088	Process not Found
2520	Process not Found
3796	Process not Found
1224	Process not Found
2324	Process not Found
1148	Process not Found
3372	Process not Found
540	Process not Found
4504	Process not Found
2632	Process not Found
4708	Process not Found
3780	Process not Found
540	Process not Found
4864	Process not Found
4776	Process not Found
4088	Process not Found
1768	Process not Found
3508	Process not Found
6000	Process not Found
1252	Process not Found
1256	Process not Found
908	Process not Found
200	Process not Found
1148	Process not Found
3960	Process not Found
5644	Process not Found
5152	Process not Found
5260	Process not Found
3504	Process not Found
3820	Process not Found
5360	Process not Found
3880	Process not Found
1952	Process not Found
1508	Process not Found
5844	Process not Found
5604	Process not Found
400	Process not Found
5872	Process not Found
6108	Process not Found
4164	Process not Found
5636	Process not Found
2072	Process not Found

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

Power Settings

T1653

pid	Process
1912	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	Process not Found
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-HPTM0.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-VS492.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-DF0I1.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-8857U.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\Qt6Gui.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\opengl32sw.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\qgif.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\qwbmp.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-OU5MF.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-JIH2I.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-FM3KR.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-UTLAG.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-1QE54.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-L5O3A.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-5HN8B.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\tls\qopensslbackend.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\unins000.dat	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-TMF3F.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-DL64U.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\tls\is-VCU7C.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-BBOMO.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\Qt6Core.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\Qt6Network.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\qtga.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\networkinformation\qnetworklistmanager.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\platforms\is-CK56U.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\styles\is-I4DOL.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-U6B9H.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-ISOBA.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-M7J9N.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-9HLDK.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-BSTJ7.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-9FEQE.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-DAQVJ.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-PGMER.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-E4UP8.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-L9N9S.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\libstdc++-6.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\libgcc_s_seh-1.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\generic\qtuiotouchplugin.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-4UR6R.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\tls\is-7N7EO.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-NE498.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-6BD9T.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\qicns.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\tls\qcertonlybackend.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\tls\qschannelbackend.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-CODQF.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-87QQ6.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-CRO61.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\is-991G2.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-D55LK.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\unins000.dat	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\bqcicon.ico	Process not Found
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\bqcicon.ico	Process not Found
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-TQT1E.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-P8QKT.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\Qt6Svg.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File opened for modification	C:\Program Files\Bhaggo's Quick Cleaner\styles\qwindowsvistastyle.dll	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-8N3D0.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\imageformats\is-OU048.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\networkinformation\is-6LODL.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-CIG1S.tmp	BhaggoQuickCleanerSetup (1) (1).tmp
File created	C:\Program Files\Bhaggo's Quick Cleaner\translations\is-66SAV.tmp	BhaggoQuickCleanerSetup (1) (1).tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 7 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
4164	Process not Found
5636	Process not Found
5844	Process not Found
3504	Process not Found
2072	Process not Found
5604	Process not Found
3880	Process not Found

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4236	Process not Found
2200	Process not Found
2456	Process not Found
540	Process not Found
4032	Process not Found
1964	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BhaggoQuickCleanerSetup (1) (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BhaggoQuickCleanerSetup (1) (1).tmp

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3244	Process not Found
5832	Process not Found
5360	Process not Found
5688	Process not Found
3368	Process not Found
6072	Process not Found
5708	Process not Found
5820	Process not Found
5744	Process not Found
5880	Process not Found
1524	Process not Found
3632	Process not Found
5752	Process not Found
5796	Process not Found
6048	Process not Found
4756	Process not Found
2264	Process not Found
4024	Process not Found
5424	Process not Found
5908	Process not Found
6000	Process not Found
1140	Process not Found

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3776	Process not Found

Checks SCSI registry key(s) 3 TTPs 61 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	Process not Found

