Malware Analysis Report

2024-12-07 14:56

Sample ID 241003-wfeb3syckn
Target VTRL_2.2.4_x64_en-US.msi.zip
SHA256 af4d66782380f13455512dd37efb31f2d14ac7093a5a079794e5b9a07bd556b2
Tags
discovery execution persistence privilege_escalation upx defense_evasion evasion exploit ransomware trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

af4d66782380f13455512dd37efb31f2d14ac7093a5a079794e5b9a07bd556b2

Threat Level: Likely malicious

The file VTRL_2.2.4_x64_en-US.msi.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery execution persistence privilege_escalation upx defense_evasion evasion exploit ransomware trojan

Clears Windows event logs

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Modifies file permissions

Enumerates connected drives

Event Triggered Execution: Image File Execution Options Injection

Indicator Removal: File Deletion

Downloads MZ/PE file

Network Share Discovery

Power Settings

Checks computer location settings

UPX packed file

Event Triggered Execution: Component Object Model Hijacking

Drops file in System32 directory

Enumerates processes with tasklist

Drops file in Windows directory

Hide Artifacts: Ignore Process Interrupts

Checks system information in the registry

Checks installed software on the system

Drops file in Program Files directory

Loads dropped DLL

Executes dropped EXE

Launches sc.exe

System Network Configuration Discovery: Internet Connection Discovery

System Time Discovery

Checks whether UAC is enabled

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of SetWindowsHookEx

Runs .reg file with regedit

System policy modification

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 17:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 17:51

Reported

2024-10-03 17:52

Platform

win7-20240903-en

Max time kernel

39s

Max time network

25s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VTRL_2.2.4_x64_en-US.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VTRL\VTRL.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\VTRL\Uninstall VTRL.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\VTRL\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76c65b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76c65b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c65c.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICFAE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c65e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c65c.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\ProductName = "VTRL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\PackageCode = "4E2D29992B48F664096C3A96513AEF2F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Version = "33685508" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\DefaultIcon\ = "C:\\Program Files\\VTRL\\VTRL,1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\ShortcutsFeature = "MainProgram" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DDBBFE4C2AD1A8154BE26EB564261509 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\vtrl C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\Environment = "MainProgram" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\ProductIcon = "C:\\Windows\\Installer\\{B61E3611-DC41-415B-8398-57120CD83649}\\ProductIcon" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\vtrl\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\vtrl\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\PackageName = "VTRL_2.2.4_x64_en-US.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DDBBFE4C2AD1A8154BE26EB564261509 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command\ = "\"C:\\Program Files\\VTRL\\VTRL\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\External C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DDBBFE4C2AD1A8154BE26EB564261509\1163E16B14CDB51438897521C08D6394 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\ = "URL:VTRL Protocol" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\MainProgram C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VTRL_2.2.4_x64_en-US.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C78E3824154EDB813A961BCF51BAC9A3 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004CC" "00000000000003DC"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\MSI9231.tmp

MD5 cfbb8568bd3711a97e6124c56fcfa8d9
SHA1 d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
SHA256 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
SHA512 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

memory/2840-18-0x000000013FF60000-0x000000013FF70000-memory.dmp

\Program Files\VTRL\VTRL.exe

MD5 8854573a5ad9f69248491b860a8473a7
SHA1 2112784e8b035413cdbf5b19afcfca90c9da47fb
SHA256 9aae8bfe7cb32e9c247feb67d97d3611c7c377dff7b6c42a779a0fae1bbf11b6
SHA512 21d20ef8bb0884dd0c9f1b9340c331ecd3a9f4127af55444a6fcbd2a49f91c6efdc730824e5529b80c1e9469a172ac140da411fa07268c295d0535921a66df61

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk

MD5 f0bb30fb0e5ea256f7f34572323ab760
SHA1 34aff58515bb5270e7861f793591551be0a55e7d
SHA256 e340b9d879ecebb1bf9fe08ec339ad55dedd14eaf73154307532fb319774275b
SHA512 f4f44fdd870dad8c999d1d78c44e0549f5060f168cb61b34df4f7a90d2b2b6e6a81e25783cec248208e31c9f472af8d238727adaad4c052ba184be18e71822f9

memory/2840-32-0x000000013F590000-0x000000013F5A0000-memory.dmp

memory/3044-41-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

memory/3044-42-0x0000000002910000-0x0000000002918000-memory.dmp

C:\Windows\Installer\f76c65b.msi

MD5 7853374c6d4f75c1279214f4b843de50
SHA1 3a70bad9f2e54f67d03a9e818cae104f96b91fd6
SHA256 a1b403271c4f1a39c70279f3d73583c508c7211e7606521850b4c27946d5fd7a
SHA512 be2a6ec34dbe59fa5720b0a896793330628e9d7bc32d0aab58b7e9ee1d5a196de22407eb7c6422792f24a7a65f3d365b74ede30c613330d180270c3604ac5fba

memory/2840-65-0x000000013FF60000-0x000000013FF70000-memory.dmp

memory/2840-66-0x000000013F590000-0x000000013F5A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 17:51

Reported

2024-10-03 17:56

Platform

win10v2004-20240802-en

Max time kernel

309s

Max time network

310s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VTRL_2.2.4_x64_en-US.msi

Signatures

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Program Files\VTRL\VTRL.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: N/A N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "C:\\Windows\\System32\\taskkill.exe" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "C:\\Windows\\System32\\taskkill.exe" N/A N/A

Indicator Removal: File Deletion

defense_evasion

Network Share Discovery

discovery

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\sru\SRUDB.dat C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Trust Protection Lists\Sigma\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\Locales\fi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\Locales\ru.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping2572_991686904\protocols.json C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\psmachine_64.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\tt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\fi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\lt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\BHO\ie_to_edge_bho.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files\VTRL\VTRL.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ca.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\el.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\hr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\lv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Trust Protection Lists\Mu\CompatExceptions C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Installer\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Trust Protection Lists\Sigma\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lt.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\az.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\identity_proxy\win11\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Trust Protection Lists\Mu\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\mi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\onnxruntime.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Trust Protection Lists\Mu\Analytics C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Trust Protection Lists\Sigma\Social C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ne.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\notification_helper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\identity_proxy\win11\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_af.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\th.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\identity_proxy\win11\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\VisualElements\Logo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\nb.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\identity_proxy\win11\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_pt-PT.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fr-CA.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\sv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\Trust Protection Lists\Mu\CompatExceptions C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\oneds.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\VisualElements\SmallLogoCanary.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\cy.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\Locales\cs.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\Locales\sq.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_tt.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\msedge.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\PdfPreview\PdfPreviewHandler.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\libGLESv2.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\lo.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\mr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\ru.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Trust Protection Lists\Mu\CompatExceptions C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\VisualElements\LogoCanary.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\VisualElements\SmallLogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_bs.dll C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\zh-TW.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\Locales\en-GB.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\Locales\lv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\ug.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\oneauth.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Locales\lt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\129.0.2792.65.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57dc56.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDD02.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
File created C:\Windows\Installer\e57dc56.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57dc58.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File created C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\565865F6-FAE4-418A-9C06-79CA4AE06FEF\dismhost.exe N/A
File created C:\Windows\Installer\SourceHash{B61E3611-DC41-415B-8398-57120CD83649} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\565865F6-FAE4-418A-9C06-79CA4AE06FEF\dismhost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\VTRL\VTRL.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103" N/A N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724516163672074" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\ = "Google Update Policy Status Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\vtrl\DefaultIcon\ = "C:\\Program Files\\VTRL\\VTRL.exe,0" C:\Program Files\VTRL\VTRL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\ = "Google Update Policy Status Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ = "Microsoft Edge Update Update3Web" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F} C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\vtrl\DefaultIcon\ = "C:\\Program Files\\VTRL\\VTRL.exe,0" N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ = "Google Update Policy Status Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0B4C1840-3931-4AA5-A64F-95339D05E614} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VersionIndependentProgID C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LOCALSERVER32 C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0B4C1840-3931-4AA5-A64F-95339D05E614} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\PROGID C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VTRL\VTRL.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 3972 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 3972 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 3972 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 4072 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1916 wrote to memory of 4072 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1916 wrote to memory of 3624 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3624 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 1372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
PID 3624 wrote to memory of 1372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
PID 3624 wrote to memory of 1372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
PID 1372 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe
PID 1372 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe
PID 1372 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 452 wrote to memory of 4376 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
PID 452 wrote to memory of 4376 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
PID 452 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
PID 452 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
PID 452 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
PID 452 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
PID 3612 wrote to memory of 4884 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 4884 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 4884 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 3112 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 3112 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3612 wrote to memory of 3112 N/A C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3088 wrote to memory of 1348 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3088 wrote to memory of 1348 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3088 wrote to memory of 1348 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
PID 3088 wrote to memory of 2916 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe
PID 3088 wrote to memory of 2916 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe
PID 2916 wrote to memory of 3320 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe
PID 2916 wrote to memory of 3320 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe
PID 3320 wrote to memory of 836 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe
PID 3320 wrote to memory of 836 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe
PID 3572 wrote to memory of 2572 N/A C:\Program Files\VTRL\VTRL.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 3572 wrote to memory of 2572 N/A C:\Program Files\VTRL\VTRL.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
PID 2572 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection N/A N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VTRL_2.2.4_x64_en-US.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E838180BC1802311D6BAC087AC806021 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjRENkJCNjEtNDEyRC00RDI5LUFFQzMtQTU5MjYwRjlDNDlCfSIgdXNlcmlkPSJ7NkRDNzNFRTYtQTU3Qy00MUMzLTk4RDUtMkEwOEZBNTQ4QTk3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0MjA1NzIxMS1GNDU0LTQ4OTQtQkUxNy0yODg5NzExRkU4MzV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS4xNSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMDAwMjYxNjEiIGluc3RhbGxfdGltZV9tcz0iNDU0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{F4D6BB61-412D-4D29-AEC3-A59260F9C49B}" /silent

