Analysis Overview
SHA256
af4d66782380f13455512dd37efb31f2d14ac7093a5a079794e5b9a07bd556b2
Threat Level: Likely malicious
The file VTRL_2.2.4_x64_en-US.msi.zip was found to be: Likely malicious.
Malicious Activity Summary
Clears Windows event logs
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
Event Triggered Execution: Image File Execution Options Injection
Indicator Removal: File Deletion
Downloads MZ/PE file
Network Share Discovery
Power Settings
Checks computer location settings
UPX packed file
Event Triggered Execution: Component Object Model Hijacking
Drops file in System32 directory
Enumerates processes with tasklist
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Checks system information in the registry
Checks installed software on the system
Drops file in Program Files directory
Loads dropped DLL
Executes dropped EXE
Launches sc.exe
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Checks whether UAC is enabled
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Enumerates system info in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Suspicious use of SetWindowsHookEx
Runs .reg file with regedit
System policy modification
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 17:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 17:51
Reported
2024-10-03 17:52
Platform
win7-20240903-en
Max time kernel
39s
Max time network
25s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\VTRL\VTRL.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\VTRL\Uninstall VTRL.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\VTRL\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f76c65b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76c65b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c65c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICFAE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c65e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76c65c.ipi | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\ProductName = "VTRL" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\PackageCode = "4E2D29992B48F664096C3A96513AEF2F" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Version = "33685508" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\DefaultIcon\ = "C:\\Program Files\\VTRL\\VTRL,1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\ShortcutsFeature = "MainProgram" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DDBBFE4C2AD1A8154BE26EB564261509 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\vtrl | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\Environment = "MainProgram" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\ProductIcon = "C:\\Windows\\Installer\\{B61E3611-DC41-415B-8398-57120CD83649}\\ProductIcon" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\vtrl\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\vtrl\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\PackageName = "VTRL_2.2.4_x64_en-US.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DDBBFE4C2AD1A8154BE26EB564261509 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command\ = "\"C:\\Program Files\\VTRL\\VTRL\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\External | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DDBBFE4C2AD1A8154BE26EB564261509\1163E16B14CDB51438897521C08D6394 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\ = "URL:VTRL Protocol" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1163E16B14CDB51438897521C08D6394\MainProgram | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\Language = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VTRL_2.2.4_x64_en-US.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C78E3824154EDB813A961BCF51BAC9A3 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004CC" "00000000000003DC"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
Network
Files
C:\Users\Admin\AppData\Local\Temp\MSI9231.tmp
| Hash | Value |
| --- | --- |
| MD5 | cfbb8568bd3711a97e6124c56fcfa8d9 |
| SHA1 | d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57 |
| SHA256 | 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc |
| SHA512 | 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04 |
memory/2840-18-0x000000013FF60000-0x000000013FF70000-memory.dmp
\Program Files\VTRL\VTRL.exe
| Hash | Value |
| --- | --- |
| MD5 | 8854573a5ad9f69248491b860a8473a7 |
| SHA1 | 2112784e8b035413cdbf5b19afcfca90c9da47fb |
| SHA256 | 9aae8bfe7cb32e9c247feb67d97d3611c7c377dff7b6c42a779a0fae1bbf11b6 |
| SHA512 | 21d20ef8bb0884dd0c9f1b9340c331ecd3a9f4127af55444a6fcbd2a49f91c6efdc730824e5529b80c1e9469a172ac140da411fa07268c295d0535921a66df61 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk
| Hash | Value |
| --- | --- |
| MD5 | f0bb30fb0e5ea256f7f34572323ab760 |
| SHA1 | 34aff58515bb5270e7861f793591551be0a55e7d |
| SHA256 | e340b9d879ecebb1bf9fe08ec339ad55dedd14eaf73154307532fb319774275b |
| SHA512 | f4f44fdd870dad8c999d1d78c44e0549f5060f168cb61b34df4f7a90d2b2b6e6a81e25783cec248208e31c9f472af8d238727adaad4c052ba184be18e71822f9 |
memory/2840-32-0x000000013F590000-0x000000013F5A0000-memory.dmp
memory/3044-41-0x000000001B3C0000-0x000000001B6A2000-memory.dmp
memory/3044-42-0x0000000002910000-0x0000000002918000-memory.dmp
C:\Windows\Installer\f76c65b.msi
| Hash | Value |
| --- | --- |
| MD5 | 7853374c6d4f75c1279214f4b843de50 |
| SHA1 | 3a70bad9f2e54f67d03a9e818cae104f96b91fd6 |
| SHA256 | a1b403271c4f1a39c70279f3d73583c508c7211e7606521850b4c27946d5fd7a |
| SHA512 | be2a6ec34dbe59fa5720b0a896793330628e9d7bc32d0aab58b7e9ee1d5a196de22407eb7c6422792f24a7a65f3d365b74ede30c613330d180270c3604ac5fba |
memory/2840-65-0x000000013FF60000-0x000000013FF70000-memory.dmp
memory/2840-66-0x000000013F590000-0x000000013F5A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 17:51
Reported
2024-10-03 17:56
Platform
win10v2004-20240802-en
Max time kernel
309s
Max time network
310s
Command Line
Signatures
Clears Windows event logs
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Modifies file permissions
Downloads MZ/PE file
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Program Files\VTRL\VTRL.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "C:\\Windows\\System32\\taskkill.exe" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "C:\\Windows\\System32\\taskkill.exe" | N/A | N/A |
Indicator Removal: File Deletion
Network Share Discovery
Power Settings
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\sru\SRUDB.dat | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates processes with tasklist