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found

Gathers network information 2 TTPs 64 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
3000	ipconfig.exe
3092	ipconfig.exe
2964	ipconfig.exe
4692	Process not Found
1476	Process not Found
3776	Process not Found
3580	Process not Found
3800	Process not Found
2864	Process not Found
728	ipconfig.exe
4904	Process not Found
280	Process not Found
2384	ipconfig.exe
4616	Process not Found
2352	Process not Found
3456	Process not Found
2500	Process not Found
1140	Process not Found
2812	ipconfig.exe
2836	ipconfig.exe
1540	ipconfig.exe
1948	Process not Found
1476	Process not Found
4488	ipconfig.exe
348	ipconfig.exe
4288	ipconfig.exe
1008	ipconfig.exe
1900	Process not Found
4872	Process not Found
2392	Process not Found
4260	Process not Found
1140	Process not Found
388	Process not Found
1348	ipconfig.exe
1900	ipconfig.exe
4412	ipconfig.exe
4616	Process not Found
4288	Process not Found
4712	ipconfig.exe
4236	Process not Found
908	Process not Found
1976	Process not Found
4704	ipconfig.exe
3280	Process not Found
440	Process not Found
3152	Process not Found
3832	ipconfig.exe
2228	ipconfig.exe
3992	ipconfig.exe
3964	Process not Found
4868	Process not Found
2992	Process not Found
4688	ipconfig.exe
1408	Process not Found
2464	ipconfig.exe
1884	ipconfig.exe
3636	ipconfig.exe
4924	Process not Found
4944	Process not Found
724	ipconfig.exe
792	ipconfig.exe
2268	Process not Found
1912	Process not Found
760	Process not Found