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjRENkJCNjEtNDEyRC00RDI5LUFFQzMtQTU5MjYwRjlDNDlCfSIgdXNlcmlkPSJ7NkRDNzNFRTYtQTU3Qy00MUMzLTk4RDUtMkEwOEZBNTQ4QTk3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkY1RDk3NDYtMkIyQy00ODkyLUI1M0YtMjk1NDU0OTc1QzEyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2MiIgaW5zdGFsbGRhdGV0aW1lPSIxNzIyNjAyNzE0IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjcwNzUyNzMwMDQwNjUxIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAwNTk2Mzc5NCIvPjwvYXBwPjwvcmVxdWVzdD4

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=129.0.6668.71 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=129.0.2792.65 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7c61276f0,0x7ff7c61276fc,0x7ff7c6127708

C:\Program Files\VTRL\VTRL.exe

"C:\Program Files\VTRL\VTRL.exe"

C:\Program Files\VTRL\VTRL.exe

"C:\Program Files\VTRL\VTRL.exe"

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=3572.1812.4745332957774390525

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=129.0.6668.71 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=129.0.2792.65 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffd723c8ee0,0x7ffd723c8eec,0x7ffd723c8ef8

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1816,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1812 /prefetch:2

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1988,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2036 /prefetch:3

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2304,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:8

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3356,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmp6EQzBI\L0DqpV5EvG.bat

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpzUQfgI\4eIvNyqXun.bat

C:\Windows\system32\reg.exe

reg add HKLM /F

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Restore-Computer -Drive 'C:\' -Confirm:$false

C:\Windows\system32\Dism.exe

dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart

C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe {A38E4CF1-3B26-4450-81C3-85D9BF37645B}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'VTRL RESTORE POINT'

C:\Windows\system32\sc.exe

sc start winmgmt

C:\Windows\system32\sc.exe

sc config winmgmt start=auto

C:\Windows\system32\sc.exe

sc start wmi

C:\Windows\system32\Dism.exe

DISM /Online /Add-Capability /CapabilityName:WMIC*

C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe {0CEFDC22-09D3-4281-8D6C-B2A9BA8D3862}

C:\Windows\system32\Dism.exe

DISM /Online /Add-Capability /CapabilityName:WMIC~~~~ΓÇï

C:\Users\Admin\AppData\Local\Temp\565865F6-FAE4-418A-9C06-79CA4AE06FEF\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\565865F6-FAE4-418A-9C06-79CA4AE06FEF\dismhost.exe {818042F0-E9F5-4CEE-B303-8F3E37FEE7CE}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -NoProfile -Command " try { $pcSystemType = (Get-CimInstance -Class Win32_ComputerSystem).PCSystemType if ($pcSystemType -in 1,3) { \"Desktop\" } elseif ($pcSystemType -eq 2) { \"Laptop\" } else { \"Unknown\" # Handle other PCSystemType values as Unknown } } catch { \"Unknown\" # Catch any errors and return Unknown } "

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpGXudH3\wKiQq4y6DZ.bat

C:\Windows\system32\reg.exe

Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpXBF7I8\gMgu0yNcU5.bat

C:\Windows\system32\reg.exe

Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /f

C:\Windows\system32\reg.exe

Reg delete "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /f

C:\Windows\system32\reg.exe

Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /f

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjRENkJCNjEtNDEyRC00RDI5LUFFQzMtQTU5MjYwRjlDNDlCfSIgdXNlcmlkPSJ7NkRDNzNFRTYtQTU3Qy00MUMzLTk4RDUtMkEwOEZBNTQ4QTk3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins3OTEwNDQ5NS1CNjdGLTQ3OTMtOUI1Qi0wNTYwN0NDMTg0QjV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7L3IyNTJwKzZiWjRvaVRGczVZMXd0K3hzcGVaWDNZQ0M2L0w2WjZQSXVlYz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI5LjAuMjc5Mi42NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA0MzYyMDQ1OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNDM2MjA0NTgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTM3OTQxNTk5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZjA5YWIxOC02N2U3LTQ5ZjMtOTMwOS0xMTAxMWZlMjFhMjI_UDE9MTcyODU4Mjc0MSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1qRjBLOUpUM2pIc0sxNHdqYUNHelhDaHY1NzAybnFZczhKJTJmS1hSV1NRalVURUpuNnlPWVR4TWM1MzQlMmJkcUNtSFRBcGUlMmZnNHhQN0lVR3lZSW0zT0pNZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3Mzk0Mjg0MCIgdG90YWw9IjE3Mzk0Mjg0MCIgZG93bmxvYWRfdGltZV9tcz0iNDMxMDQiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTM3OTQxNTk5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU1MTY5MjM4MyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjIwNzg4NjE0NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjIxNTYiIGRvd25sb2FkX3RpbWVfbXM9IjQ5NDAxIiBkb3dubG9hZGVkPSIxNzM5NDI4NDAiIHRvdGFsPSIxNzM5NDI4NDAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjY1NjIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -NoProfile -Command " try { $pcSystemType = (Get-CimInstance -Class Win32_ComputerSystem).PCSystemType if ($pcSystemType -in 1,3) { \"Desktop\" } elseif ($pcSystemType -eq 2) { \"Laptop\" } else { \"Unknown\" # Handle other PCSystemType values as Unknown } } catch { \"Unknown\" # Catch any errors and return Unknown } "

C:\Windows\system32\powercfg.exe

"powercfg" -list

C:\Windows\system32\powercfg.exe

"powercfg" -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61

C:\Windows\system32\powercfg.exe

"powercfg" -changename d01c16d1-876b-44f7-8dfb-bce19a3625bf "VTRL Optimized" "Powerplan set by VTRL Optimizer"

C:\Windows\system32\powercfg.exe

"powercfg" -setactive d01c16d1-876b-44f7-8dfb-bce19a3625bf

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor THROTTLING 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_none DEVICEIDLE 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor PERFAUTONOMOUS 1

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor PERFAUTONOMOUSWINDOW 1000

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor PERFEPP 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 1

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor PERFBOOSTPOL 100

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor CPMINCORES 100

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current SUB_INTSTEER UNPARKTIME 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current SUB_INTSTEER PERPROCLOAD 10000

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor SHORTSCHEDPOLICY 2

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current sub_processor SCHEDPOLICY 2

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current 54533251-82be-4824-96c1-47b60b740d00 4d2b0152-7d5c-498b-88e2-34345392a2c5 5000

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 0

C:\Windows\system32\powercfg.exe

"powercfg" /change standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

"powercfg" /change monitor-timeout-ac 0

C:\Windows\system32\powercfg.exe

"powercfg" /change hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current SUB_SLEEP UNATTENDSLEEP 0

C:\Windows\system32\powercfg.exe

"powercfg" -setacvalueindex scheme_current SUB_IR DEEPSLEEP 0

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4884,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:8

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpmksjcq\EFeYB9czGU.bat

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpAJ5gMK\F4EKe4vt8h.bat

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpPasuc2\jVs5MWdSEm.bat

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpQRQLNL\JlY2WPzBPG.bat

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpL7KmBB\18mgT64ipn.bat

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpARs4AS\nYq48zHR9S.bat

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmp5YqoXl\LXorCZ5aOS.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "$srumDatabaseFilePath = """$env:WINDIR\System32\sru\SRUDB.dat"""; if (!(Test-Path -Path $srumDatabaseFilePath)) {; Write-Output """Skipping, SRUM database file not found at `"""$srumDatabaseFilePath`""". No actions are required."""; exit 0; }; $dps = Get-Service -Name 'DPS' -ErrorAction Ignore; $isDpsInitiallyRunning = $false; if ($dps) {; $isDpsInitiallyRunning = $dps.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running; if ($isDpsInitiallyRunning) {; Write-Output """Stopping the Diagnostic Policy Service (DPS) to delete the SRUM database file."""; $dps | Stop-Service -Force; $dps.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped); Write-Output """Successfully stopped Diagnostic Policy Service (DPS)."""; }; } else {; Write-Output """Diagnostic Policy Service (DPS) not found. Proceeding without stopping the service."""; }; try {; Remove-Item -Path $srumDatabaseFilePath -Force -ErrorAction Stop; Write-Output """Successfully deleted the SRUM database file at `"""$srumDatabaseFilePath`"""."""; } catch {; throw """Failed to delete SRUM database file at: `"""$srumDatabaseFilePath`""". Error Details: $($_.Exception.Message)"""; } finally {; if ($isDpsInitiallyRunning) {; try {; if ((Get-Service -Name 'DPS').Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Output """Restarting the Diagnostic Policy Service (DPS)."""; $dps | Start-Service; }; } catch {; throw """Failed to restart the Diagnostic Policy Service (DPS). Error Details: $($_.Exception.Message)"""; }; }; }"