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57dc56.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDD02.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe | N/A |
| File created | C:\Windows\Installer\e57dc56.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57dc58.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File created | C:\Windows\Installer\{B61E3611-DC41-415B-8398-57120CD83649}\ProductIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\565865F6-FAE4-418A-9C06-79CA4AE06FEF\dismhost.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B61E3611-DC41-415B-8398-57120CD83649} | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Loads dropped DLL
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\VTRL\VTRL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Time Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not captured) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | N/A | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724516163672074" | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\ = "Google Update Policy Status Class" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\vtrl\DefaultIcon\ = "C:\\Program Files\\VTRL\\VTRL.exe,0" | C:\Program Files\VTRL\VTRL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\ = "Google Update Policy Status Class" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ = "Microsoft Edge Update Update3Web" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F} | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\vtrl\DefaultIcon\ = "C:\\Program Files\\VTRL\\VTRL.exe,0" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ = "Google Update Policy Status Class" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0B4C1840-3931-4AA5-A64F-95339D05E614} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vtrl\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1163E16B14CDB51438897521C08D6394\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VersionIndependentProgID | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LOCALSERVER32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0B4C1840-3931-4AA5-A64F-95339D05E614} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\PROGID | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7} | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files\VTRL\VTRL.exe | N/A |
| N/A | N/A | C:\Program Files\VTRL\VTRL.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files\VTRL\VTRL.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VTRL\VTRL.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | N/A | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VTRL_2.2.4_x64_en-US.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E838180BC1802311D6BAC087AC806021 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjRENkJCNjEtNDEyRC00RDI5LUFFQzMtQTU5MjYwRjlDNDlCfSIgdXNlcmlkPSJ7NkRDNzNFRTYtQTU3Qy00MUMzLTk4RDUtMkEwOEZBNTQ4QTk3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0MjA1NzIxMS1GNDU0LTQ4OTQtQkUxNy0yODg5NzExRkU4MzV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS4xNSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMDAwMjYxNjEiIGluc3RhbGxfdGltZV9tcz0iNDU0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{F4D6BB61-412D-4D29-AEC3-A59260F9C49B}" /silent
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjRENkJCNjEtNDEyRC00RDI5LUFFQzMtQTU5MjYwRjlDNDlCfSIgdXNlcmlkPSJ7NkRDNzNFRTYtQTU3Qy00MUMzLTk4RDUtMkEwOEZBNTQ4QTk3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkY1RDk3NDYtMkIyQy00ODkyLUI1M0YtMjk1NDU0OTc1QzEyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2MiIgaW5zdGFsbGRhdGV0aW1lPSIxNzIyNjAyNzE0IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjcwNzUyNzMwMDQwNjUxIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAwNTk2Mzc5NCIvPjwvYXBwPjwvcmVxdWVzdD4
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\MicrosoftEdge_X64_129.0.2792.65.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=129.0.6668.71 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BF807E59-5AD2-4453-B72B-8CC83A5073C9}\EDGEMITMP_977F9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=129.0.2792.65 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7c61276f0,0x7ff7c61276fc,0x7ff7c6127708
C:\Program Files\VTRL\VTRL.exe
"C:\Program Files\VTRL\VTRL.exe"
C:\Program Files\VTRL\VTRL.exe
"C:\Program Files\VTRL\VTRL.exe"
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=3572.1812.4745332957774390525
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=129.0.6668.71 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=129.0.2792.65 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffd723c8ee0,0x7ffd723c8eec,0x7ffd723c8ef8
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1816,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1812 /prefetch:2
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1988,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2036 /prefetch:3
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2304,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:8
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3356,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:1
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmp6EQzBI\L0DqpV5EvG.bat
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpzUQfgI\4eIvNyqXun.bat
C:\Windows\system32\reg.exe
reg add HKLM /F
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Unrestricted -NoProfile Restore-Computer -Drive 'C:\' -Confirm:$false
C:\Windows\system32\Dism.exe
dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart
C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\A20F8CF3-7FBF-4D29-8114-842292627EEB\dismhost.exe {A38E4CF1-3B26-4450-81C3-85D9BF37645B}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'VTRL RESTORE POINT'
C:\Windows\system32\sc.exe
sc start winmgmt
C:\Windows\system32\sc.exe
sc config winmgmt start=auto
C:\Windows\system32\sc.exe
sc start wmi
C:\Windows\system32\Dism.exe
DISM /Online /Add-Capability /CapabilityName:WMIC*
C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\0CFE3E8B-617F-4D7F-B431-93BAEE7F6B4E\dismhost.exe {0CEFDC22-09D3-4281-8D6C-B2A9BA8D3862}
C:\Windows\system32\Dism.exe
DISM /Online /Add-Capability /CapabilityName:WMIC~~~~ΓÇï
C:\Users\Admin\AppData\Local\Temp\565865F6-FAE4-418A-9C06-79CA4AE06FEF\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\565865F6-FAE4-418A-9C06-79CA4AE06FEF\dismhost.exe {818042F0-E9F5-4CEE-B303-8F3E37FEE7CE}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -NoProfile -Command " try { $pcSystemType = (Get-CimInstance -Class Win32_ComputerSystem).PCSystemType if ($pcSystemType -in 1,3) { \"Desktop\" } elseif ($pcSystemType -eq 2) { \"Laptop\" } else { \"Unknown\" # Handle other PCSystemType values as Unknown } } catch { \"Unknown\" # Catch any errors and return Unknown } "
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpGXudH3\wKiQq4y6DZ.bat
C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpXBF7I8\gMgu0yNcU5.bat
C:\Windows\system32\reg.exe
Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /f
C:\Windows\system32\reg.exe
Reg delete "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /f
C:\Windows\system32\reg.exe
Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /f
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjRENkJCNjEtNDEyRC00RDI5LUFFQzMtQTU5MjYwRjlDNDlCfSIgdXNlcmlkPSJ7NkRDNzNFRTYtQTU3Qy00MUMzLTk4RDUtMkEwOEZBNTQ4QTk3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins3OTEwNDQ5NS1CNjdGLTQ3OTMtOUI1Qi0wNTYwN0NDMTg0QjV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7L3IyNTJwKzZiWjRvaVRGczVZMXd0K3hzcGVaWDNZQ0M2L0w2WjZQSXVlYz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI5LjAuMjc5Mi42NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA0MzYyMDQ1OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNDM2MjA0NTgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTM3OTQxNTk5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZjA5YWIxOC02N2U3LTQ5ZjMtOTMwOS0xMTAxMWZlMjFhMjI_
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -NoProfile -Command " try { $pcSystemType = (Get-CimInstance -Class Win32_ComputerSystem).PCSystemType if ($pcSystemType -in 1,3) { \"Desktop\" } elseif ($pcSystemType -eq 2) { \"Laptop\" } else { \"Unknown\" # Handle other PCSystemType values as Unknown } } catch { \"Unknown\" # Catch any errors and return Unknown } "
C:\Windows\system32\powercfg.exe
"powercfg" -list
C:\Windows\system32\powercfg.exe
"powercfg" -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
C:\Windows\system32\powercfg.exe
"powercfg" -changename d01c16d1-876b-44f7-8dfb-bce19a3625bf "VTRL Optimized" "Powerplan set by VTRL Optimizer"
C:\Windows\system32\powercfg.exe
"powercfg" -setactive d01c16d1-876b-44f7-8dfb-bce19a3625bf
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor THROTTLING 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_none DEVICEIDLE 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor PERFAUTONOMOUS 1
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor PERFAUTONOMOUSWINDOW 1000
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor PERFEPP 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 1
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor PERFBOOSTPOL 100
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor CPMINCORES 100
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current SUB_INTSTEER UNPARKTIME 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current SUB_INTSTEER PERPROCLOAD 10000
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor SHORTSCHEDPOLICY 2
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current sub_processor SCHEDPOLICY 2
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current 54533251-82be-4824-96c1-47b60b740d00 4d2b0152-7d5c-498b-88e2-34345392a2c5 5000
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 0
C:\Windows\system32\powercfg.exe
"powercfg" /change standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
"powercfg" /change monitor-timeout-ac 0
C:\Windows\system32\powercfg.exe
"powercfg" /change hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current SUB_SLEEP UNATTENDSLEEP 0
C:\Windows\system32\powercfg.exe
"powercfg" -setacvalueindex scheme_current SUB_IR DEEPSLEEP 0
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4884,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:8
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpmksjcq\EFeYB9czGU.bat
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpAJ5gMK\F4EKe4vt8h.bat
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpPasuc2\jVs5MWdSEm.bat
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpQRQLNL\JlY2WPzBPG.bat
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpL7KmBB\18mgT64ipn.bat
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmpARs4AS\nYq48zHR9S.bat
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\.tmp5YqoXl\LXorCZ5aOS.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "$srumDatabaseFilePath = """$env:WINDIR\System32\sru\SRUDB.dat"""; if (!(Test-Path -Path $srumDatabaseFilePath)) {; Write-Output """Skipping, SRUM database file not found at `"""$srumDatabaseFilePath`""". No actions are required."""; exit 0; }; $dps = Get-Service -Name 'DPS' -ErrorAction Ignore; $isDpsInitiallyRunning = $false; if ($dps) {; $isDpsInitiallyRunning = $dps.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running; if ($isDpsInitiallyRunning) {; Write-Output """Stopping the Diagnostic Policy Service (DPS) to delete the SRUM database file."""; $dps | Stop-Service -Force; $dps.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped); Write-Output """Successfully stopped Diagnostic Policy Service (DPS)."""; }; } else {; Write-Output """Diagnostic Policy Service (DPS) not found. Proceeding without stopping the service."""; }; try {; Remove-Item -Path $srumDatabaseFilePath -Force -ErrorAction Stop; Write-Output """Successfully deleted the SRUM database file at `"""$srumDatabaseFilePath`"""."""; } catch {; throw """Failed to delete SRUM database file at: `"""$srumDatabaseFilePath`""". Error Details: $($_.Exception.Message)"""; } finally {; if ($isDpsInitiallyRunning) {; try {; if ((Get-Service -Name 'DPS').Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Output """Restarting the Diagnostic Policy Service (DPS)."""; $dps | Start-Service; }; } catch {; throw """Failed to restart the Diagnostic Policy Service (DPS). Error Details: $($_.Exception.Message)"""; }; }; }"
C:\Windows\system32\reg.exe
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
C:\Windows\system32\reg.exe
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
C:\Windows\system32\wevtutil.exe
wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { """$($directoryGlob)*""" } else { """$($directoryGlob)\*""" } )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; $deletedCount = 0; $failedCount = 0; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try {; $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) {; if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). 
#>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try {; Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch {; $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) {; Write-Warning """Failed to delete $($failedCount) items."""; }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\* | Remove-ItemProperty -Name LastUsedTimeStart -ErrorAction SilentlyContinue"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
C:\Windows\system32\wevtutil.exe
wevtutil.exe el
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\* | Remove-ItemProperty -Name LastUsedTimeStop -ErrorAction SilentlyContinue"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\* | Remove-Item -Recurse -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { """$($directoryGlob)*""" } else { """$($directoryGlob)\*""" } )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; $deletedCount = 0; $failedCount = 0; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try {; $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) {; if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). 
#>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try {; Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch {; $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) {; Write-Warning """Failed to delete $($failedCount) items."""; }"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\* | Remove-ItemProperty -Name LastUsedTimeStart -ErrorAction SilentlyContinue"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\* | Remove-ItemProperty -Name LastUsedTimeStop -ErrorAction SilentlyContinue"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\* | Remove-Item -Recurse -Force"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\* | Remove-ItemProperty -Name LastUsedTimeStart -ErrorAction SilentlyContinue"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\* | Remove-ItemProperty -Name LastUsedTimeStop -ErrorAction SilentlyContinue"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged\* | Remove-Item -Recurse -Force"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\cc.vtrl\EBWebView" --webview-exe-name=VTRL.exe --webview-exe-version=2.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4996,i,16468553901336512072,10546585519134379234,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Store/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.72.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | msedge.sf.dl.delivery.mp.microsoft.com | udp |
| US | 152.199.21.175:443 | msedge.sf.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.151.228.221:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 221.228.151.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | msedge.f.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.f.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vtrl.cc | udp |
| US | 104.21.19.193:443 | vtrl.cc | tcp |
| US | 8.8.8.8:53 | vtrl.cc | udp |
| US | 8.8.8.8:53 | vtrl.cc | udp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | 193.19.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 172.67.188.147:443 | vtrl.cc | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.188.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 104.21.19.193:443 | vtrl.cc | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
| US | 204.79.197.239:443 | | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| DE | 2.19.11.120:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 239.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 104.21.19.193:443 | vtrl.cc | tcp |
| US | 8.8.8.8:53 | vtrl.cc | udp |
| US | 8.8.8.8:53 | vtrl.cc | udp |
| US | 172.67.188.147:443 | vtrl.cc | tcp |
| N/A | 127.0.0.1:443 | | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 13.107.21.239:443 | | tcp |
| DE | 2.19.11.120:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 239.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSI9460.tmp
| MD5 | cfbb8568bd3711a97e6124c56fcfa8d9 |
| SHA1 | d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57 |
| SHA256 | 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc |
| SHA512 | 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk~RFe57ddbd.TMP
| MD5 | 6da2923eba9e39b9f77772f8b87270fd |
| SHA1 | ec372c1a9e35f14f7deee9adb77b4da2e5e01bc0 |
| SHA256 | 478ed6ab90beba8dd62fbd54ac8052366719551bb32aa278e5055812feaeaa58 |
| SHA512 | f1df35ec5e7c3a7034192f17a4469c085a69cb985a905b404004fef317395173b09ae257acd92d13bd08ea6ef694fe77bf88e3deeed16a249cc364a8e2b2f169 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk
| MD5 | 78889b8ead04549a9377c83d65767fe9 |
| SHA1 | ab9a9c219b84a55dbddc678275820f4bae2f5919 |
| SHA256 | b8318900429a19e0d4f0c0f501aacce4a36cd203cc713a02cee10e35a7f4a1eb |
| SHA512 | 098ad117d6d907269697814b224113f43cc6ab7651db9052947c9281f0d7b9bc0af22d143d147d46d0a3f17e0b1d1800a3751578aeaa407c3cdd583e41baabb3 |
C:\Program Files\VTRL\VTRL.exe
| MD5 | 8854573a5ad9f69248491b860a8473a7 |
| SHA1 | 2112784e8b035413cdbf5b19afcfca90c9da47fb |
| SHA256 | 9aae8bfe7cb32e9c247feb67d97d3611c7c377dff7b6c42a779a0fae1bbf11b6 |
| SHA512 | 21d20ef8bb0884dd0c9f1b9340c331ecd3a9f4127af55444a6fcbd2a49f91c6efdc730824e5529b80c1e9469a172ac140da411fa07268c295d0535921a66df61 |
memory/3624-38-0x00000210F5CC0000-0x00000210F5CE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iuv5rovr.jiy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
| MD5 | d2ebd82a5d3fac11d44d90d8df253bb9 |
| SHA1 | ba94b456e111ea9573fe150ad4090a66540c9938 |
| SHA256 | 04b65aa7b23d0c7ebbd6e022a600fbc43c0ee896ed280e48ac59e17fb0a2311d |
| SHA512 | 49e9ef8066200cd6ec079943c1fbcda95cab2d3042f635ed57949e0c0701ecdf34ea8f16324994dc77bc3ec9fc67882ea88b4d543974e90bf4e8cf69b15e073c |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\MicrosoftEdgeUpdate.exe
| MD5 | b0d94ffd264b31a419e84a9b027d926b |
| SHA1 | 4c36217abe4aebe9844256bf6b0354bb2c1ba739 |
| SHA256 | f471d9ff608fe58da68a49af83a7fd9a3d6bf5a5757d340f7b8224b6cd8bddf6 |
| SHA512 | d68737f1d87b9aa410d13b494c1817d5391e8f098d1cdf7b672f57713b289268a2d1e532f2fc7fec44339444205affb996e32b23c3162e2a539984be05bb20c4 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdate.dll
| MD5 | b0da0a3975239134c6454035e5c3ed79 |
| SHA1 | fbea5c89ef828564f3d3640d38b8a9662c5260e6 |
| SHA256 | c590d1af571d75d85cfe6cb3d1aa0808c702bcefd1b74b93ea423676859fb8ba |
| SHA512 | 5fbfa431a855d634bcbef4c54e5cc62b6435629305efee11559f66473c427ad0775c09364d37aaa7a4a8a963800886f6547a52ae680a1ff2c4dcc52c87d994bb |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_mk.dll
| MD5 | f8866ed0d837e3396ef56449543a3209 |
| SHA1 | 7d23733ab60539b910a9c4914df113efb2b8ae36 |
| SHA256 | 2e3822c92f63abc7a3ae9e0d1c3db1c328fba4dc5fa99cc5d3aa1dfac9755ae6 |
| SHA512 | 8c6cb4377636f72a1b82060c3e0dd2d81b94155a1eb40922d2374e246723ff0fb8ffaf36950ce9efe26c4824fe358aab71ec74788e8daba2d43c6ba66eca75f6 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_mi.dll
| MD5 | 16e6e07283f2fd2c0d9fdf78e4266521 |
| SHA1 | 252986d2a4ffa7dc982f1d94e3a769a2c9ebfb16 |
| SHA256 | 91ce7c5b3b5797acb6ceffe03b9ca7a8de50374c4bf6a48a66c4c60906b3ff0d |
| SHA512 | 47d09fe059eef1db049c18015c814c98badaeb37981be53280c86d32b30a0cdcefe3177bbe6e824cd08ecde68a11cd29badfad9ae279436ecb873ffa169935f5 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lv.dll
| MD5 | b329055638a2703204e2caff5c655003 |
| SHA1 | 85fc0a199663ace9c7e3509f4799e04ef20e71f1 |
| SHA256 | 55905c16ab32b718a605f51cbb4d58d68ec2cd6dec177b2d5fc43f98418a7e61 |
| SHA512 | 75b6d1fe26927d31cee1cba894642222c8855dd9517bafefe514aaf930a758372703f20cdcb5abea4626d73d5a3e7d953cd9286d83791c0688bc967eadaf4f79 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lt.dll
| MD5 | bb24d428375ec4d138e974adf53f820c |
| SHA1 | f36096d3d0256a21a4ec312a7f293ef1afaea5b4 |
| SHA256 | d21bd9565abf453387fecfb7508ada6fbc5ef04a0760cb4d5c167d172d229ef9 |
| SHA512 | 23549dff4f6cd826d4f7b15d57a72dff10aec200d8b0ab7ace0b7ef833bba6cb116a9f7bf2bc6dcff087d14ec0b072a567b4a8934cff7a15ef627135625994d7 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lo.dll
| MD5 | ac1b51dbc25646287542c35fc650a363 |
| SHA1 | 4bf6b818f257d4b823e6d67fcfd572967b46e750 |
| SHA256 | 8f2b7efe2193b1a87eaf9f36b926df4d5d4d1162e85a18723fcd6e69c581d40a |
| SHA512 | 9b7880a06e808bc337e98cfac6f8cf5be7267c6310aea7f3fcbaa87417fb30cb6f7411fc81f780742dc09e59de8cb89bfce227e65d01ce7cb98bd1ba37165df0 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_lb.dll
| MD5 | b426d4d32a6e0b7312459a896581e4b7 |
| SHA1 | a027cd7ceed7a610ac2405e2545207dd4627c83e |
| SHA256 | a0be6cc82ada1b0c788f278b6cf4d9177e940b22b2157cf04f22900c71df2d43 |
| SHA512 | c400a7b326eb54f97b8680bd137e8e2f7e0ff6ef01da088b2eeeb23f1e01eeed96b17b907e1b1e040f894fd205fa192cd9fcb157e546e7e2d9a121122a633e4e |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_kok.dll
| MD5 | c4740361d46b87eb618e395552f20b6f |
| SHA1 | 62654bb1ef4f6959bc421b1d5c0d4ef7c6651b17 |
| SHA256 | 869461c0b655d697c5089ef9b5eb842670b5c3e9696aa109ed3ec9c217e31f89 |
| SHA512 | 0dd00ce5cd4a13a00faa7925e0f3965d059e9b935601408e0b687b764680780d855d9fe13f653c3458bb672b67d039496c7fdf605b2c31613f79a2f7ae24ef4f |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ko.dll
| MD5 | c89e6395725b3ba0b18d314d54589b92 |
| SHA1 | c57c5a8c4841206da919335bc29ab65ce7aca76c |
| SHA256 | 771009b26b95c3c6e0391fb78038c632a2475af36b3b48d13882645ab5e91d3b |
| SHA512 | 33ebe44cacccd475c958053614f3c179f2d0d3bde8a99e740faee0b87bca0eb2ea27a01501c70ae90367fe158a694edde005920d9ba18d647d0328d0a5f8c27a |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_kn.dll
| MD5 | b6d73bbacd24928bfe692e2c48522e03 |
| SHA1 | 8ae460214f623db552fe09944dde5f83e1f3e3ff |
| SHA256 | 9be3c751e0f89866599d8d4a6d2bc10db749fabcd6de88922e4b7c4bb1f03ddf |
| SHA512 | 762974a13e623435adda030e9f496220ba65e8ebcfbc3aefd896491a4816bd8496cba79dc56f321e4eb98a9fcf71b36160c27f701c5e690c071270065d1f3f14 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_km.dll
| MD5 | 9dc0ee4f6b7e239018d6962b5097669c |
| SHA1 | 3b091cd8dc4f46ec7603c56d2ebf73385576031e |
| SHA256 | 4d31ba95fb2adf05ea6fb9b1896f09c872c228187bd3d2f979b162097ea18979 |
| SHA512 | aca659bcb9dfe59bd23dabcf2051b8529b0a1b9f2c1a0748ff29ffb02307222dc3a5d8b7aa42f6469200992e6cca14886908eb624f9f1959095133b09f3752d6 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_kk.dll
| MD5 | 1c6f35c21ff0afb2f4aa9d4352fc86f2 |
| SHA1 | d4bf67c14304add3e7d8218ff66a520a7b1e0a6e |
| SHA256 | 779900e90b23d0443e0b93b4ac7c8fa24dd6a0ebddb36cd22bcd7a1a6fce2ecc |
| SHA512 | caf80f4adab14a81bb14e36683772539a6789448ddfcaba2a09e5c6c3e2dae105ce436ca7dd7b412c6c73dcc0768141822b13064d452a48a37721e1e9dd357f2 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ka.dll
| MD5 | e802f3589731c88d166a8b0e3bae1dc7 |
| SHA1 | b94e21b646c26053c19a0e6238f0e4fbde0a2fa6 |
| SHA256 | 173f78b786cd1a58a47ec9f7c662e403b191fa42cb7308aa7eb6b0f744bfae0b |
| SHA512 | ecf9eb33afb00c6839d6778e36685b904267e6f384a7d307230000a506e6ac6e95132c2f50a4cbe523d834dd6c7ecd1277d47b73188130e097a0b64c0ec64a51 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ja.dll
| MD5 | ffc1ff9f4cb8fcb529f8580d3b92a80c |
| SHA1 | d0ef21a7407c5eebe1fc21b6549c92c6222bf0cd |
| SHA256 | d508f613bbec62a237a5616959dbc292fe4a79adc8783fb91725f3f2c32658d2 |
| SHA512 | 6345362f03f3bc4409c1e5875b2e7cb58b5df9737c9c5502a19314046281e682a3ea7ac5adbbb933a130f52efad4da4eb9ad99ebfdd41bdba23d1fbea4180475 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_iw.dll
| MD5 | dede65e2268976ded6f598ecea661025 |
| SHA1 | 45c6fd614dac74eecf83709081b4f289c05271dd |
| SHA256 | 9379736bb1b621367e42736d311288d33742a9e0ca3e056b4638491fc434a880 |
| SHA512 | 92a46ca5e3c40bf55fede64aecd7fd05f6419c645d38325546c46632775fe72cff4152e473ffbc15d478da62c76a088ebfb4db91b9a0691a9ce1c763ad3f9285 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_it.dll
| MD5 | b8b03be1e73e1ccc0df159c48e875038 |
| SHA1 | 37d1b2216f1e90a69b1be65b2c4f0f5f35e78aef |
| SHA256 | 4ee8f48af5136fb80f5d031395f92abb2b3571fdf7c4c98ae833c2ee74c49160 |
| SHA512 | ef47c8c0f8aed7a4d912986e2a3fbc34b54fdea25b006bcb63d502a6cefc42bca717a93e16ff1c137892a91b894ea15d95a53dd3b52b850bf1a75ec9bd7b3013 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_is.dll
| MD5 | b675cc1f6f5f174c265c0887d9591915 |
| SHA1 | abb182cfbe1d5723ecc380c5fa08b24c1f421af1 |
| SHA256 | c012110ad65f8244494ef2aa70696128a949fbc5797e5139afa7d4195457df1f |
| SHA512 | be1b23a563a2b4f6b658df3f8075d48bf3921c5951a6fbe77c24a0949997e068403f5bcaa3f93030b01d7a69b1aa74ce06f37038c30145e03a9822f4854f7c0d |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_id.dll
| MD5 | 5b5366c7779dc9ce9f3a15b6f22289ac |
| SHA1 | d9995fee337b9696be970a2a48a845ed71bd7d2b |
| SHA256 | da6d5c982387286396f54c043bacf106f78fc76db4a33984c8b2cb88882fc9b3 |
| SHA512 | 35362a3719833449bd9e757194f9b0b28c3d68a0c62f52d224b1cd5eca5a2343e1db868668e2b30d927a1966b5db5cd0b2230d7f4576627e486eb3a86913b195 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_hu.dll
| MD5 | e56f98d6b32f82f391d5b087a135a7ec |
| SHA1 | c8de62b4b22a8153cb788e03f7e04c55a5ae5396 |
| SHA256 | 236252a34d2efdb4e801bd827a791935aadfe6c0a471f1b252d9bf2d291a6bae |
| SHA512 | 45b9933478505759e7217a65e3a054885841c5ae9bc58983c6cb216ea2a15c53f45ecfb6b40fee07d54c289819ddc2161a651e5183e244e0f43946176f224c8a |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_hr.dll
| MD5 | 8bbd58f9644187747407b0a18c60aa0a |
| SHA1 | 82888f3f2ce1dd7b9b3f5ac26bed0a6da5601dff |
| SHA256 | 35008c4ea7f22ac78d28e72311d4b3fa28d6af24072fa94558a9b3771a4b545e |
| SHA512 | 1fa7d62692062c1d22e3fe0e5c15bfbb2def115be2991001a998fcc6bbb5983d9343b06172e8f38b245587b15762b655ef58ec508160b576779963e5889efca8 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_hi.dll
| MD5 | 6b97796e1746317567ed7cffe9441d3b |
| SHA1 | dd269b22021eb37fe854ff181a09bf7f9568f7ac |
| SHA256 | a4ce75f6b1de6a2500bfd6b0ebc1c268cb3d7080dc9e7661bedd9361f7215d42 |
| SHA512 | f1856ac881de7acb7f61f2d7c1d064458855c3621fcfa951f1d1207f3d85fd6f64b26547ea1391c4145bdeee23e6611acb2fe80b8c1258dd108085e371d34d73 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_gu.dll
| MD5 | 951dfd4709b3fdbe79a6e43828387592 |
| SHA1 | 0c7bbf1852135456692970639869618fb616ba5e |
| SHA256 | 21c72dc48cd33291520e3f432d8d59ec103496ab6508f41fa1b081b3bdf98bb8 |
| SHA512 | b338c345db00135ceb3577a67bcbc36b37be742e39aa6a333bac93ba20ab1463df55a381be95c9e9effaed4daa0ce93203ff2994459f9a23813dc0afdff03e8d |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_gl.dll
| MD5 | be03945025cc2f68f8edd4e1ca3c32b7 |
| SHA1 | d4b1c83f6b72796377bfd3b42c55733eed8fc5e4 |
| SHA256 | aa95c108db3582a4be98fe83519aab3fed09c8cc9b326469edb89871d6562373 |
| SHA512 | a03656acfc123f06a071f0e326ce15bf17e2efe080fa276acd50cb40e35000d74a3d0762da327c59a7564bb3f03532bf04c733ae850852f62ce71fd513e9080a |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_gd.dll
| MD5 | 6de337fa9f131077042f7ce421a9fa42 |
| SHA1 | 25e21b64cdf60a1da2f940b3c873eefd680a5fc9 |
| SHA256 | 263e07308785bd7e510eda95499ab3d3d66942f0bfd0a5722258e2a87b5d0a90 |
| SHA512 | e747fc105c4ede0d4f73492e3757975a9410499caf867bc149cd43bdbf1be03d3df82fe04c7cf99e3ad6ee06fb5011fc5b069bd502c2f3b3e578f587d0362e3d |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_ga.dll
| MD5 | f7b123f6dd6c8d8832a8bb8b7831e42c |
| SHA1 | 7e9524b79036568b2b4446ee00c76460fb791c6d |
| SHA256 | 119b9e288832f2a4d47d63b693bb195a72f27e9c0aa014b2c3ccd5d185f7afc7 |
| SHA512 | 6bd457d1e3f943a4ca5a1d36907fe526a4f2965a8411280a2988ef1d264203af0797365c1306e7ce103cabec2ead17d194f20848b4c665e986705c3ed6e291c9 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fr-CA.dll
| MD5 | 8e1793233c6e05eeaf4fe3b0f0a4f67c |
| SHA1 | 97697fe9ba6b3cb5cfe87bb94587c724ed879c3b |
| SHA256 | b9caaa668b71964316ee15e6e49f8ae81e5ed167fdb69fc31bc6df834ab4e7a5 |
| SHA512 | 3d2fbf5e05e7b9e21c85ad7f59db9556046e4c1755f0b138d6de38eeadd3480e772e35798f9339aa7daffbf92afbc385f9c0bb4e4f5c65292dff3b280f52bd6f |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fr.dll
| MD5 | 5e63ac4b5abe6c84f305898a0f9ba0bb |
| SHA1 | e70baf6f175c297a9b491272ce8f131ba781553c |
| SHA256 | 711b5968d2116d7e97aa5852ec864db35d3c186f341fb024cd1ef4525256131a |
| SHA512 | c383e4df4337bf9a66f684dabd2faa95cb49abb424c76d0603f91af7b7260be5b2877246da293d5df83fdb59d291d63a7d73303c34682a50ea84a8fcd7d6e874 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fil.dll
| MD5 | 6b2319c3634103272f39fc71d7f95426 |
| SHA1 | a1d692a68c5cbb70d29a197ec32c9529c15a0473 |
| SHA256 | 28c610ba7f8332be050c30e296acaee423bc0a7a9cacc7b3d60618e284ff9cfa |
| SHA512 | 51738dd14b410c689ed56530ac555824c773bcb163f4dbaddc86e684e04c1f06271001f0b2bef7d6231f17231b2e3e35f9aba2974c48eff6d1a8ab877e5a6031 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fi.dll
| MD5 | a9b037f7bc8f5b382bf6c69b993dbeb1 |
| SHA1 | 7beb733f3561ac3083a3dfca3b7644c5154e1330 |
| SHA256 | b498d1b38a81199b62a98a0e36aa9e955e1c0143436908538314089c0e59d128 |
| SHA512 | a63c1e1a4d8d2e5043e0cdc420d1c545b0adbcdaa1a65f09454d47cc9642c1ffcb16e76454e90c75fd88f29917024b11418a606acbd560a98b79cd8631186332 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_fa.dll
| MD5 | c4cb44ee190c5aa8dd7749659437e5cc |
| SHA1 | 667f4aa01a4262fff2e01838f94330c0ebc285a2 |
| SHA256 | dc184d54d00d51d2f8de623c0c4b07e9408f7b02e1f1085107edaf14dcbee136 |
| SHA512 | 0330d733e89811c4a89deb202ec517de3128ad266483f37bd8d91eb6e45336febf7297da4f3465c683ed1b6e08114d6a3f52ff74484276509b9816ae7dccbb10 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_eu.dll
| MD5 | c0da1ad8854f64b7988d70c9db199d5f |
| SHA1 | b184335283bf0026615f2a4a120fda87961c774b |
| SHA256 | 73190820d59e5bfe769b82ada48b0c9ed353524bd5cab303f5175d7d9bbb74ee |
| SHA512 | 424ef2d0ceaba76b64c3349ec1ff5088cb8aff9103fb38da238c80e6452a967f3dca09860b2b8fe9c01e20bebadc539960a5bc241a91bab98bfedf29c2f777ea |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_et.dll
| MD5 | 111118683f6e8ed7ceb11166378aebb0 |
| SHA1 | fd3e1cf198885ab5d9082d540d58f983d8a0f5ff |
| SHA256 | 5cc4930c50716138e25987baacb9a9aed7d30ff5c0ac927e35f7fc006f5179c4 |
| SHA512 | cc3480f05d8d59d3d705204e15ff6453a6d9c77bdb1011d069bb1f83b3d4e14204f19caa7e7ecbb6e3ed92d429ac46940791903440fbfeca2f7e7e12b9a47f6c |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_es-419.dll
| MD5 | dc8fcfbcd75867bae9dc28246afc9597 |
| SHA1 | 8fd9361636303543044b2918811dbdab8c55866c |
| SHA256 | 3deb382ffdfbd2d96ff344ec4339f13703074f533241f98f0ccd8d3f8c98f4bd |
| SHA512 | ac8fbf033677a6862f3d02cf93bf1838c24f006b40fd44336ae13ecc2287ae4c733cc3d601e39556586131e8a9e2d930814399ac68165a26458a6cbf51b11d32 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_es.dll
| MD5 | 9c0ef804e605832ba0728540b73558a7 |
| SHA1 | a305f6b43a3226120d3010ca8c77441f6a769131 |
| SHA256 | 626835e07c1fc4ab670127682f3e5225881a2d4ddea873c5271e9032668fa641 |
| SHA512 | c27a4b24600bdd33a4f9430e8d4d8f7f3718efcaf2d1ec36023e34b996817af79b5a9baeea1506f97d2716c9b2b5509bbc1bf4d7cab779554eebadaa8c942dfe |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_en-GB.dll
| MD5 | fe685e8edec8a3b3c16e7954b787e118 |
| SHA1 | ac71544158bf86d357d78d003f5ff2b4b5fd4ef3 |
| SHA256 | 4b60ce6e3c8f725ad8e88cd0d0a3f0155a7145915670a532fe1143fb2dfbf49e |
| SHA512 | e30d12a607d1c6fd2060ab38f443af680f8c8655900b0a21f3f0b488033f9300915667bdfa59ff4fd3488f58ac52c7f5598ff5078bf849bd177d1d8c10533f04 |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_el.dll
| MD5 | 3d22a75afd81e507e133fe2d97388f2e |
| SHA1 | f7f68cb6867d8c6386438d5a6e26539be493505b |
| SHA256 | 823fe6edc1fb0ebdfb8ebbaa2d36f6dc0424c8f26b6594a390ae0eaafd319ab0 |
| SHA512 | 34a62ebe8d057a6f6e6f6b2672ebb95d4d7c49e739f4beee4bbfb5e917b7176aba4d70b0e84bd727c967d0885c08264dfb42371fe0d3fe4f8f12dbb1e26ca69a |
C:\Program Files (x86)\Microsoft\Temp\EUEEA6.tmp\msedgeupdateres_de.dll
| MD5 | 970e46bfaca8f697e490e8c98a6f4174 |
| SHA1 | 2bc396e8f49324dee9eb8cc49cdb61f5313130d9 |
| SHA256 | eeff2c2487c6456e6a3ed43fe5fbb9d3b72e301d3e23867b5d64f5941eb36dcb |
| SHA512 | 789f29ee2c34d86da5c69225bb8b2fd96273c20146126c28d3d36a880bbda5b16ace479ce59aafdf645328255105133f489278023e63e04e9fa1fb34cc1f3ae1 |