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683828484862122"	chrome.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2870"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8354"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2870"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\NeverShowExt	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1064"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13327"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133670853992658243"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\IE.AssocFile.URL\NeverShowExt	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1064"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\IE.AssocFile.URL	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2870"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHCmdFile\NeverShowExt	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\NeverShowExt	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\NeverShowExt	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\NeverShowExt	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHCmdFile	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4272559161-3282441186-401869126-1000\{7DE6EEE2-A083-44C1-ABC9-A83FCE98AF98}	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1064"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\lnkfile	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.WEBSITE\NeverShowExt	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "13327"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\lnkfile\NeverShowExt	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.WEBSITE	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1097"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8354"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13327"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000300000014000000494c2006030004002c0010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000808080ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffc057ffffffffff00000000000000000000000000000000808080ff808080ff808080ff808080ff808080ff808080ff808080ff808080ff808080ff808080ff808080ffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000ffff0000c0030000c0030000c0030000c0030000c0030000c0030000c0030000c0030000c0030000c0030000c0030000c0030000c0030000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff00000000000000000000000000000000000000000000000001000000080000000400000004000000340000000100000000000000010000000000000001000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1097"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1097"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8354"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0047006e00660078007a00740065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e8070800500043004800200031003000300025000d000a005a0072007a00620065006c0020003700340025000d000a0051007600660078002000310025000d000a004100720067006a00620065007800200030002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000005fd9b448bcf0da0100000000000000000000000047006e006600780020005a006e0061006e00740072006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070800420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000008f222156efe4da0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3156	peformancebooster.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	BhaggoQuickCleanerSetup (1) (1).tmp
1952	BhaggoQuickCleanerSetup (1) (1).tmp
1444	chrome.exe
1444	chrome.exe
4572	Process not Found
4572	Process not Found
4572	Process not Found
4572	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
1952	Process not Found
1952	Process not Found
1952	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4708	Process not Found
4708	Process not Found
4708	Process not Found
4760	Process not Found
576	Process not Found
576	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	peformancebooster.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	440	wevtutil.exe
Token: SeBackupPrivilege	440	wevtutil.exe
Token: SeSecurityPrivilege	4704	wevtutil.exe
Token: SeBackupPrivilege	4704	wevtutil.exe
Token: SeSecurityPrivilege	756	wevtutil.exe
Token: SeBackupPrivilege	756	wevtutil.exe
Token: SeSecurityPrivilege	2212	wevtutil.exe
Token: SeBackupPrivilege	2212	wevtutil.exe
Token: SeSecurityPrivilege	4792	wevtutil.exe
Token: SeBackupPrivilege	4792	wevtutil.exe
Token: SeSecurityPrivilege	3868	wevtutil.exe
Token: SeBackupPrivilege	3868	wevtutil.exe
Token: SeSecurityPrivilege	3244	wevtutil.exe
Token: SeBackupPrivilege	3244	wevtutil.exe
Token: SeSecurityPrivilege	1652	wevtutil.exe
Token: SeBackupPrivilege	1652	wevtutil.exe
Token: SeSecurityPrivilege	1640	wevtutil.exe
Token: SeBackupPrivilege	1640	wevtutil.exe
Token: SeSecurityPrivilege	2760	wevtutil.exe
Token: SeBackupPrivilege	2760	wevtutil.exe
Token: SeSecurityPrivilege	3804	wevtutil.exe
Token: SeBackupPrivilege	3804	wevtutil.exe
Token: SeSecurityPrivilege	2876	wevtutil.exe
Token: SeBackupPrivilege	2876	wevtutil.exe
Token: SeSecurityPrivilege	3428	wevtutil.exe
Token: SeBackupPrivilege	3428	wevtutil.exe
Token: SeSecurityPrivilege	4292	wevtutil.exe
Token: SeBackupPrivilege	4292	wevtutil.exe
Token: SeSecurityPrivilege	3296	wevtutil.exe
Token: SeBackupPrivilege	3296	wevtutil.exe
Token: SeSecurityPrivilege	4408	wevtutil.exe
Token: SeBackupPrivilege	4408	wevtutil.exe
Token: SeSecurityPrivilege	4644	wevtutil.exe
Token: SeBackupPrivilege	4644	wevtutil.exe
Token: SeSecurityPrivilege	2820	wevtutil.exe
Token: SeBackupPrivilege	2820	wevtutil.exe
Token: SeSecurityPrivilege	3832	wevtutil.exe
Token: SeBackupPrivilege	3832	wevtutil.exe
Token: SeSecurityPrivilege	3836	wevtutil.exe