C:\Windows\system32\reg.exe

reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

C:\Windows\system32\reg.exe

reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

C:\Windows\system32\wevtutil.exe

wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { """$($directoryGlob)*""" } else { """$($directoryGlob)\*""" } )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; $deletedCount = 0; $failedCount = 0; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try {; $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) {; if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). #>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try {; Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch {; $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) {; Write-Warning """Failed to delete $($failedCount) items."""; }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\* | Remove-ItemProperty -Name LastUsedTimeStart -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AMSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AirSpaceChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\* | Remove-ItemProperty -Name LastUsedTimeStop -ErrorAction SilentlyContinue"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "FirstUXPerf-Analytic"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\* | Remove-Item -Recurse -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { """$($directoryGlob)*""" } else { """$($directoryGlob)\*""" } )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; $deletedCount = 0; $failedCount = 0; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try {; $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) {; if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). #>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try {; Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch {; $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) {; Write-Warning """Failed to delete $($failedCount) items."""; }"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "General Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "IHM_DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\* | Remove-ItemProperty -Name LastUsedTimeStart -ErrorAction SilentlyContinue"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceMFT"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationFrameServer"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProc"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProcD3D"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationAsyncWrapper"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationContentProtection"

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDS"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMP4"

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMediaEngine"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\* | Remove-ItemProperty -Name LastUsedTimeStop -ErrorAction SilentlyContinue"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformanceCore"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationSrcPrefetch"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Debug"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\* | Remove-Item -Recurse -Force"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\* | Remove-ItemProperty -Name LastUsedTimeStart -ErrorAction SilentlyContinue"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\* | Remove-ItemProperty -Name LastUsedTimeStop -ErrorAction SilentlyContinue"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged\* | Remove-Item -Recurse -Force"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppSruProv"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Call"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe

"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4996,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/Error"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Store/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 142.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 msedge.sf.dl.delivery.mp.microsoft.com udp
US 152.199.21.175:443 msedge.sf.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 10.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 221.228.151.4.in-addr.arpa udp
US 8.8.8.8:53 msedge.f.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.f.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 vtrl.cc udp
US 104.21.19.193:443 vtrl.cc tcp
US 8.8.8.8:53 vtrl.cc udp
US 8.8.8.8:53 vtrl.cc udp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 193.19.21.104.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 172.67.188.147:443 vtrl.cc tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 147.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:443 dns.google udp
US 104.21.19.193:443 vtrl.cc tcp
US 8.8.8.8:443 dns.google udp
US 204.79.197.239:443 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
DE 2.19.11.120:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 239.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 120.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 104.21.19.193:443 vtrl.cc tcp
US 8.8.8.8:53 vtrl.cc udp
US 8.8.8.8:53 vtrl.cc udp
US 172.67.188.147:443 vtrl.cc tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 8.8.4.4:443 dns.google udp
US 13.107.21.239:443 tcp
DE 2.19.11.120:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 239.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI9460.tmp

MD5 cfbb8568bd3711a97e6124c56fcfa8d9
SHA1 d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
SHA256 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
SHA512 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk~RFe57ddbd.TMP

MD5 6da2923eba9e39b9f77772f8b87270fd
SHA1 ec372c1a9e35f14f7deee9adb77b4da2e5e01bc0
SHA256 478ed6ab90beba8dd62fbd54ac8052366719551bb32aa278e5055812feaeaa58
SHA512 f1df35ec5e7c3a7034192f17a4469c085a69cb985a905b404004fef317395173b09ae257acd92d13bd08ea6ef694fe77bf88e3deeed16a249cc364a8e2b2f169

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk

MD5 78889b8ead04549a9377c83d65767fe9
SHA1 ab9a9c219b84a55dbddc678275820f4bae2f5919
SHA256 b8318900429a19e0d4f0c0f501aacce4a36cd203cc713a02cee10e35a7f4a1eb
SHA512 098ad117d6d907269697814b224113f43cc6ab7651db9052947c9281f0d7b9bc0af22d143d147d46d0a3f17e0b1d1800a3751578aeaa407c3cdd583e41baabb3

C:\Program Files\VTRL\VTRL.exe

MD5 8854573a5ad9f69248491b860a8473a7
SHA1 2112784e8b035413cdbf5b19afcfca90c9da47fb
SHA256 9aae8bfe7cb32e9c247feb67d97d3611c7c377dff7b6c42a779a0fae1bbf11b6
SHA512 21d20ef8bb0884dd0c9f1b9340c331ecd3a9f4127af55444a6fcbd2a49f91c6efdc730824e5529b80c1e9469a172ac140da411fa07268c295d0535921a66df61

memory/3624-38-0x00000210F5CC0000-0x00000210F5CE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iuv5rovr.jiy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

MD5 d2ebd82a5d3fac11d44d90d8df253bb9
SHA1 ba94b456e111ea9573fe150ad4090a66540c9938
SHA256 04b65aa7b23d0c7ebbd6e022a600fbc43c0ee896ed280e48ac59e17fb0a2311d
SHA512 49e9ef8066200cd6ec079943c1fbcda95cab2d3042f635ed57949e0c0701ecdf34ea8f16324994dc77bc3ec9fc67882ea88b4d543974e90bf4e8cf69b15e073c

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe

MD5 b0d94ffd264b31a419e84a9b027d926b
SHA1 4c36217abe4aebe9844256bf6b0354bb2c1ba739
SHA256 f471d9ff608fe58da68a49af83a7fd9a3d6bf5a5757d340f7b8224b6cd8bddf6
SHA512 d68737f1d87b9aa410d13b494c1817d5391e8f098d1cdf7b672f57713b289268a2d1e532f2fc7fec44339444205affb996e32b23c3162e2a539984be05bb20c4

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdate.dll

MD5 b0da0a3975239134c6454035e5c3ed79
SHA1 fbea5c89ef828564f3d3640d38b8a9662c5260e6
SHA256 c590d1af571d75d85cfe6cb3d1aa0808c702bcefd1b74b93ea423676859fb8ba
SHA512 5fbfa431a855d634bcbef4c54e5cc62b6435629305efee11559f66473c427ad0775c09364d37aaa7a4a8a963800886f6547a52ae680a1ff2c4dcc52c87d994bb

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_mk.dll

MD5 f8866ed0d837e3396ef56449543a3209
SHA1 7d23733ab60539b910a9c4914df113efb2b8ae36
SHA256 2e3822c92f63abc7a3ae9e0d1c3db1c328fba4dc5fa99cc5d3aa1dfac9755ae6
SHA512 8c6cb4377636f72a1b82060c3e0dd2d81b94155a1eb40922d2374e246723ff0fb8ffaf36950ce9efe26c4824fe358aab71ec74788e8daba2d43c6ba66eca75f6

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_mi.dll

MD5 16e6e07283f2fd2c0d9fdf78e4266521
SHA1 252986d2a4ffa7dc982f1d94e3a769a2c9ebfb16
SHA256 91ce7c5b3b5797acb6ceffe03b9ca7a8de50374c4bf6a48a66c4c60906b3ff0d
SHA512 47d09fe059eef1db049c18015c814c98badaeb37981be53280c86d32b30a0cdcefe3177bbe6e824cd08ecde68a11cd29badfad9ae279436ecb873ffa169935f5

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lv.dll

MD5 b329055638a2703204e2caff5c655003
SHA1 85fc0a199663ace9c7e3509f4799e04ef20e71f1
SHA256 55905c16ab32b718a605f51cbb4d58d68ec2cd6dec177b2d5fc43f98418a7e61
SHA512 75b6d1fe26927d31cee1cba894642222c8855dd9517bafefe514aaf930a758372703f20cdcb5abea4626d73d5a3e7d953cd9286d83791c0688bc967eadaf4f79

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lt.dll

MD5 bb24d428375ec4d138e974adf53f820c
SHA1 f36096d3d0256a21a4ec312a7f293ef1afaea5b4
SHA256 d21bd9565abf453387fecfb7508ada6fbc5ef04a0760cb4d5c167d172d229ef9
SHA512 23549dff4f6cd826d4f7b15d57a72dff10aec200d8b0ab7ace0b7ef833bba6cb116a9f7bf2bc6dcff087d14ec0b072a567b4a8934cff7a15ef627135625994d7

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lo.dll

MD5 ac1b51dbc25646287542c35fc650a363
SHA1 4bf6b818f257d4b823e6d67fcfd572967b46e750
SHA256 8f2b7efe2193b1a87eaf9f36b926df4d5d4d1162e85a18723fcd6e69c581d40a
SHA512 9b7880a06e808bc337e98cfac6f8cf5be7267c6310aea7f3fcbaa87417fb30cb6f7411fc81f780742dc09e59de8cb89bfce227e65d01ce7cb98bd1ba37165df0

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lb.dll

MD5 b426d4d32a6e0b7312459a896581e4b7
SHA1 a027cd7ceed7a610ac2405e2545207dd4627c83e
SHA256 a0be6cc82ada1b0c788f278b6cf4d9177e940b22b2157cf04f22900c71df2d43
SHA512 c400a7b326eb54f97b8680bd137e8e2f7e0ff6ef01da088b2eeeb23f1e01eeed96b17b907e1b1e040f894fd205fa192cd9fcb157e546e7e2d9a121122a633e4e

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_kok.dll

MD5 c4740361d46b87eb618e395552f20b6f
SHA1 62654bb1ef4f6959bc421b1d5c0d4ef7c6651b17
SHA256 869461c0b655d697c5089ef9b5eb842670b5c3e9696aa109ed3ec9c217e31f89
SHA512 0dd00ce5cd4a13a00faa7925e0f3965d059e9b935601408e0b687b764680780d855d9fe13f653c3458bb672b67d039496c7fdf605b2c31613f79a2f7ae24ef4f