Token: SeBackupPrivilege	3836	wevtutil.exe
Token: SeSecurityPrivilege	4148	wevtutil.exe
Token: SeBackupPrivilege	4148	wevtutil.exe
Token: SeSecurityPrivilege	4544	wevtutil.exe
Token: SeBackupPrivilege	4544	wevtutil.exe
Token: SeSecurityPrivilege	1424	wevtutil.exe
Token: SeBackupPrivilege	1424	wevtutil.exe
Token: SeSecurityPrivilege	3380	wevtutil.exe
Token: SeBackupPrivilege	3380	wevtutil.exe
Token: SeSecurityPrivilege	3412	wevtutil.exe
Token: SeBackupPrivilege	3412	wevtutil.exe
Token: SeSecurityPrivilege	2388	wevtutil.exe
Token: SeBackupPrivilege	2388	wevtutil.exe
Token: SeSecurityPrivilege	1972	wevtutil.exe
Token: SeBackupPrivilege	1972	wevtutil.exe
Token: SeSecurityPrivilege	2816	wevtutil.exe
Token: SeBackupPrivilege	2816	wevtutil.exe
Token: SeSecurityPrivilege	2084	wevtutil.exe
Token: SeBackupPrivilege	2084	wevtutil.exe
Token: SeSecurityPrivilege	3152	wevtutil.exe
Token: SeBackupPrivilege	3152	wevtutil.exe
Token: SeSecurityPrivilege	2916	wevtutil.exe
Token: SeBackupPrivilege	2916	wevtutil.exe
Token: SeSecurityPrivilege	1848	wevtutil.exe
Token: SeBackupPrivilege	1848	wevtutil.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1952	BhaggoQuickCleanerSetup (1) (1).tmp
3156	peformancebooster.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found
4760	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4072	Process not Found
4868	Process not Found
4972	Process not Found
4660	Process not Found
4868	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 1952	3756	BhaggoQuickCleanerSetup (1) (1).exe	81
PID 3756 wrote to memory of 1952	3756	BhaggoQuickCleanerSetup (1) (1).exe	81
PID 3756 wrote to memory of 1952	3756	BhaggoQuickCleanerSetup (1) (1).exe	81
PID 1952 wrote to memory of 3156	1952	BhaggoQuickCleanerSetup (1) (1).tmp	84
PID 1952 wrote to memory of 3156	1952	BhaggoQuickCleanerSetup (1) (1).tmp	84
PID 3156 wrote to memory of 2576	3156	peformancebooster.exe	85
PID 3156 wrote to memory of 2576	3156	peformancebooster.exe	85
PID 2576 wrote to memory of 5032	2576	cmd.exe	87
PID 2576 wrote to memory of 5032	2576	cmd.exe	87
PID 2576 wrote to memory of 2636	2576	cmd.exe	88
PID 2576 wrote to memory of 2636	2576	cmd.exe	88
PID 2636 wrote to memory of 4800	2636	cmd.exe	89
PID 2636 wrote to memory of 4800	2636	cmd.exe	89
PID 2576 wrote to memory of 2320	2576	cmd.exe	90
PID 2576 wrote to memory of 2320	2576	cmd.exe	90
PID 2320 wrote to memory of 440	2320	cmd.exe	91
PID 2320 wrote to memory of 440	2320	cmd.exe	91
PID 2576 wrote to memory of 4704	2576	cmd.exe	92
PID 2576 wrote to memory of 4704	2576	cmd.exe	92
PID 2576 wrote to memory of 3284	2576	cmd.exe	93
PID 2576 wrote to memory of 3284	2576	cmd.exe	93
PID 2576 wrote to memory of 756	2576	cmd.exe	94
PID 2576 wrote to memory of 756	2576	cmd.exe	94
PID 2576 wrote to memory of 1124	2576	cmd.exe	95
PID 2576 wrote to memory of 1124	2576	cmd.exe	95
PID 2576 wrote to memory of 2212	2576	cmd.exe	96
PID 2576 wrote to memory of 2212	2576	cmd.exe	96
PID 2576 wrote to memory of 3992	2576	cmd.exe	97
PID 2576 wrote to memory of 3992	2576	cmd.exe	97
PID 2576 wrote to memory of 4792	2576	cmd.exe	98
PID 2576 wrote to memory of 4792	2576	cmd.exe	98
PID 2576 wrote to memory of 4712	2576	cmd.exe	99
PID 2576 wrote to memory of 4712	2576	cmd.exe	99
PID 2576 wrote to memory of 3868	2576	cmd.exe	100
PID 2576 wrote to memory of 3868	2576	cmd.exe	100
PID 2576 wrote to memory of 1504	2576	cmd.exe	101
PID 2576 wrote to memory of 1504	2576	cmd.exe	101
PID 2576 wrote to memory of 3244	2576	cmd.exe	102
PID 2576 wrote to memory of 3244	2576	cmd.exe	102
PID 2576 wrote to memory of 1444	2576	cmd.exe	103
PID 2576 wrote to memory of 1444	2576	cmd.exe	103
PID 2576 wrote to memory of 1652	2576	cmd.exe	104
PID 2576 wrote to memory of 1652	2576	cmd.exe	104
PID 2576 wrote to memory of 2996	2576	cmd.exe	105
PID 2576 wrote to memory of 2996	2576	cmd.exe	105
PID 2576 wrote to memory of 1640	2576	cmd.exe	106
PID 2576 wrote to memory of 1640	2576	cmd.exe	106
PID 2576 wrote to memory of 3576	2576	cmd.exe	107
PID 2576 wrote to memory of 3576	2576	cmd.exe	107
PID 2576 wrote to memory of 2760	2576	cmd.exe	108
PID 2576 wrote to memory of 2760	2576	cmd.exe	108
PID 2576 wrote to memory of 1708	2576	cmd.exe	109
PID 2576 wrote to memory of 1708	2576	cmd.exe	109
PID 2576 wrote to memory of 3804	2576	cmd.exe	110
PID 2576 wrote to memory of 3804	2576	cmd.exe	110
PID 2576 wrote to memory of 4936	2576	cmd.exe	111
PID 2576 wrote to memory of 4936	2576	cmd.exe	111
PID 2576 wrote to memory of 2876	2576	cmd.exe	112
PID 2576 wrote to memory of 2876	2576	cmd.exe	112
PID 2576 wrote to memory of 2356	2576	cmd.exe	113
PID 2576 wrote to memory of 2356	2576	cmd.exe	113
PID 2576 wrote to memory of 3428	2576	cmd.exe	114
PID 2576 wrote to memory of 3428	2576	cmd.exe	114
PID 2576 wrote to memory of 3376	2576	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BhaggoQuickCleanerSetup (1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\BhaggoQuickCleanerSetup (1) (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\is-4RAL7.tmp\BhaggoQuickCleanerSetup (1) (1).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4RAL7.tmp\BhaggoQuickCleanerSetup (1) (1).tmp" /SL5="$7024A,20043923,1187328,C:\Users\Admin\AppData\Local\Temp\BhaggoQuickCleanerSetup (1) (1).exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Program Files\Bhaggo's Quick Cleaner\peformancebooster.exe
    "C:\Program Files\Bhaggo's Quick Cleaner\peformancebooster.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C C:/Users/Admin/AppData/Local/Temp/peformancebooster-bkyRUC/ClearCacheButton.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:5032
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit
        6⤵
        
        PID:4800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AMSI/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AirSpaceChannel"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1444
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "FirstUXPerf-Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4936
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "General Logging"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3376
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "IHM_DebugChannel"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4592
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4188
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:3000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4844
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationFrameServer"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProc"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProcD3D"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationAsyncWrapper"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4280
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationContentProtection"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3456
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDS"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2848
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMP4"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMediaEngine"
        5⤵
        Clears Windows event logs
        
        PID:1152
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        5⤵
        
        PID:2888
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformanceCore"
        5⤵
        
        PID:2504
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        5⤵
        
        PID:688
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationSrcPrefetch"
        5⤵
        
        PID:3088
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
        5⤵
        Clears Windows event logs
        
        PID:4804
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Admin"
        5⤵
        
        PID:4016
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Debug"
        5⤵
        
        PID:4864
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Operational"
        5⤵
        
        PID:240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
        5⤵
        
        PID:3668
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
        5⤵
        
        PID:2228
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1140
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
        5⤵
        
        PID:2036
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
        5⤵
        
        PID:4840
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
        5⤵
        
        PID:1976
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        5⤵
        
        PID:2976
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:704
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        5⤵
        
        PID:3912
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        
        PID:3484
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
        5⤵
        
        PID:1900
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        
        PID:3756
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-System-Diagnostics-DiagnosticInvoker/Operational"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
        5⤵
        
        PID:3280
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1704
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
        5⤵
        
        PID:4896
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
        5⤵
        
        PID:3056
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
        5⤵
        
        PID:796
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
        5⤵
        
        PID:4856
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
        5⤵
        
        PID:2772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
        5⤵
        
        PID:644
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
        5⤵
        
        PID:3160
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
        5⤵
        
        PID:1008
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:784
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
        5⤵
        
        PID:2964
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        5⤵
        
        PID:4732
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
        5⤵
        
        PID:728
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        5⤵
        
        PID:3244
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1444
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        
        PID:884
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
        5⤵
        
        PID:2384
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
        5⤵
        
        PID:4572
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
        5⤵
        
        PID:2876
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
        5⤵
        
        PID:3428
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
        5⤵
        
        PID:1096
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
        5⤵
        
        PID:3760
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
        5⤵
        
        PID:1440
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        5⤵
        
        PID:2076
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        
        PID:864
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:3832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        5⤵
        
        PID:1228
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
        5⤵
        
        PID:8
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
        5⤵
        
        PID:836
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2552
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
        5⤵
        
        PID:676
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
        5⤵
        
        PID:3380
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
        5⤵
        
        PID:2816
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4280
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
        5⤵
        Clears Windows event logs
        
        PID:2084
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3456
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
        5⤵
        
        PID:3152
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
        5⤵
        
        PID:2916
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
        5⤵
        
        PID:2828
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
        5⤵
        
        PID:3332
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppSruProv"
        5⤵
        
        PID:3236
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
        5⤵
        
        PID:4136
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
        5⤵
        
        PID:2796
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
        5⤵
        
        PID:1592
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3360
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
        5⤵
        
        PID:4452
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:4060
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        5⤵
        
        PID:3260
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        5⤵
        
        PID:3068
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
        5⤵
        
        PID:4788
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        5⤵
        
        PID:792
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:1416
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
        5⤵
        
        PID:2884
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        5⤵
        
        PID:3596
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        5⤵
        Clears Windows event logs
        
        PID:3632
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
        5⤵
        
        PID:1904
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
        5⤵
        
        PID:2200
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
        5⤵
        
        PID:4236
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
        5⤵
        
        PID:652
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
        5⤵
        
        PID:564
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
        5⤵
        
        PID:580
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4856
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
        5⤵
        
        PID:3744
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
        5⤵
        
        PID:2512
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
        5⤵
        
        PID:4800
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3780
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
        5⤵
        
        PID:4884
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
        5⤵
        
        PID:2220
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3436
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
        5⤵
        
        PID:3148
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
        5⤵
        
        PID:3772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
        5⤵
        
        PID:624
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
        5⤵
        
        PID:1504
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
        5⤵
        
        PID:1444
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
        5⤵
        
        PID:2996
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
        5⤵
        
        PID:3372
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
        5⤵
        
        PID:2716
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3760
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
        5⤵
        
        PID:3164
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
        5⤵
        
        PID:8
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
        5⤵
        
        PID:836
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
        5⤵
        
        PID:1424
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
        5⤵
        
        PID:4532
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
        5⤵
        
        PID:4412
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2500
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Backup"
        5⤵
        