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ko.dll

MD5 c89e6395725b3ba0b18d314d54589b92
SHA1 c57c5a8c4841206da919335bc29ab65ce7aca76c
SHA256 771009b26b95c3c6e0391fb78038c632a2475af36b3b48d13882645ab5e91d3b
SHA512 33ebe44cacccd475c958053614f3c179f2d0d3bde8a99e740faee0b87bca0eb2ea27a01501c70ae90367fe158a694edde005920d9ba18d647d0328d0a5f8c27a

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_kn.dll

MD5 b6d73bbacd24928bfe692e2c48522e03
SHA1 8ae460214f623db552fe09944dde5f83e1f3e3ff
SHA256 9be3c751e0f89866599d8d4a6d2bc10db749fabcd6de88922e4b7c4bb1f03ddf
SHA512 762974a13e623435adda030e9f496220ba65e8ebcfbc3aefd896491a4816bd8496cba79dc56f321e4eb98a9fcf71b36160c27f701c5e690c071270065d1f3f14

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_km.dll

MD5 9dc0ee4f6b7e239018d6962b5097669c
SHA1 3b091cd8dc4f46ec7603c56d2ebf73385576031e
SHA256 4d31ba95fb2adf05ea6fb9b1896f09c872c228187bd3d2f979b162097ea18979
SHA512 aca659bcb9dfe59bd23dabcf2051b8529b0a1b9f2c1a0748ff29ffb02307222dc3a5d8b7aa42f6469200992e6cca14886908eb624f9f1959095133b09f3752d6

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_kk.dll

MD5 1c6f35c21ff0afb2f4aa9d4352fc86f2
SHA1 d4bf67c14304add3e7d8218ff66a520a7b1e0a6e
SHA256 779900e90b23d0443e0b93b4ac7c8fa24dd6a0ebddb36cd22bcd7a1a6fce2ecc
SHA512 caf80f4adab14a81bb14e36683772539a6789448ddfcaba2a09e5c6c3e2dae105ce436ca7dd7b412c6c73dcc0768141822b13064d452a48a37721e1e9dd357f2

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ka.dll

MD5 e802f3589731c88d166a8b0e3bae1dc7
SHA1 b94e21b646c26053c19a0e6238f0e4fbde0a2fa6
SHA256 173f78b786cd1a58a47ec9f7c662e403b191fa42cb7308aa7eb6b0f744bfae0b
SHA512 ecf9eb33afb00c6839d6778e36685b904267e6f384a7d307230000a506e6ac6e95132c2f50a4cbe523d834dd6c7ecd1277d47b73188130e097a0b64c0ec64a51

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ja.dll

MD5 ffc1ff9f4cb8fcb529f8580d3b92a80c
SHA1 d0ef21a7407c5eebe1fc21b6549c92c6222bf0cd
SHA256 d508f613bbec62a237a5616959dbc292fe4a79adc8783fb91725f3f2c32658d2
SHA512 6345362f03f3bc4409c1e5875b2e7cb58b5df9737c9c5502a19314046281e682a3ea7ac5adbbb933a130f52efad4da4eb9ad99ebfdd41bdba23d1fbea4180475

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_iw.dll

MD5 dede65e2268976ded6f598ecea661025
SHA1 45c6fd614dac74eecf83709081b4f289c05271dd
SHA256 9379736bb1b621367e42736d311288d33742a9e0ca3e056b4638491fc434a880
SHA512 92a46ca5e3c40bf55fede64aecd7fd05f6419c645d38325546c46632775fe72cff4152e473ffbc15d478da62c76a088ebfb4db91b9a0691a9ce1c763ad3f9285

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_it.dll

MD5 b8b03be1e73e1ccc0df159c48e875038
SHA1 37d1b2216f1e90a69b1be65b2c4f0f5f35e78aef
SHA256 4ee8f48af5136fb80f5d031395f92abb2b3571fdf7c4c98ae833c2ee74c49160
SHA512 ef47c8c0f8aed7a4d912986e2a3fbc34b54fdea25b006bcb63d502a6cefc42bca717a93e16ff1c137892a91b894ea15d95a53dd3b52b850bf1a75ec9bd7b3013

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_is.dll

MD5 b675cc1f6f5f174c265c0887d9591915
SHA1 abb182cfbe1d5723ecc380c5fa08b24c1f421af1
SHA256 c012110ad65f8244494ef2aa70696128a949fbc5797e5139afa7d4195457df1f
SHA512 be1b23a563a2b4f6b658df3f8075d48bf3921c5951a6fbe77c24a0949997e068403f5bcaa3f93030b01d7a69b1aa74ce06f37038c30145e03a9822f4854f7c0d

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_id.dll

MD5 5b5366c7779dc9ce9f3a15b6f22289ac
SHA1 d9995fee337b9696be970a2a48a845ed71bd7d2b
SHA256 da6d5c982387286396f54c043bacf106f78fc76db4a33984c8b2cb88882fc9b3
SHA512 35362a3719833449bd9e757194f9b0b28c3d68a0c62f52d224b1cd5eca5a2343e1db868668e2b30d927a1966b5db5cd0b2230d7f4576627e486eb3a86913b195

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_hu.dll

MD5 e56f98d6b32f82f391d5b087a135a7ec
SHA1 c8de62b4b22a8153cb788e03f7e04c55a5ae5396
SHA256 236252a34d2efdb4e801bd827a791935aadfe6c0a471f1b252d9bf2d291a6bae
SHA512 45b9933478505759e7217a65e3a054885841c5ae9bc58983c6cb216ea2a15c53f45ecfb6b40fee07d54c289819ddc2161a651e5183e244e0f43946176f224c8a

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_hr.dll

MD5 8bbd58f9644187747407b0a18c60aa0a
SHA1 82888f3f2ce1dd7b9b3f5ac26bed0a6da5601dff
SHA256 35008c4ea7f22ac78d28e72311d4b3fa28d6af24072fa94558a9b3771a4b545e
SHA512 1fa7d62692062c1d22e3fe0e5c15bfbb2def115be2991001a998fcc6bbb5983d9343b06172e8f38b245587b15762b655ef58ec508160b576779963e5889efca8

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_hi.dll

MD5 6b97796e1746317567ed7cffe9441d3b
SHA1 dd269b22021eb37fe854ff181a09bf7f9568f7ac
SHA256 a4ce75f6b1de6a2500bfd6b0ebc1c268cb3d7080dc9e7661bedd9361f7215d42
SHA512 f1856ac881de7acb7f61f2d7c1d064458855c3621fcfa951f1d1207f3d85fd6f64b26547ea1391c4145bdeee23e6611acb2fe80b8c1258dd108085e371d34d73

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_gu.dll

MD5 951dfd4709b3fdbe79a6e43828387592
SHA1 0c7bbf1852135456692970639869618fb616ba5e
SHA256 21c72dc48cd33291520e3f432d8d59ec103496ab6508f41fa1b081b3bdf98bb8
SHA512 b338c345db00135ceb3577a67bcbc36b37be742e39aa6a333bac93ba20ab1463df55a381be95c9e9effaed4daa0ce93203ff2994459f9a23813dc0afdff03e8d

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_gl.dll

MD5 be03945025cc2f68f8edd4e1ca3c32b7
SHA1 d4b1c83f6b72796377bfd3b42c55733eed8fc5e4
SHA256 aa95c108db3582a4be98fe83519aab3fed09c8cc9b326469edb89871d6562373
SHA512 a03656acfc123f06a071f0e326ce15bf17e2efe080fa276acd50cb40e35000d74a3d0762da327c59a7564bb3f03532bf04c733ae850852f62ce71fd513e9080a

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_gd.dll

MD5 6de337fa9f131077042f7ce421a9fa42
SHA1 25e21b64cdf60a1da2f940b3c873eefd680a5fc9
SHA256 263e07308785bd7e510eda95499ab3d3d66942f0bfd0a5722258e2a87b5d0a90
SHA512 e747fc105c4ede0d4f73492e3757975a9410499caf867bc149cd43bdbf1be03d3df82fe04c7cf99e3ad6ee06fb5011fc5b069bd502c2f3b3e578f587d0362e3d

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ga.dll

MD5 f7b123f6dd6c8d8832a8bb8b7831e42c
SHA1 7e9524b79036568b2b4446ee00c76460fb791c6d
SHA256 119b9e288832f2a4d47d63b693bb195a72f27e9c0aa014b2c3ccd5d185f7afc7
SHA512 6bd457d1e3f943a4ca5a1d36907fe526a4f2965a8411280a2988ef1d264203af0797365c1306e7ce103cabec2ead17d194f20848b4c665e986705c3ed6e291c9

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fr-CA.dll

MD5 8e1793233c6e05eeaf4fe3b0f0a4f67c
SHA1 97697fe9ba6b3cb5cfe87bb94587c724ed879c3b
SHA256 b9caaa668b71964316ee15e6e49f8ae81e5ed167fdb69fc31bc6df834ab4e7a5
SHA512 3d2fbf5e05e7b9e21c85ad7f59db9556046e4c1755f0b138d6de38eeadd3480e772e35798f9339aa7daffbf92afbc385f9c0bb4e4f5c65292dff3b280f52bd6f

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fr.dll

MD5 5e63ac4b5abe6c84f305898a0f9ba0bb
SHA1 e70baf6f175c297a9b491272ce8f131ba781553c
SHA256 711b5968d2116d7e97aa5852ec864db35d3c186f341fb024cd1ef4525256131a
SHA512 c383e4df4337bf9a66f684dabd2faa95cb49abb424c76d0603f91af7b7260be5b2877246da293d5df83fdb59d291d63a7d73303c34682a50ea84a8fcd7d6e874

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fil.dll

MD5 6b2319c3634103272f39fc71d7f95426
SHA1 a1d692a68c5cbb70d29a197ec32c9529c15a0473
SHA256 28c610ba7f8332be050c30e296acaee423bc0a7a9cacc7b3d60618e284ff9cfa
SHA512 51738dd14b410c689ed56530ac555824c773bcb163f4dbaddc86e684e04c1f06271001f0b2bef7d6231f17231b2e3e35f9aba2974c48eff6d1a8ab877e5a6031

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fi.dll

MD5 a9b037f7bc8f5b382bf6c69b993dbeb1
SHA1 7beb733f3561ac3083a3dfca3b7644c5154e1330
SHA256 b498d1b38a81199b62a98a0e36aa9e955e1c0143436908538314089c0e59d128
SHA512 a63c1e1a4d8d2e5043e0cdc420d1c545b0adbcdaa1a65f09454d47cc9642c1ffcb16e76454e90c75fd88f29917024b11418a606acbd560a98b79cd8631186332

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fa.dll

MD5 c4cb44ee190c5aa8dd7749659437e5cc
SHA1 667f4aa01a4262fff2e01838f94330c0ebc285a2
SHA256 dc184d54d00d51d2f8de623c0c4b07e9408f7b02e1f1085107edaf14dcbee136
SHA512 0330d733e89811c4a89deb202ec517de3128ad266483f37bd8d91eb6e45336febf7297da4f3465c683ed1b6e08114d6a3f52ff74484276509b9816ae7dccbb10

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_eu.dll

MD5 c0da1ad8854f64b7988d70c9db199d5f
SHA1 b184335283bf0026615f2a4a120fda87961c774b
SHA256 73190820d59e5bfe769b82ada48b0c9ed353524bd5cab303f5175d7d9bbb74ee
SHA512 424ef2d0ceaba76b64c3349ec1ff5088cb8aff9103fb38da238c80e6452a967f3dca09860b2b8fe9c01e20bebadc539960a5bc241a91bab98bfedf29c2f777ea

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_et.dll

MD5 111118683f6e8ed7ceb11166378aebb0
SHA1 fd3e1cf198885ab5d9082d540d58f983d8a0f5ff
SHA256 5cc4930c50716138e25987baacb9a9aed7d30ff5c0ac927e35f7fc006f5179c4
SHA512 cc3480f05d8d59d3d705204e15ff6453a6d9c77bdb1011d069bb1f83b3d4e14204f19caa7e7ecbb6e3ed92d429ac46940791903440fbfeca2f7e7e12b9a47f6c

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_es-419.dll

MD5 dc8fcfbcd75867bae9dc28246afc9597
SHA1 8fd9361636303543044b2918811dbdab8c55866c
SHA256 3deb382ffdfbd2d96ff344ec4339f13703074f533241f98f0ccd8d3f8c98f4bd
SHA512 ac8fbf033677a6862f3d02cf93bf1838c24f006b40fd44336ae13ecc2287ae4c733cc3d601e39556586131e8a9e2d930814399ac68165a26458a6cbf51b11d32

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_es.dll

MD5 9c0ef804e605832ba0728540b73558a7
SHA1 a305f6b43a3226120d3010ca8c77441f6a769131
SHA256 626835e07c1fc4ab670127682f3e5225881a2d4ddea873c5271e9032668fa641
SHA512 c27a4b24600bdd33a4f9430e8d4d8f7f3718efcaf2d1ec36023e34b996817af79b5a9baeea1506f97d2716c9b2b5509bbc1bf4d7cab779554eebadaa8c942dfe

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_en-GB.dll

MD5 fe685e8edec8a3b3c16e7954b787e118
SHA1 ac71544158bf86d357d78d003f5ff2b4b5fd4ef3
SHA256 4b60ce6e3c8f725ad8e88cd0d0a3f0155a7145915670a532fe1143fb2dfbf49e
SHA512 e30d12a607d1c6fd2060ab38f443af680f8c8655900b0a21f3f0b488033f9300915667bdfa59ff4fd3488f58ac52c7f5598ff5078bf849bd177d1d8c10533f04

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_el.dll

MD5 3d22a75afd81e507e133fe2d97388f2e
SHA1 f7f68cb6867d8c6386438d5a6e26539be493505b
SHA256 823fe6edc1fb0ebdfb8ebbaa2d36f6dc0424c8f26b6594a390ae0eaafd319ab0
SHA512 34a62ebe8d057a6f6e6f6b2672ebb95d4d7c49e739f4beee4bbfb5e917b7176aba4d70b0e84bd727c967d0885c08264dfb42371fe0d3fe4f8f12dbb1e26ca69a

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_de.dll

MD5 970e46bfaca8f697e490e8c98a6f4174
SHA1 2bc396e8f49324dee9eb8cc49cdb61f5313130d9
SHA256 eeff2c2487c6456e6a3ed43fe5fbb9d3b72e301d3e23867b5d64f5941eb36dcb
SHA512 789f29ee2c34d86da5c69225bb8b2fd96273c20146126c28d3d36a880bbda5b16ace479ce59aafdf645328255105133f489278023e63e04e9fa1fb34cc1f3ae1

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_da.dll

MD5 08fb61cf492ccd1236907af7a6b1bd4b
SHA1 9f6e0f7610d42f8a402d3adb7b66374f4d0f3cb5
SHA256 d6261d4bd9ce4011caee1e0efefb5685a5bb5e29130ad8639e4578fc90027631
SHA512 747982680ebc9e3c0993a69923c94382df6bfc113ebb76d31f65f9d824abef1a051a4e351f0f42296fd84e7663fc3bcc784da51dbce0554c3a880ac2258aa16c

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_cy.dll

MD5 1146f59b139b9d810996a1bae978f214
SHA1 cc9d54e6e3ce1efc4ef851eba35222547b996937
SHA256 7b5ce6c7fa03e69a93694fa59c61be88b3eb8cd8951790f3bdd7cba2d99e6b83
SHA512 0c94943646b0a08662eda2d236b7c88ecec0745faff5b9c6097f68e73a20059f8d2de47a9c00e58c6d2083331a34a0fa19b0964f3c62a6b8cfa02bc1e283e75a

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_cs.dll

MD5 8b49a989a56d4a5aabd0a03f179ed92e
SHA1 ca2f84217c867eb853830e95c7717ce35bd997f9
SHA256 849e23c2f53d06462bd0f38e9d7c98e9389486f526a90c461c04c0aa1db7b7be
SHA512 f4861ab9200db234550cd2e355ce200b7746c614e9c326287c0509d152f29d41d7a056e4fd27e3150cb433cd0234c4ae1cbc0c3a8b5892ecb3e8d4632a985aa7

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

MD5 2e9132ee071ca5653baf90b9b1ea382e
SHA1 8a0c1e5a0df6432c50539d68caf697b8adaf1556
SHA256 adf6e6542f1422c431ef92a209886224fbb53b5c67e68ac070d5c8a4c6ee569a
SHA512 0b021758117109e4414c7ef37356106a96b68536ade8d3f1d1fb3dfce7c1132ab6fe02f7292ed225c09814a9c57124f731fd35069d220760678eab565f320976

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ca.dll

MD5 917c18cfa84c8b8e83d8321f03be093b
SHA1 c0a4a743f4059183724fc8c26e84b5a80bb2f7f0
SHA256 6c56355b232c3bd35f397f99648c020733ea2d57db1cd4beafffcd962b896ae4
SHA512 03359c6104e9f0cb2d66b6f1bf5598b2bb00d9e7a62fbd0c5475ca67b5194e96c2e6053a2a1c22323ba0002c614caab0477597fd34b57dd1f5acdb19f70c0854

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_bs.dll

MD5 9f4c9469ef1930ec3ca02ea3b305e963
SHA1 e588ffdf150b55bb4ba38e2aaf175aaf6e1826d0
SHA256 fef14de38a4501cf538c89ca2d1ec389031124f69df9090df94fb4461e54ad58
SHA512 c166189ad76cb395a2aeea724f2088f42dd4d361518856166fb92b3335b8fc670e99eb7b1c4c9ac2c872c8283826cc2c88009bd975e690efbcc3d99289557e96

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_bn-IN.dll

MD5 afa21b2feee2831c5478e113ed814b76
SHA1 9e883c990a31b8cd0ed2f80f732f404386cc55d9
SHA256 183bcae9e143b78d04c2ed83ab6cac8cbd82f1d2bcf7bbb2506886a3925ac556
SHA512 294838c67f6d87fc3b4975c73d24e1c38173c8ad4a14c215945e9910ddc306e9deb0168f38661c85b5c77929fcbf56093f632a35c1b39181203fbd662d71f7f8