        PID:4904
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
        5⤵
        
        PID:4764
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
        5⤵
        
        PID:2800
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
        5⤵
        
        PID:3008
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
        5⤵
        
        PID:3340
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        5⤵
        
        PID:544
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        5⤵
        
        PID:4964
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
        5⤵
        
        PID:4736
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
        5⤵
        
        PID:2696
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4804
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
        5⤵
        
        PID:3268
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
        5⤵
        
        PID:3948
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4864
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
        5⤵
        
        PID:1588
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
        5⤵
        
        PID:3260
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        5⤵
        
        PID:1140
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
        5⤵
        
        PID:2268
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4788
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        5⤵
        
        PID:3416
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        5⤵
        
        PID:4256
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
        5⤵
        
        PID:4076
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
        5⤵
        
        PID:5028
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
        5⤵
        
        PID:2532
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
        5⤵
        
        PID:4056
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
        5⤵
        
        PID:2352
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
        5⤵
        
        PID:652
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Call"
        5⤵
        
        PID:4896
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
        5⤵
        
        PID:1880
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2788
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
        5⤵
        
        PID:796
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
        5⤵
        
        PID:4220
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
        5⤵
        
        PID:2772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
        5⤵
        
        PID:3468
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4444
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
        5⤵
        
        PID:4800
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3780
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
        5⤵
        
        PID:440
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
        5⤵
        
        PID:756
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        5⤵
        
        PID:2212
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
        5⤵
        
        PID:4792
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
        5⤵
        
        PID:1504
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        5⤵
        
        PID:1444
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
        5⤵
        
        PID:3576
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
        5⤵
        
        PID:1708
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
        5⤵
        
        PID:3804
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
        5⤵
        Clears Windows event logs
        
        PID:864
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
        5⤵
        
        PID:2804
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4188
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3552
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
        5⤵
        
        PID:2988
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
        5⤵
        
        PID:832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
        5⤵
        Clears Windows event logs
        
        PID:2652
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
        5⤵
        
        PID:1996
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
        5⤵
        
        PID:3240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2500
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
        5⤵
        
        PID:4280
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
        5⤵
        Clears Windows event logs
        
        PID:1260
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
        5⤵
        
        PID:5104
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2848
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
        5⤵
        
        PID:1848
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
        5⤵
        
        PID:1152
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
        5⤵
        
        PID:1772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
        5⤵
        
        PID:2888
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        5⤵
        
        PID:3236
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        5⤵
        
        PID:724
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
        5⤵
        
        PID:2796
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
        5⤵
        
        PID:2044
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1592
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
        5⤵
        
        PID:4244
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3268
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
        5⤵
        
        PID:4260
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
        5⤵
        
        PID:1964
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
        5⤵
        
        PID:1176
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3668
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
        5⤵
        
        PID:5044
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
        5⤵
        
        PID:1140
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2376
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4788
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
        5⤵
        
        PID:2080
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
        5⤵
        
        PID:4256
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
        5⤵
        
        PID:4076
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
        5⤵
        
        PID:1412
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
        5⤵
        
        PID:3756
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
        5⤵
        
        PID:1704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
        5⤵
        
        PID:3692
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
        5⤵
        
        PID:4108
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
        5⤵
        
        PID:564
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
        5⤵
        
        PID:4516
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
        5⤵
        
        PID:4220
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
        5⤵
        
        PID:2772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
        5⤵
        
        PID:3468
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
        5⤵
        
        PID:2320
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
        5⤵
        
        PID:908
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
        5⤵
        
        PID:3436
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:784
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
        5⤵
        
        PID:4704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
        5⤵
        
        PID:1212
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
        5⤵
        
        PID:1248
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
        5⤵
        
        PID:1444
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
        5⤵
        
        PID:3980
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
        5⤵
        
        PID:3804
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
        5⤵
        
        PID:3836
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
        5⤵
        
        PID:8
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4820
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
        5⤵
        
        PID:3000
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
        5⤵
        
        PID:832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
        5⤵
        
        PID:4796
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
        5⤵
        
        PID:3648
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
        5⤵
        
        PID:4828
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        5⤵
        Clears Windows event logs
        
        PID:1480
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot"
        5⤵
        
        PID:2412
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
        5⤵
        Clears Windows event logs
        
        PID:1712
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
        5⤵
        
        PID:2476
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
        5⤵
        
        PID:724
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
        5⤵
        
        PID:436
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
        5⤵
        
        PID:2044
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1592
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
        5⤵
        
        PID:2300
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3268
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
        5⤵
        
        PID:4260
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
        5⤵
        
        PID:4864
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
        5⤵
        
        PID:1176
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
        5⤵
        
        PID:3668
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
        5⤵
        
        PID:5044
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
        5⤵
        
        PID:1140
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1976
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
        5⤵
        
        PID:4460
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
        5⤵
        
        PID:704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
        5⤵
        
        PID:2884
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
        5⤵
        
        PID:1048
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
        5⤵
        
        PID:1952
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
        5⤵
        
        PID:2968
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
        5⤵
        
        PID:1704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
        5⤵
        
        PID:3692
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
        5⤵
        
        PID:3560
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
        5⤵
        
        PID:564
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
        5⤵
        
        PID:580
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        5⤵
        
        PID:3744
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
        5⤵
        
        PID:2772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4444
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        5⤵
        
        PID:3468
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
        5⤵
        
        PID:4884
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
        5⤵
        
        PID:908
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        5⤵
        Clears Windows event logs
        
        PID:2052
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        5⤵
        
        PID:3772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
        5⤵
        
        PID:1248
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
        5⤵
        
        PID:2760
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        5⤵
        
        PID:1372
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        5⤵
        
        PID:2164
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        5⤵
        
        PID:2588
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
        5⤵
        
        PID:3836
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4188
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
        5⤵
        
        PID:2464
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:836
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
        5⤵
        
        PID:3472
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
        5⤵
        
        PID:4424
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
        5⤵
        
        PID:4796
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
        5⤵
        
        PID:3648
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
        5⤵
        
        PID:3240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
        5⤵
        
        PID:420
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
        5⤵
        
        PID:3172
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        5⤵
        
        PID:224
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1516
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
        5⤵
        
        PID:2044
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1592
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
        5⤵
        
        PID:4016
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3268
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
        5⤵
        
        PID:240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        5⤵
        
        PID:760
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        5⤵
        
        PID:1176
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
        5⤵
        
        PID:3668
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
        5⤵
        Clears Windows event logs
        
        PID:5044
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
        5⤵
        
        PID:2268
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
        5⤵
        
        PID:2376
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
        5⤵
        
        PID:3344
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
        5⤵
        
        PID:924
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
        5⤵
        
        PID:3596
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4076
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        5⤵
        
        PID:2664
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
        5⤵
        
        PID:3964
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
        5⤵
        
        PID:1704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
        5⤵
        
        PID:4108
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
        5⤵
        
        PID:564
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
        5⤵
        
        PID:4856
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
        5⤵
        
        PID:4220
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
        5⤵
        
        PID:460
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
        5⤵
        
        PID:2220
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
        5⤵
        
        PID:3148
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
        5⤵
        
        PID:4704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
        5⤵
        
        PID:3992
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
        5⤵
        
        PID:728
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
        5⤵
        
        PID:1240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
        5⤵
        
        PID:4760
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
        5⤵
        
        PID:2076
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3760
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3164
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
        5⤵
        
        PID:3832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
        5⤵
        
        PID:2272
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
        5⤵
        
        PID:4544
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
        5⤵
        
        PID:2956
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
        5⤵
        
        PID:1424
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2516
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorClass/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3556
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
        5⤵
        
        PID:4880
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
        5⤵
        
        PID:3016
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
        5⤵
        
        PID:2116
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
        5⤵
        
        PID:1860
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
        5⤵
        
        PID:4732
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
        5⤵
        
        PID:3848
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
        5⤵
        
        PID:1480
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
        5⤵
        Clears Windows event logs
        
        PID:4688
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
        5⤵
        
        PID:544
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        5⤵
        
        PID:2084
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        5⤵
        
        PID:4860
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
        5⤵
        
        PID:4452
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
        5⤵
        
        PID:4016
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
        5⤵
        
        PID:1964
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
        5⤵
        
        PID:4124
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
        5⤵
        
        PID:3260
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
        5⤵
        
        PID:4036
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
        5⤵
        
        PID:3844
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1140
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
        5⤵
        
        PID:2036
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4772
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
        5⤵
        
        PID:1416
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
        5⤵
        
        PID:1900
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4076
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
        5⤵
        
        PID:2664
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3280
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
        5⤵
        