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_bn.dll

MD5 8e0ff856270ca13f8c07825e39ae3613
SHA1 b351f8ae0cc13d97d201a268990b75fc9e6cd422
SHA256 18cd8ed69df17e1bcb517285caa88c8a73e093984fecbea2587e7144a8812a73
SHA512 25f3821c20aa222a28143951c9f370d3feceaf41e449f718640dce9af0e88e518bc40d2d02f5e64148d8909feedcfa6a8caf65a87ad12637a8bc13c848b1f178

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_bg.dll

MD5 aeb3a05ce4eecdef3d23dbc0094fe21f
SHA1 e2a5c49b4d0fddcad28649bd09d0cc7af4c0b2c8
SHA256 6c874a312ae57b8b0deac8457a200fcfc90aceaaa252628701c92aa8b9a823e8
SHA512 4a7fe6cf8300b394d7471d9a2d759ebed59690ce925270d6ceaa4e14ee06f01b67f8219559e9ec917477f4c5aae03329ae2c6e231f3fd41c645d02d26b29f367

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_az.dll

MD5 ace0925ded0a4507d82e6d32a77c50df
SHA1 c760ff52c71de3080631120c6992dcd0ac4e37bd
SHA256 8e3c517bfc5986310c35f30b9681d9c919a7d62e299014410132ddc2b41f00b3
SHA512 8adec80e179f205d0571625c1a63a0188e6533adefd48691f2fc287a546c12249c2126e6958d1732fa8847492a8287723a0196fbc0f2b9af3c54e1ab418cc3e6

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_as.dll

MD5 87e596d8f0ac9fbe2d3176665eeb68f3
SHA1 1c9364d55b4844cd250504abe30dcff9792ee576
SHA256 c39669e004facfb0c500788747a4427fe26dcdb50ae695562e6e417f4eb190cd
SHA512 ef3708632e19332ddf460e081f8444ff8b4ec483c6b3e57f386df66d5f62d222b1d3f9f3728928701a6e48720133133c43619858853585a7d70b7bd5d8cf847e

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ar.dll

MD5 3374d9bc4467dbdeaf50bbd5a26edcfa
SHA1 6d7bd73ad27148bad7488959d7ebea22b6805436
SHA256 5c8a8755cc0b1213fb0d5b57e10a53702f2091479d3c058d0c756134e548c685
SHA512 c0c02e54d7e0060b6ffa5bedf8d79cf4b40f77711680d2161b5186c5a8a10e521169dfa7ab6b8e4816c98e4aefd136f209a40c78104cb618c21105e095537719

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_am.dll

MD5 ccdf8ae84e25f2df4df2c9dd61b94461
SHA1 64cd90b95a17d9ecf2a44afc0d83730b263ba5fe
SHA256 816c64b37e4c42cd418d05bc34a64e9c4acb4ce08b2a18ac5484374ca7b76e76
SHA512 242a8a93326d3a5ea1fd367ef6cc2b343f08f4ff68d88d91044d0ad7fce490f47524a6e57940991ff0893a590459e96c588944f2b115cee703413ca594046f7f

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_af.dll

MD5 c54dfe1257b6b4e1c6b65dabf464c9fa
SHA1 aef273340160af0470321e36e9c89e1a858e9d39
SHA256 0c426d4d48efff328a0da5497af24e83892a2ed1d6397a6dc42f9548a24dbff5
SHA512 58ae24dfc6045ce1f8ed782a03cb3d02c10b99a2992b9326711fb8700c8e7d05cfbca21e9b47cb4b1f4f806a9bb7667672026c715aad2f175febb6ba2b5f95db

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\EdgeUpdate.dat

MD5 369bbc37cff290adb8963dc5e518b9b8
SHA1 de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA256 3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA512 4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\NOTICE.TXT

MD5 6dd5bf0743f2366a0bdd37e302783bcd
SHA1 e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA256 91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512 f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeComRegisterShellARM64.exe

MD5 3a6b04122205ec351f8fbef3e20f65c4
SHA1 ba2e989a1f1963652405b632f5020e972da76a8c
SHA256 7ba65317643fbc0d03195bdeeba318732823a91ef27f62483d5fc0ed3fea4912
SHA512 2a0dbc91e79c42bf934ce7ab41ff6ed900322706bb71ffa1f3ade4ad85e0e1de2fa31540e1f1e0e979ad749c84343563ebe341585965f2f3a62debd6b4ab0cb0

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

MD5 1d35f02c24d817cd9ae2b9bd75a4c135
SHA1 8e9a8fe8ca927f2b40f751f2f2b1e206f1d0905f
SHA256 0abf4f0fe0033a56ebdaff875b63cc083fd9c8628d2fb2ab5826d3c0c687b262
SHA512 17d8582c96b22372a6e1a925ccc75531f9bab75ebe651a513774a02021801d38e8f49b4e9679a9dfc53ccc29193fed18ab2e2935b9b7423605e63501028240e9

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdateCore.exe

MD5 e468fe744cbaebc00b08578f6c71fbc0
SHA1 2ae65aadb9ab82d190bdcb080e00ff9414e3c933
SHA256 7c75c35f4222e83088de98ba25595eb76013450fc959d7feefcab592d1c9839f
SHA512 184a6f2378463c3ccc0f491f4a12d6cac38b10a916c8525a27acd91f681eb8fb0be956fc4bdb99e5a6c7b76f871069f939c996e93a68ff0a6c305195a6049276

C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_en.dll

MD5 be845ba29484bdc95909f5253192c774
SHA1 70e17729024ab1e13328ac9821d495de1ac7d752
SHA256 28414cd85efe921a07537f8c84c0a98a2a85fdbd5dfa3141e722ed7b433d0a96
SHA512 2800ec29ece429151c4cd463c5042492ac24e82b4999a323607d142a6e1a08cb69258190a6722afbbcfb3c9cdc6eebdedf89ee6549e0f420f6fbae3aa0501fd4

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

MD5 8b4170a3b5052a95d901ab8194b4656e
SHA1 a83d2c55d02c67f29ebd6676d8911efb5e8c0171
SHA256 e1874b6e29777a8937b95a7305723a30f78e82cf04e1d653acf5986115090c65
SHA512 9263a006aec4715b7263626916d445985946110abc6ab06c51ffbc753db844e9de973a0a2dea3627fd9ec0edee785edecf72f1a0004b0dd644d7a808a36f1481

memory/3612-245-0x00000000006C0000-0x00000000006F5000-memory.dmp

memory/3612-246-0x0000000073DB0000-0x0000000073FD5000-memory.dmp

memory/3612-255-0x0000000073DB0000-0x0000000073FD5000-memory.dmp

C:\Program Files\MsEdgeCrashpad\settings.dat

MD5 c2d0d5b989c56d87f7c9af8099ad733d
SHA1 a0bd4bb95a207472b28756bd23523ff8abfde075
SHA256 dbbb65d615afb02f4d644ec7d459beeb256120352aac730e597a421dc5d4f5d0
SHA512 07ed053d306e2615b557f8c512a6ec615a764e17dd659431228ef12f4cb9c624e6bde317133d09e7470b4d0e920e9fda2ea17fbd96e48a2c9696c898b8329122

memory/4848-286-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.65\Installer\setup.exe

MD5 9826817876f5d690339d91533e9af761
SHA1 5e87919aec6a837a7d0d7a26dade5c691ff2e11e
SHA256 1255d4b34db13d2daeb5b442a4784fe568dfc7adb1d5c243a93b9fc93368ed59
SHA512 2e2b93b4245d2a2f82ee195bd26db515e842108e90dd1711ebc0363e3d87812e5f003bfb4609a4a86f36ef273704b4689d7759e2adbdebe0741aaad1f9a9eefa

memory/4848-302-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

memory/3572-303-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

memory/228-312-0x00007FFD9BD30000-0x00007FFD9BD31000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Crashpad\settings.dat

MD5 8f42bd3d68aa4ff1f1649969dde7dc1e
SHA1 0340aca4f9d00ba2ba6b1be2835e5e3158a51762
SHA256 4567fcd72a17cb4cfbafbb48b5bf9ced2cf2fb9546a8d01e239ba7180155311b
SHA512 42aff5d5163fad7f5d88af28790ed84103370d1af76a49854d2074e883669e97ad8d8fc6f0775c348030e5c7d9c1baad4f390544ffc900b877e4300b237117ec

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State

MD5 7f96b43efea589db66b2205d85d94e87
SHA1 e2610644228cac325a884baf3aed02d7d0f104eb
SHA256 97396f26bdd9279e37521f251b257f69e835fb04dc9e209327ae1f72601454c1
SHA512 042f64f166ffbce64eb791a057cb8b102f4743695e4adf42f3ebbabbbf4d667f303bd94b3d53e9495439e4ab015144b5c9d94d0adece71440371a8d5390e641d

memory/4916-337-0x00007FFD9BD30000-0x00007FFD9BD31000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State~RFe592050.TMP

MD5 afa4e0ea1c6fe4d6d219691477edcbb4
SHA1 3d31cb12d4f196ee7028a691e9e604334a26acc0
SHA256 ab14742b2903c3952976996c124d7d5baafda3d804349a1a3e47ee240cc94845
SHA512 7509f744c79e8351dfee541b9bf8fc903569fe3f7ca3aef71cce951b3c6b6bf195194b1a28acd244fc4cf5a0c5816d482023139f9d4c50015236a631a9180a1b

memory/764-339-0x00007FFD9BDD0000-0x00007FFD9BDD1000-memory.dmp

memory/764-338-0x00007FFD9A640000-0x00007FFD9A641000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State

MD5 43c8ec029cca88ca12408049ff280f0e
SHA1 7475b0ad07ef9d00a25b991b360e877e99e7b11e
SHA256 6d17ea709418f35960b97fc4d7d70f7a9cb524745e5527a022e1e30fa652ed1f
SHA512 65c92a35316f585b7d13578df72af1b73df148343307b6571fdeb2b86bc3a2f6fb285b242aaf5b27fd0ca67460f582ecd149d8eefc9ea0d93d6eeed96e73dffd

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State

MD5 1780f17c8dee49a4db9867fc910781e3
SHA1 a8ce3e4b45c52b50447101477ff6d738dd9acd18
SHA256 323863f8efae1265f2196be6f0da1fa934a04dad6c9ea0fd18bdca8e3945bc25
SHA512 b5904d976ba7b32b8d2ca23ca6c25d45b4fc72910350c73f1240a752a970edf839b6799ab79d716439ed547a88298e159c905eae77a9c1b85691dc9cdde492d4

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Extension Rules\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Extension Rules\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\GrShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\GrShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\GrShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Roaming\cc.vtrl\settings.json

MD5 511d7a0c43169c383dbc31967ad63e9a
SHA1 7564062cacdf090f2388de9d7cd4d73284bed225
SHA256 1b8f1825c10bb3efffa061f3c67c5bd13b939abadc4370599f3991f605b43657
SHA512 fde32a6ece6191b995f92aa15716194f66a0e6bd2d82bc60130ba41ae82f315c10b35e172afcabf3a888a4ebbf1b9e27dd769d5dd201d60abbf4b2f947dd043c

C:\Users\Admin\AppData\Roaming\cc.vtrl\settings.json

MD5 dc2c7ed862f4a17fe63d07754b84eaa7
SHA1 8dd6590dacc904e0fd2f6e6c79ef067da8f323e7
SHA256 4d864f2aae18622bf98184a5678e49da77cb13c6e499eff51e17c8a0e82412d8
SHA512 d913ec84e11362c9bdc2d3c6ca36bc46d487890f5ca760dd9efe134b111ae1811c9c7d1eb15abd03b2d12365aa357e3d75e2636d4a561b9ab7efa04106d30a32

C:\Windows\Logs\DISM\dism.log

MD5 356a82f59787ccf1dcee5315e7b3fbd9
SHA1 634ef0e8376c538f16badcc64f84002d4065fbb4
SHA256 ce64b32d5d492be5226559c4f01ccf32efa3751dcbdd8396a6c1ef24fad729b6
SHA512 b667ff801bd865ba5ed427ed8998c2ce116474ffcac5d75adfecedf571285da16e50770fdf9a7b2193f60310d9ab104831e6fd3f13aeeb6a1b745478cf337384

memory/3572-972-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\DismHost.exe

MD5 e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1 dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256 e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA512 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State

MD5 bb4bc4ae7dd01752ba9c629ebcdcdb99
SHA1 c5c3225a8c917999ba5a30e3c16e49afb7d4a43a
SHA256 f7296e8a0bfefdbc02102163951ab3660cb536904a8db252b2ad7802727eb27d
SHA512 01d8abfbebef6a57ba78d9a89b20dbbd977fe8be58a238ef4d9cb1c9e6bf965ec9cc412c770d1a0da9aca69c111c039d3a8b2681fd4d973473e90bc7009d7c71

memory/228-1130-0x000001D36D540000-0x000001D36D5DE000-memory.dmp

memory/4916-1131-0x000001F82F220000-0x000001F82F2BE000-memory.dmp

memory/5440-1462-0x000001B75FAF0000-0x000001B75FB14000-memory.dmp

memory/5440-1461-0x000001B75FAF0000-0x000001B75FB1A000-memory.dmp

memory/3572-1467-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

memory/228-1468-0x000001D36D540000-0x000001D36D5DE000-memory.dmp

memory/4916-1469-0x000001F82F220000-0x000001F82F2BE000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Code Cache\js\index-dir\the-real-index

MD5 89c1492847abfda190b6a3629556c036
SHA1 54d923d27b96e9f2038180bbb8f48ed2e3aabf01
SHA256 f5930d8419c35cf8e4834cc85cc48060b8b1d092dfc17283206d71a89c5e6328
SHA512 17546d693ddce06ac9fc0afc6a921a98e47499ec8e56d9a8ded16dd81613482128d30c256ee45ef9d2dbfb25f6dee03c9ed7e74403072096554cb852ac17376c

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Code Cache\js\index-dir\the-real-index

MD5 87051a162232b9ad6063d26df9d3ea85
SHA1 f9334e84ec468ed5b5f750dd97271c453a947d56
SHA256 bed77912676850ae3b0766de773073b1f527dae38311a78bc2f37f230a279923
SHA512 c3c2678f6ac9646b1bc814a9880a0d5e9cdfd9623060581fb9b2c6eddfaa2425132302583380980a5a7f89f58d468bbb792d84a9a99519e13ab9c45368f02e08

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\TransportSecurity

MD5 5ad7155af9b89d8d4dbfface472a2175
SHA1 6a765cd2ddc1c0d049b07177d3ca9e8c14612039
SHA256 79bbd9172d47dd3d16fbdf0ecd462631fc475aabfb53570adc93e71534a5ad0b
SHA512 fa9433e90b5af4c75cbe720fc6337608b0859b95c89d7a12e9bb2bbd1b3a575b02943ade78741448a940f667fb3a140350ea937ec064a10c5bf19af17875fe7a

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\TransportSecurity~RFe597862.TMP

MD5 837e39a101d1744f76e510219b2efce6
SHA1 3cd10a0b4e1ef3fbef704e77ed164093ca09b567
SHA256 a9c39d77c4e977344b8f3867a30434608f1fbf384e3946f18c29304788bc9df0
SHA512 ab85ca2f1b9aa0fee5d9cbd7058615886ae14929806903f49bcd66b0e59fef130651885e6bdcb343ca957a068f76354c983b62b1dafc3a7f9383701fc21042f5

memory/228-1504-0x000001D36D540000-0x000001D36D5DE000-memory.dmp

memory/3572-1509-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\9921ffd9-56ee-40a7-8594-21da33affbb4.tmp

MD5 2f93faa0ff5712a74d65201b816ab3ce
SHA1 7e613ee0a77630ca3b2bd2c1d5a7440ac2a7d032
SHA256 d3071943737f3c782686034d0401845be9b4f213d81913015dcffe16ddad5e0f
SHA512 5c7292f035a6510adfdf70bfa74562e40dd05f20ac1352c81f06a1990a5d30a45352bc47d1997ad4237a9c8b5385f957f4776ae9c4af53d1ddb37b0a68edc17a

memory/3612-1536-0x00000000006C0000-0x00000000006F5000-memory.dmp

C:\Config.Msi\e57dc57.rbs

MD5 12e5e45468a6ec7d9b1875b7d1d4eb93
SHA1 6d8d55b64ff8b00169ad610041f73e1044d2d346
SHA256 2d3f403e110fb3f503c790104c53e4fd3d77d8d8f9ac46ea798a3a6dc28ce6ff
SHA512 66c339e73e417e09fc59bbf7218d1c505148cf4140f2caa44ac547997c8e5d67529753112ce1ffbc7e4cdc1f83e0a8835f6aab642969afa6e91b878b11687fda

C:\Windows\Installer\e57dc56.msi

MD5 7853374c6d4f75c1279214f4b843de50
SHA1 3a70bad9f2e54f67d03a9e818cae104f96b91fd6
SHA256 a1b403271c4f1a39c70279f3d73583c508c7211e7606521850b4c27946d5fd7a
SHA512 be2a6ec34dbe59fa5720b0a896793330628e9d7bc32d0aab58b7e9ee1d5a196de22407eb7c6422792f24a7a65f3d365b74ede30c613330d180270c3604ac5fba

memory/3572-1550-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

memory/4916-1552-0x000001F82F220000-0x000001F82F2BE000-memory.dmp

memory/3572-1584-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State

MD5 f7b570b80e7dcbcaf0254ae751041f61
SHA1 f7c3ae1c54356853bb8d32562fbb48a0b29365b3
SHA256 1821dc7faac56553fa34c3c534b24799a4038164ddf8d7687ec7dd1ac0fa68e3
SHA512 3571617d6eb5be35abd3b36c9fbf9880fc30ff34869b464e17a38ed5604334a661ac4b48f7133f7276c59785d35aab358feca3478e346a21146541605858e66f

C:\Program Files\chrome_Unpacker_BeginUnzipping2572_991686904\manifest.json

MD5 58d3ca1189df439d0538a75912496bcf
SHA1 99af5b6a006a6929cc08744d1b54e3623fec2f36
SHA256 a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437
SHA512 afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

C:\Program Files\chrome_Unpacker_BeginUnzipping2572_991686904\manifest.fingerprint

MD5 0c9218609241dbaa26eba66d5aaf08ab
SHA1 31f1437c07241e5f075268212c11a566ceb514ec
SHA256 52493422ac4c18918dc91ef5c4d0e50c130ea3aa99915fa542b890a79ea94f2b
SHA512 5d25a1fb8d9e902647673975f13d7ca11e1f00f3c19449973d6b466d333198768e777b8cae5becef5c66c9a0c0ef320a65116b5070c66e3b9844461bb0ffa47f

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

MD5 6bbb18bb210b0af189f5d76a65f7ad80
SHA1 87b804075e78af64293611a637504273fadfe718
SHA256 01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c
SHA512 4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

memory/3572-1705-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

memory/4916-1707-0x000001F82F220000-0x000001F82F2BE000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\Network Persistent State

MD5 ffa48ab1039a97c5a6ee39b2470716ce
SHA1 163e5a5b84a2eff0b7b6703a6ba074c60d4ba922
SHA256 e8d22b4e9b0b6bb36f73f152f9b6fc02ffe235c2c55eb29470b0858350397a95
SHA512 a5396ac66eb976532bfba598f908e9bc2990d5400b566779d9d2c07d3c5a4003f25e37c385c69eb71ce00358e6920efcdb7bd270942fce6a394bfd2956818f9c

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\Network Persistent State~RFe5a347f.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Program Files\chrome_Unpacker_BeginUnzipping2572_118285297\manifest.json

MD5 55cf847309615667a4165f3796268958
SHA1 097d7d123cb0658c6de187e42c653ad7d5bbf527
SHA256 54f5c87c918f69861d93ed21544aac7d38645d10a890fc5b903730eb16d9a877
SHA512 53c71b860711561015c09c5000804f3713651ba2db57ccf434aebee07c56e5a162bdf317ce8de55926e34899812b42c994c3ce50870487bfa1803033db9452b7

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\DawnGraphiteCache\data_1

MD5 bd75ee81c8f39479c37781ff34eb33bf
SHA1 221e9f6c35a24c6a78c25db7c037a14e98b3df24
SHA256 e159f0e167caaed08c80135cc2b49b3347a1db103010f36af23f4f776ff07df2
SHA512 25e9ea3faf2a4ea36f3f1f36caec446d1a1feeba2cb4dfec17f6a990a7e1da32cc44e27e37cf1829ec0518e042f6015e91a791a9835163a936289bfddbf3595f

memory/3572-1855-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State

MD5 a1f4e9a125d27f8c770a0d7af334f080
SHA1 d2ce6b160a4e950d3579b266be4fb5e4bd2ee3d6
SHA256 b5bc4d560e46ace226dd412ed89683469764ff16e3244848ec30fe166090cf16
SHA512 5870575e18425c1fbf901e6cff06b5ac9c038b308945a4043567ca7979fd9d77d8be531f8c8e14f2f6ecc516983f4f4c57c1dff62a360fd3f4a2378fda2579dd

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Preferences

MD5 39d5716de459895fabecb9031973651a
SHA1 798be74fa2b5ebf9c3772ec9ac894ffbaea730b5
SHA256 6649f7b7f00885337cc1387c882726b2ea44ea11342215d10916db69e18dfd37
SHA512 1f5b12f20dca6dff69dd9eefccff1ae7e6c2e20d22592011ff76f3383a5227d312d2b08bb157df655b273bd0d4eb05ff651917f439f92ffd8e4f52380579de59

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\Network Persistent State

MD5 4c0ec71fa861823eb5756d19946b2ddc
SHA1 63877a71180a367034c4153b3b7b0d39101e7fbf
SHA256 cf17732626f2236f3c268603beda2b9ec21e56199a942219e2a66d30f93ea459
SHA512 1fcdc7086e4a46b7be9ef151a1dfd6a11536a6878190d151f7857ca3bb02767c17dc0a6af55cc624a6600a3a4e7466726271b68a84735f37a56954f71f5dac7b

memory/228-1977-0x000001D36D540000-0x000001D36D5DE000-memory.dmp

memory/2496-1982-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Crashpad\settings.dat

MD5 83f2901d472e23f5801afb1507afdf38
SHA1 7ef9a700d14e3f13ce16f0e93c2e23c85f94fdac
SHA256 0deb80f0e8ee2979ddf4b1ba166952a732f4c9ed54ae1c7d96239ce06f4843fb
SHA512 12dff0ecd8203c2a3f41af816fb46f925781113d62d7a719fdf3b4eb8a2905d26eaeab4d0ee0a79e6c8e846a6c4897c90ed092f1f865f15115b1ba3b8c7d6125

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Crashpad\settings.dat

MD5 53e3a28a9d69c73acbdca9ac9967ae1d
SHA1 572331c01e699e49c3665d2d9ee6b5cc146933b0
SHA256 01093a483ec28437607f3cd16e98dc8fdcf8a3895fc3ddd5fa4c4faf1db2a72e
SHA512 da9d2de87667e8c1373a553bfc3cf8bb657696de0d69ba4c6530aeda6b89034eb4ad21cfd8026d841aa96b0483f917273b81f7e5a2ab75f3b4faa02dae5fc774

memory/2496-2041-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Preferences

MD5 426c17492505118e11297f0aa28b927a
SHA1 d18d05e2b01cd1f98abeaf300e4dfba93bb14609
SHA256 00c742caae60dd30a9c6336e85b239ab5ff73d0ff493c770bb0448e29aec68c6
SHA512 9a87fc4d7e79e2879ad4d778f93c1d29bdccd5bacc4ac52d27167cc88752450b61fcab80dadf45ee51db7d098e05fd451272201639d1c3463ee1e2fc679588af

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\cbb8ec97-2c17-4e02-ac4f-fde4bc502876.tmp

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\TransportSecurity

MD5 01a4ee33f2573ca492266e66e89e26f5
SHA1 f873d93307217cd1b2311fe3be3dfe49883d8610
SHA256 07fcfab11e8819825e899a1d4408397885184ffeaf5bc92ea794cc7ae108b3b0
SHA512 2d0c5fe9a9554ede6deb44bea0e90a6098d7a0231f811bb5aa55f6965fef4964a0147e6c4575b470627adf12fa23619698f5196d59fad94447a7bf797d7d61d5

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Code Cache\js\index-dir\the-real-index

MD5 ff9f56d8f953f4d3174735bfa4c65f60
SHA1 999f918079cefe511228162f3e42b58030e1c090
SHA256 8d93964f8145f129392aed931b6bad9a0849d4bc30da5163b30d31ed75a414ce
SHA512 2c124d3d0e98846f6acc36a31578523f5562423e87b29c59ee71dac3937e679e3f208a3c8c2986fa4c30c12609c52eb3d37a55f956e2dafb46b5b356bf9968e3

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\TransportSecurity

MD5 792b3b60c85fa2c49f3e0976921e61d7
SHA1 5ce89edd104f5928e1665544ee3cf72a05898635
SHA256 79acdceeef737ce7b9527c6ac3f4841ef8c8e04255d883e69101f0cba6268ce3
SHA512 968439f500c0781b8d30b2b3dd8ab0f5d85e8dfb38191b38e13e0b5237d1d707344993a7ad6342f303b31a96ccbc1286f009f52add4e7a8dea8d10f4ccb22f3e

memory/6076-2177-0x000001961FD00000-0x000001961FD08000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Network\Network Persistent State

MD5 afc25f7b0457c6b36067730b6259f026
SHA1 979cec5932286c33d8420fbed5ddae15f90578a1
SHA256 d4c5abb7915f5bb456e6cdf8ae2d998c8c25cd8079b250d72c444c929279ad70
SHA512 94b377a6d9958b1f6092a5562b2c7d01e4a38b1077732d7092e3b04891b6ce13cc975ae3bd7626ea80346eefc7fcfe0c9c90351e29cabeb768c00ed7dd85a87d

C:\Program Files\chrome_Unpacker_BeginUnzipping5376_126559017\manifest.json

MD5 b6911958067e8d96526537faed1bb9ef
SHA1 a47b5be4fe5bc13948f891d8f92917e3a11ebb6e
SHA256 341b28d49c6b736574539180dd6de17c20831995fe29e7bc986449fbc5caa648
SHA512 62802f6f6481acb8b99a21631365c50a58eaf8ffdf7d9287d492a7b815c837d6a6377342e24350805fb8a01b7e67816c333ec98dcd16854894aeb7271ea39062

C:\Program Files\chrome_Unpacker_BeginUnzipping5376_126559017\crl-set

MD5 d246e8dc614619ad838c649e09969503
SHA1 70b7cf937136e17d8cf325b7212f58cba5975b53
SHA256 9dd9fba7c78050b841643e8d12e58ba9cca9084c98039f1ebff13245655652e1
SHA512 736933316ee05520e7839db46da466ef94e5624ba61b414452b818b47d18dcd80d3404b750269da04912dde8f23118f6dfc9752c7bdf1afc5e07016d9c055fdb

memory/2496-2575-0x00007FF6F0AA0000-0x00007FF6F103C000-memory.dmp

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Default\Preferences

MD5 d199e62ac4adf32d2e86808dea98e64f
SHA1 b96f3994896a35779a44f484a220aef34e13bb13
SHA256 3f8309388cb2de07b3830c18aea37b1991fb3e984b39076d482a3eb5a4527fa9
SHA512 bea7b0ea147dba532a5cf0b960c4d15b24d72d607429d8887e3c8f9b7c16ffa9ecf3ae164c39180e5f467220ce74cab691c51c42d44df3f04b120f973b2669c2

C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Local State

MD5 f20828e93d2d367c9a1fbf3d61dd8987
SHA1 c02a057eff2494c784361b238402ca7a1b0a8737
SHA256 b47a9a33fc13a404ae4eedf761cba51b9e62c36882c28f78084dc4773a077162
SHA512 41e95c1c3a0b25295d8a318eed8d1ff852f171a37f42ffa5327d1466ea72cf53277c247d18236847160797378d1fae875855454cf1955e3aba5f956d6de26987