        PID:4236
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
        5⤵
        
        PID:1704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
        5⤵
        
        PID:488
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
        5⤵
        
        PID:1880
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
        5⤵
        
        PID:564
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
        5⤵
        
        PID:956
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
        5⤵
        
        PID:1948
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
        5⤵
        
        PID:2320
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2220
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
        5⤵
        
        PID:756
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
        5⤵
        
        PID:4792
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:3992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Help/Operational"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1248
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        5⤵
        
        PID:2464
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3456
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
        5⤵
        
        PID:4764
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
        5⤵
        
        PID:4688
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
        5⤵
        
        PID:3924
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
        5⤵
        
        PID:704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
        5⤵
        
        PID:1416
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
        5⤵
        
        PID:5028
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
        5⤵
        
        PID:1904
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1856
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
        5⤵
        
        PID:2352
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
        5⤵
        
        PID:4112
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1704
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
        5⤵
        
        PID:3036
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:492
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
        5⤵
        
        PID:4108
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-KMCL-Child/Analytic"
        5⤵
        
        PID:4516
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
        5⤵
        
        PID:4020
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4220
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
        5⤵
        
        PID:2636
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
        5⤵
        
        PID:4444
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3780
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
        5⤵
        
        PID:3160
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
        5⤵
        
        PID:440
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
        5⤵
        
        PID:3436
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
        5⤵
        
        PID:3772
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
        5⤵
        
        PID:4048
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1240
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
        5⤵
        
        PID:4760
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
        5⤵
        
        PID:3832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:3636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
        5⤵
        
        PID:4732
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:4764
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
        5⤵
        
        PID:5116
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
        5⤵
        
        PID:792
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
        5⤵
        
        PID:1900
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
        5⤵
        
        PID:4076
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
        5⤵
        
        PID:2968
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
        5⤵
        
        PID:3568
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        5⤵
        
        PID:252
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
        5⤵
        
        PID:1704
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
        5⤵
        
        PID:492
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
        5⤵
        
        PID:564
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
        5⤵
        
        PID:580
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
        5⤵
        
        PID:4444
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
        5⤵
        
        PID:460
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        5⤵
        
        PID:784
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2212
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
        5⤵
        
        PID:3436
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4704
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
        5⤵
        
        PID:1240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4760
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
        5⤵
        
        PID:3608
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4820
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
        5⤵
        
        PID:3456
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        5⤵
        
        PID:4280
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
        5⤵
        
        PID:724
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
        5⤵
        
        PID:4256
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:2696
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
        5⤵
        
        PID:3344
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2976
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
        5⤵
        
        PID:3052
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:2532
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-CPU-Starvation/Operational"
        5⤵
        
        PID:3964
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Cache/Operational"
        5⤵
        
        PID:3412
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
        5⤵
        
        PID:4896
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Dump/Operational"
        5⤵
        
        PID:4488
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2788
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
        5⤵
        
        PID:1040
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4516
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:956
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:4220
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
        5⤵
        
        PID:3768
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
        5⤵
        
        PID:1044
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
        5⤵
        
        PID:756
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
        5⤵
        
        PID:3436
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
        5⤵
        
        PID:3992
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PRM/Operational"
        5⤵
        
        PID:1240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
        5⤵
        
        PID:4532
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
        5⤵
        
        PID:2500
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
        5⤵
        
        PID:4280
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
        5⤵
        
        PID:724
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
        5⤵
        
        PID:792
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:4548
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Management"
        5⤵
        
        PID:1064
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
        5⤵
        
        PID:2884
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
        5⤵
        
        PID:5028
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
        5⤵
        
        PID:2532
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        5⤵
        
        PID:4236
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        5⤵
        
        PID:4896
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
        5⤵
        
        PID:3036
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:492
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        5⤵
        
        PID:2764
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
        5⤵
        
        PID:2512
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
        5⤵
        
        PID:4220
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
        5⤵
        
        PID:3780
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
        5⤵
        
        PID:784
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        5⤵
        
        PID:4740
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:4704
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
        5⤵
        
        PID:1364
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
        5⤵
        
        PID:4792
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
        5⤵
        
        PID:2520
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
        5⤵
        
        PID:1240
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:2552
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
        5⤵
        
        PID:4732
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
        5⤵
        
        PID:4764
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
        5⤵
        
        PID:1592
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        
        PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82c8ecc40,0x7ff82c8ecc4c,0x7ff82c8ecc58
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4968,i,1314050242489792631,4311210783782266214,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:2084

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery