dcrat | hxxps://disk[.]yandex[.]ru/d/vhiKrR_G9A9ovg

Analysis

max time kernel
289s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/vhiKrR_G9A9ovg

Score

10^/10

dcrat defense_evasion discovery infostealer persistence ransomware rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Clears Windows event logs 1 TTPs 64 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
4364	wevtutil.exe
1612	wevtutil.exe
396	wevtutil.exe
3956	wevtutil.exe
3460	wevtutil.exe
4448	wevtutil.exe
4612	wevtutil.exe
3992	Process not Found
3768	Process not Found
3368	wevtutil.exe
116	wevtutil.exe
4072	wevtutil.exe
2656	wevtutil.exe
3904	wevtutil.exe
992	wevtutil.exe
2688	Process not Found
1240	wevtutil.exe
4884	wevtutil.exe
3700	wevtutil.exe
1508	wevtutil.exe
2200	wevtutil.exe
3520	wevtutil.exe
2276	wevtutil.exe
5108	wevtutil.exe
2512	wevtutil.exe
412	wevtutil.exe
1768	wevtutil.exe
4252	wevtutil.exe
820	wevtutil.exe
5036	wevtutil.exe
4884	wevtutil.exe
1352	wevtutil.exe
1336	wevtutil.exe
4748	wevtutil.exe
3884	wevtutil.exe
1712	wevtutil.exe
764	wevtutil.exe
1444	Process not Found
3988	wevtutil.exe
3524	Process not Found
3120	Process not Found
3520	wevtutil.exe
2340	wevtutil.exe
2512	wevtutil.exe
2980	wevtutil.exe
2232	wevtutil.exe
5028	wevtutil.exe
2784	wevtutil.exe
3688	wevtutil.exe
4660	Process not Found
3384	wevtutil.exe
4116	wevtutil.exe
1596	wevtutil.exe
2992	wevtutil.exe
5000	Process not Found
2904	Process not Found
3904	wevtutil.exe
2776	wevtutil.exe
2908	wevtutil.exe
5092	wevtutil.exe
4912	wevtutil.exe
2148	wevtutil.exe
3748	wevtutil.exe
1184	wevtutil.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TiWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TiWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TiWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TiWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TiWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ComponentBrowserruntimeHostNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ComponentBrowserruntimeHostNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TiWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TiWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ComponentBrowserruntimeHostNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe

Executes dropped EXE 24 IoCs

pid	Process
5092	svhost.exe
3784	DCRatBuild.exe
8	svchost.exe
452	ComponentBrowserruntimeHostNet.exe
528	TiWorker.exe
736	TiWorker.exe
4284	TiWorker.exe
2124	TiWorker.exe
3992	TiWorker.exe
2340	TiWorker.exe
4448	svhost.exe
444	DCRatBuild.exe
1688	svchost.exe
3668	TiWorker.exe
3792	ComponentBrowserruntimeHostNet.exe
4476	svhost.exe
3460	DCRatBuild.exe
2340	svchost.exe
1468	ComponentBrowserruntimeHostNet.exe
2684	TiWorker.exe
820	ComponentBrowserruntimeHostNet.exe
3436	ComponentBrowserruntimeHostNet.exe
4520	1.exe
1112	2.exe

Loads dropped DLL 8 IoCs

pid	Process
4520	1.exe
4520	1.exe
4520	1.exe
4520	1.exe
1112	2.exe
1112	2.exe
1112	2.exe
1112	2.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
992	wevtutil.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Windows\SysWOW64\sr-Latn-RS\cd89ddd3d81b06	ComponentBrowserruntimeHostNet.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4520	1.exe
4520	1.exe
1112	2.exe
1112	2.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Modules\StartMenuExperienceHost.exe	ComponentBrowserruntimeHostNet.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\StartMenuExperienceHost.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\WindowsPowerShell\Modules\55b276f4edf653	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5b884080fd4f94	ComponentBrowserruntimeHostNet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2744	PING.EXE
960	PING.EXE
1240	PING.EXE
3600	PING.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3740	wevtutil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133821804312074159"	chrome.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TiWorker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TiWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TiWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DCRatBuild.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TiWorker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	ComponentBrowserruntimeHostNet.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	ComponentBrowserruntimeHostNet.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TiWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DCRatBuild.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TiWorker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TiWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	ComponentBrowserruntimeHostNet.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2796	NOTEPAD.EXE
3384	NOTEPAD.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
960	PING.EXE
1240	PING.EXE
3600	PING.EXE
2744	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe
452	ComponentBrowserruntimeHostNet.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3672	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe
Token: SeShutdownPrivilege	3380	chrome.exe
Token: SeCreatePagefilePrivilege	3380	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe
3380	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4368	3380	chrome.exe	83
PID 3380 wrote to memory of 4368	3380	chrome.exe	83
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 3184	3380	chrome.exe	84
PID 3380 wrote to memory of 4892	3380	chrome.exe	85
PID 3380 wrote to memory of 4892	3380	chrome.exe	85
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86
PID 3380 wrote to memory of 724	3380	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://disk.yandex.ru/d/vhiKrR_G9A9ovg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa82b5cc40,0x7ffa82b5cc4c,0x7ffa82b5cc58
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4536,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5516,i,4782682331094005972,3857288815530614560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2624

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\crak 29.08.2024.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3900

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\29.08\t.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2796

C:\Users\Admin\Desktop\29.08\svhost.exe
"C:\Users\Admin\Desktop\29.08\svhost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5092
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\vPhH1HnyBxDtrEhpf3GmR9c5gyJWaUrMaFSxCaQ1y.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\y5YWdpxBOATUIqwEb17TtWsIEQj.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3188
    - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
        
        "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Tmiznneli.bat"
        6⤵
        
        PID:4280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:796
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5L6QW14j7D.bat"
        8⤵
        
        PID:4912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAOW7F8RUK.bat"
        10⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2744
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KPSM4TCvyK.bat"
        12⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:960
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fp8c0TPT53.bat"
        14⤵
        
        PID:4496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gtOlnDcdUa.bat"
        16⤵
        
        PID:3588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\079l6K9pbh.bat"
        18⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:848
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat"
        20⤵
        
        PID:5116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3600
        
        C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe
        
        "C:\Windows\SysWOW64\sr-Latn-RS\TiWorker.exe"
        21⤵
        Executes dropped EXE
        
        PID:2684
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:8

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\29.08\123.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3384

C:\Users\Admin\Desktop\29.08\svhost.exe
"C:\Users\Admin\Desktop\29.08\svhost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4448
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\vPhH1HnyBxDtrEhpf3GmR9c5gyJWaUrMaFSxCaQ1y.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:3160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\y5YWdpxBOATUIqwEb17TtWsIEQj.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4992
    - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
        
        "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\079l6K9pbh.bat"
        6⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3644
        
        C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
        
        "C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat"
        8⤵
        
        PID:4212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2132
        
        C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
        
        "C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe"
        9⤵
        Executes dropped EXE
        
        PID:3436
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1688

C:\Users\Admin\Desktop\29.08\svhost.exe
"C:\Users\Admin\Desktop\29.08\svhost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4476
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\vPhH1HnyBxDtrEhpf3GmR9c5gyJWaUrMaFSxCaQ1y.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\y5YWdpxBOATUIqwEb17TtWsIEQj.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:464
    - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
        
        "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
        5⤵
        Executes dropped EXE
        
        PID:820
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2340

C:\Users\Admin\Desktop\29.08\1.exe
"C:\Users\Admin\Desktop\29.08\1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4520

C:\Users\Admin\Desktop\29.08\2.exe
"C:\Users\Admin\Desktop\29.08\2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\29.08\123.bat" "
1⤵
PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit
  2⤵
  PID:4060
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil.exe el
  2⤵
  PID:1460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe el
    3⤵
    PID:4716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AMSI/Debug"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AirSpaceChannel"
  2⤵
  PID:2232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Analytic"
  2⤵
  PID:1420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Application"
  2⤵
  PID:1352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowFilterGraph"
  2⤵
  PID:4732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowPluginControl"
  2⤵
  PID:4588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Els_Hyphenation/Analytic"
  2⤵
  PID:3668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "EndpointMapper"
  2⤵
  PID:3512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "FirstUXPerf-Analytic"
  2⤵
  PID:2172
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "ForwardedEvents"
  2⤵
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "General Logging"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "HardwareEvents"
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "IHM_DebugChannel"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
  2⤵
  PID:3588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
  2⤵
  PID:3988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
  2⤵
  PID:3056
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Internet Explorer"
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Key Management Service"
  2⤵
  PID:1720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
  2⤵
  PID:2208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationFrameServer"
  2⤵
  - Clears Windows event logs
  PID:4072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProc"
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProcD3D"
  2⤵
  - Clears Windows event logs
  PID:4748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationAsyncWrapper"
  2⤵
  PID:4708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationContentProtection"
  2⤵
  - Clears Windows event logs
  PID:4884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDS"
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDeviceProxy"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMP4"
  2⤵
  - Clears Windows event logs
  PID:2980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMediaEngine"
  2⤵
  PID:824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformance"
  2⤵
  - Clears Windows event logs
  PID:5108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformanceCore"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPipeline"
  2⤵
  PID:184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPlatform"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationSrcPrefetch"
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Admin"
  2⤵
  PID:1012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Debug"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Operational"
  2⤵
  PID:2468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:3100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
  2⤵
  PID:856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
  2⤵
  PID:2124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IE/Diagnostic"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
  2⤵
  PID:1076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:3768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  PID:764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  PID:1688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  PID:2796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:4500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  PID:848
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
  2⤵
  PID:536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
  2⤵
  PID:2232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
  2⤵
  PID:1420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
  2⤵
  - Clears Windows event logs
  PID:1352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
  2⤵
  PID:4732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
  2⤵
  PID:4588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
  2⤵
  PID:3668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
  2⤵
  PID:3512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
  2⤵
  PID:2172
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
  2⤵
  PID:2784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
  2⤵
  PID:3980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
  2⤵
  PID:4604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
  2⤵
  PID:2700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppSruProv"
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
  2⤵
  PID:3164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
  2⤵
  PID:3748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
  2⤵
  PID:1440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
  2⤵
  - Clears Windows event logs
  PID:3368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
  2⤵
  PID:3972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
  2⤵
  PID:3556
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
  2⤵
  PID:4992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
  2⤵
  PID:2512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
  2⤵
  PID:4912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
  2⤵
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
  2⤵
  - Clears Windows event logs
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
  2⤵
  PID:3188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
  2⤵
  PID:4428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
  2⤵
  PID:444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
  2⤵
  PID:2780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
  2⤵
  PID:1596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
  2⤵
  PID:2340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
  2⤵
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
  2⤵
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
  2⤵
  PID:3952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Backup"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
  2⤵
  PID:5112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
  2⤵
  PID:3588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
  2⤵
  - Clears Windows event logs
  PID:3988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
  2⤵
  PID:4604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
  2⤵
  PID:3164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
  2⤵
  PID:3748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
  2⤵
  PID:5092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/Call"
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
  2⤵
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
  2⤵
  PID:3188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
  2⤵
  PID:4428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
  2⤵
  PID:444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
  2⤵
  PID:2780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
  2⤵
  PID:1596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
  2⤵
  PID:2340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
  2⤵
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
  2⤵
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
  2⤵
  PID:3952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
  2⤵
  PID:5112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
  2⤵
  PID:3588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
  2⤵
  PID:3988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
  2⤵
  PID:4604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
  2⤵
  PID:3164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
  2⤵
  - Clears Windows event logs
  PID:3748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
  2⤵
  - Clears Windows event logs
  PID:5092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
  2⤵
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
  2⤵
  PID:3188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
  2⤵
  PID:4428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
  2⤵
  PID:444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
  2⤵
  PID:2780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
  2⤵
  PID:1596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
  2⤵
  - Clears Windows event logs
  PID:2340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
  2⤵
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
  2⤵
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
  2⤵
  PID:3952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
  2⤵
  - Clears Windows event logs
  PID:3384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
  2⤵
  PID:5112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
  2⤵
  PID:3588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
  2⤵
  PID:3988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
  2⤵
  PID:4604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
  2⤵
  PID:3164
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
  2⤵
  PID:3748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
  2⤵
  PID:5092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
  2⤵
  - Clears Windows event logs
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
  2⤵
  PID:2752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
  2⤵
  PID:848
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
  2⤵
  PID:4376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
  2⤵
  PID:2968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
  2⤵
  PID:1420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
  2⤵
  PID:1444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
  2⤵
  PID:2544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
  2⤵
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
  2⤵
  PID:2412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
  2⤵
  PID:4764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
  2⤵
  PID:3784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
  2⤵
  PID:1628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
  2⤵
  PID:2276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
  2⤵
  PID:100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
  2⤵
  PID:3056
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
  2⤵
  PID:2256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
  2⤵
  PID:2700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
  2⤵
  PID:2208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
  2⤵
  PID:2396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
  2⤵
  PID:4708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
  2⤵
  - Clears Windows event logs
  PID:4884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
  2⤵
  PID:2200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
  2⤵
  PID:1040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
  2⤵
  PID:2704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
  2⤵
  PID:3672
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
  2⤵
  PID:3556
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
  2⤵
  PID:1012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
  2⤵
  PID:364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
  2⤵
  PID:3100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
  2⤵
  PID:856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
  2⤵
  PID:2904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
  2⤵
  - Clears Windows event logs
  PID:5036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
  2⤵
  PID:2012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
  2⤵
  PID:2464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
  2⤵
  PID:1336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
  2⤵
  - Clears Windows event logs
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Help/Operational"
  2⤵
  PID:1468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
  2⤵
  PID:4036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
  2⤵
  PID:2408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
  2⤵
  PID:3668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
  2⤵
  PID:3512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
  2⤵
  PID:2172
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
  2⤵
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
  2⤵
  PID:2784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
  2⤵
  PID:2088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
  2⤵
  PID:3980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
  2⤵
  PID:3944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
  2⤵
  PID:1516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
  2⤵
  PID:2148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
  2⤵
  PID:4748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
  2⤵
  PID:5000
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
  2⤵
  PID:2248
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
  2⤵
  PID:824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
  2⤵
  PID:3368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
  2⤵
  PID:4992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
  2⤵
  - Clears Windows event logs
  PID:2512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:4912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
  2⤵
  PID:4044
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
  2⤵
  PID:2904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
  2⤵
  PID:5036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
  2⤵
  PID:2012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
  2⤵
  PID:2464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
  2⤵
  - Clears Windows event logs
  PID:1336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
  2⤵
  PID:4500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
  2⤵
  PID:3700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
  2⤵
  PID:536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:5028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
  2⤵
  PID:3608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
  2⤵
  PID:4220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
  2⤵
  PID:1352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
  2⤵
  PID:4732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
  2⤵
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
  2⤵
  PID:2684
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
  2⤵
  PID:4176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
  2⤵
  PID:1220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
  2⤵
  PID:796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
  2⤵
  PID:4148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
  2⤵
  PID:1720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
  2⤵
  PID:4328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
  2⤵
  PID:3436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
  2⤵
  PID:2980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
  2⤵
  PID:1440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
  2⤵
  PID:3972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
  2⤵
  PID:4984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
  2⤵
  PID:4344
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
  2⤵
  PID:2744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
  2⤵
  PID:384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
  2⤵
  PID:2040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
  2⤵
  PID:1332
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
  2⤵
  PID:1076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
  2⤵
  PID:2352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
  2⤵
  PID:764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
  2⤵
  PID:1688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
  2⤵
  PID:2796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
  2⤵
  PID:4428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
  2⤵
  - Clears Windows event logs
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
  2⤵
  PID:444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
  2⤵
  PID:2780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
  2⤵
  - Clears Windows event logs
  PID:1596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
  2⤵
  PID:3608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
  2⤵
  PID:4220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
  2⤵
  PID:1240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
  2⤵
  PID:1508
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
  2⤵
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
  2⤵
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
  2⤵
  PID:4764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
  2⤵
  - Clears Windows event logs
  PID:116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
  2⤵
  PID:2276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
  2⤵
  PID:3588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
  2⤵
  PID:3944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
  2⤵
  PID:1516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
  2⤵
  PID:3576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
  2⤵
  PID:5000
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
  2⤵
  PID:2248
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
  2⤵
  PID:824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
  2⤵
  PID:364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
  2⤵
  PID:1952
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
  2⤵
  - System Time Discovery
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
  2⤵
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
  2⤵
  - Clears Windows event logs
  PID:1768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
  2⤵
  PID:384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
  2⤵
  PID:2040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
  2⤵
  PID:2420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
  2⤵
  PID:3792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
  2⤵
  PID:1336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
  2⤵
  PID:2752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
  2⤵
  PID:4500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
  2⤵
  - Clears Windows event logs
  PID:3700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
  2⤵
  PID:536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
  2⤵
  PID:5028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
  2⤵
  PID:2968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
  2⤵
  PID:2132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
  2⤵
  - Clears Windows event logs
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
  2⤵
  PID:3668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
  2⤵
  PID:2684
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
  2⤵
  PID:1628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
  2⤵
  PID:3980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
  2⤵
  PID:100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
  2⤵
  PID:4612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
  2⤵
  PID:3988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
  2⤵
  PID:1720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
  2⤵
  PID:4328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
  2⤵
  - Power Settings
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
  2⤵
  PID:2980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
  2⤵
  PID:1440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
  2⤵
  PID:3972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
  2⤵
  PID:4984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
  2⤵
  PID:4344
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
  2⤵
  PID:2744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
  2⤵
  PID:4992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
  2⤵
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
  2⤵
  PID:1332
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
  2⤵
  PID:3352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
  2⤵
  PID:2464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
  2⤵
  - Clears Windows event logs
  PID:1712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
  2⤵
  - Clears Windows event logs
  PID:764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
  2⤵
  PID:1112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
  2⤵
  PID:3188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
  2⤵
  PID:3700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
  2⤵
  PID:1468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
  2⤵
  PID:4036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
  2⤵
  PID:1420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
  2⤵
  PID:4220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
  2⤵
  - Clears Windows event logs
  PID:1240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1508
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
  2⤵
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
  2⤵
  PID:2908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
  2⤵
  PID:2784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
  2⤵
  PID:4764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
  2⤵
  PID:2256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
  2⤵
  PID:2700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
  2⤵
  PID:2208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
  2⤵
  PID:2396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
  2⤵
  PID:4708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
  2⤵
  PID:4884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
  2⤵
  PID:1040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
  2⤵
  PID:2704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
  2⤵
  PID:3100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
  2⤵
  PID:2448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
  2⤵
  PID:4912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
  2⤵
  PID:2384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
  2⤵
  PID:5012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
  2⤵
  PID:2012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
  2⤵
  PID:960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
  2⤵
  PID:3768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
  2⤵
  PID:2352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
  2⤵
  PID:4660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
  2⤵
  PID:848
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
  2⤵
  PID:4500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
  2⤵
  PID:3012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
  2⤵
  PID:1596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
  2⤵
  PID:2408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
  2⤵
  PID:1432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
  2⤵
  PID:4732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
  2⤵
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
  2⤵
  PID:1824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
  2⤵
  PID:1512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
  2⤵
  PID:820
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
  2⤵
  PID:4924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
  2⤵
  PID:528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
  2⤵
  PID:3980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
  2⤵
  PID:100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
  2⤵
  - Clears Windows event logs
  PID:4612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
  2⤵
  PID:3988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
  2⤵
  PID:1720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
  2⤵
  PID:4328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
  2⤵
  PID:3964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
  2⤵
  - Clears Windows event logs
  PID:2512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
  2⤵
  PID:1612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
  2⤵
  PID:396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
  2⤵
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
  2⤵
  PID:1332
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
  2⤵
  PID:3792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
  2⤵
  PID:1112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
  2⤵
  PID:3188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
  2⤵
  PID:536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
  2⤵
  PID:5028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
  2⤵
  PID:2132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
  2⤵
  PID:3688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
  2⤵
  PID:3668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
  2⤵
  PID:2412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
  2⤵
  - Clears Windows event logs
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
  2⤵
  PID:1628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
  2⤵
  PID:4176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
  2⤵
  PID:796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
  2⤵
  PID:4148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
  2⤵
  PID:4604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
  2⤵
  - Clears Windows event logs
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
  2⤵
  PID:3576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
  2⤵
  PID:2200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
  2⤵
  PID:3436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
  2⤵
  PID:3964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
  2⤵
  PID:2512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
  2⤵
  PID:1612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
  2⤵
  PID:396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
  2⤵
  - Clears Windows event logs
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
  2⤵
  PID:1332
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
  2⤵
  PID:3792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
  2⤵
  PID:2776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Store/Operational"
  2⤵
  PID:1112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
  2⤵
  PID:3188
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
  2⤵
  PID:4376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
  2⤵
  PID:1596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
  2⤵
  PID:1420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
  2⤵
  PID:4220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
  2⤵
  PID:1240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
  2⤵
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
  2⤵
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
  2⤵
  PID:1512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
  2⤵
  - Clears Windows event logs
  PID:820
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
  2⤵
  PID:2784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
  2⤵
  PID:4764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
  2⤵
  PID:2276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
  2⤵
  PID:796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
  2⤵
  PID:4148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
  2⤵
  PID:4604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
  2⤵
  PID:3576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
  2⤵
  PID:2200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
  2⤵
  PID:3436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
  2⤵
  - Clears Windows event logs
  PID:992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
  2⤵
  PID:3964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
  2⤵
  PID:5016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
  2⤵
  PID:2512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
  2⤵
  - Clears Windows event logs
  PID:1612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
  2⤵
  - Clears Windows event logs
  PID:396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
  2⤵
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
  2⤵
  PID:3460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
  2⤵
  PID:1332
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
  2⤵
  - Clears Windows event logs
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
  2⤵
  PID:764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
  2⤵
  PID:2752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
  2⤵
  - Clears Windows event logs
  PID:2992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
  2⤵
  PID:1468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
  2⤵
  PID:2232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
  2⤵
  PID:5028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
  2⤵
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Filesize
1.8MB

MD5
93c2d73f29b59757c930215391b00b3a

SHA1
15db9a8926351a0b188bbb016fcca5f9eec8b542

SHA256
2f728fae3921228c8b37a84bb79e1738460bebba94b4d1b427f047a80e3c4c03

SHA512
b26e500f0c02ef62157de5266b25adf693ff385ec0c551091ce82005184e3933e9946e55c6b7ee23ed431fbac39d6ab493280d08538d7efe5e16931390278a6e

Download Submit
C:\HypercontainerServerhostDll\vPhH1HnyBxDtrEhpf3GmR9c5gyJWaUrMaFSxCaQ1y.vbe

Filesize
232B

MD5
2efa5d862a87d0d008284e52b1f78f34

SHA1
acc5a6713f64658f92646e60dee478217d91cfdd

SHA256
66d3d70662af4e3d55bf831a4e5f773e4cd241caa9e81991109896adf6902634

SHA512
7ecf24884eaaacf1e93ae453f6e132e40369092a37cb0786f60f43cb3b9627505e724f609de0eed8211398f66cecc74650ba17e87e0d496512b4c152cdfd08d7

Download Submit
C:\HypercontainerServerhostDll\y5YWdpxBOATUIqwEb17TtWsIEQj.bat

Filesize
107B

MD5
f7816dc3cf7e2b7d8ab1cc6603b644b1

SHA1
5c247f78a4712d7616797033d4eefa89b36eb893

SHA256
5a5a23d84f0937276647b25e848937cfcee9f9c33b69865bdf9405d219029531

SHA512
80f7864e7689f6cb70cb81fa403f629838c0a74675f33b1576e5d785cc9b9f97e9f6fcb5dd08ba779b20c471b3b9529f675f0454806e3d7b6f0adbc62a34990d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b3b5c17ae956966d6e568962a557998e

SHA1
05a26e53a8dd16983d6f095347cfab169c5f16d2

SHA256
c5306bb65cd44ae57261a42d46ffef8ae8d3dfdfc48d98a1ff3412a1180a9bdd

SHA512
bb6d3a7888ab2e390d09bbaa8b3b61785a210e5d09b1bc06788b329ed9ba1f6c62a0f32eafdb23baf3a882a9da8ed3eaffd482fdcdfed44b289f3240d1ef083f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
a6402961f993919c515ac74dd2d6a40a

SHA1
544bdf987efb933dd6c1b2f64e0f5ccd672d2141

SHA256
4d09a3175757ba8199c70d3c1196cefe1d3561e4fa9348154758410814d04cde

SHA512
e51d969901dacd48a8d580d8d8ffd0660af6fbbc6689816100c2366e4636b8de2147367f1c48e01222d30983a9d51ecc752d2cb3e9003d65bc0653a521a34a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
15cbedd65c4288f9789c307d19e9bd64

SHA1
74dbbce17f52e5176ae24a88af64b728dcedf328

SHA256
7a6b91ccb80786ed3e8e2a2936688866ef299ecf56f82556ebf990145b656753

SHA512
dcf4065f122035a16edc0879e2ab8fc85ba35a90058e3024a97910898b839698530bc20b3bb2786301e58888c3bb32118f97575a4fcc37a9dbd513f5a8b3dba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
236f5c56b33ccbdd5467c0cf107d1576

SHA1
636d92f5dc53a012a3ca4db2a7f256aa1a7d99dc

SHA256
3a00f3d91df30b5c421e833531cbba74fdec4da22d036f7eae5a89947133335e

SHA512
460764cfcf3544232e06c5c2a825cfdab1e742d8fb2e69e5bd11623d3b38c28fbb1128f266e2e3e775b9c3a98b2a87b697804679568e9fdc01de9ce3c8a3c134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c77497c5e17e07deb15e7a802c3fa31f

SHA1
f4855baa826e9c4688059cd3279ad857d7fc7c9d

SHA256
573588f89461c9e0cf31ac5c4158a792b0c16116a4d549d0bffcc6c46087a645

SHA512
2156b7f888e0a43f5864dd536167e251bf356bf49d1a45981e62838d9f8fa8062b575e4fae5ac48e95c5f3ab8dcf0b13d99731df1e31f2d3c080d796bbdc34b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
39aae4082a54d69ca0b142a699f32244

SHA1
9813a934f61bb806ab8a2c15120d240ddf3243ca

SHA256
750e20517f9d6e16ee0e42afdc1f783e9661eacc220d287bb5ab84656fe9fec3

SHA512
80c56cd1f434f9b2b8186847faed758df6e6c4a8a28fbc7cf5e5355fccfa2291e473a96e9c3018692979151d5254c34b9db5f0feed6e4e29978ac3490c5f17a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5d8f1bc34b56d10afed4bbabbade05e5

SHA1
765497f3ad57db51e0c8eda69e40637d55f03592

SHA256
22724ba0762dd0d79ac494a1eea614c5e8ce4c981743d14a803922ecedd3cb80

SHA512
0b4795a78b8bc0f4dc46531b6c677c850c84ab5c297d3175e17bc1141d60f708e8ad99383d2e44025144ad2fd0255e4535945cf2bb42c485a4692878410295b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
97b5a074fe2f68aed17eb527e767abf8

SHA1
de8fb0370302efb2bb2362b0581e1b9ae599b93f

SHA256
e024bf3df2d206b9b8c99d5034e2b451635482091ea94abfe0361d295178f29c

SHA512
3582aa0b0472f759deaf8a604e963fc367f95c0cf5a36d95454ca4b6a2da02175069c67f7eeb3197d2c82910535c246222520ec4fde9d8bdf4ca568bb2b5696d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ef89b8727da5d398fc54c2bf3aaa4b59

SHA1
e91f6771a33d9068da2c2ce550a42c75b43e5ca2

SHA256
95ec40d02d3d5176d43cd1feabe82ee007b4eab5fac19f94b171c51d01993d5e

SHA512
553d34bcdeed27529d399c6ffa374845a0c484cbcf6b2c5453af3d36788d11fbb5177734382675b421f4a61d91b7e68fceae669eab9ffacef4a4a189dfc8e027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
298d33937f8994217d8e6a034b136596

SHA1
6941167bd5a369389a124f1e47a9ff001d979ee1

SHA256
8e8dbf479443a035334d1bd7fec0d55b1b42889ef67dffb16d879078456d1823

SHA512
94464d02eb672932ec6eafa4f25cf47694247cb59323cf40afb0cc4fcf6f3cc69ac9324af3f0fdc6c843ceabd995cae1c48d708e5fd87cb4313f9b37904b4ac2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2daa52a0796470c65a69efefc0ac992

SHA1
fb18de14cad57b8b394190980933b37d38282305

SHA256
c53079a1869f88a825a4407912eba33c1b61c461acf0675a79dde106b2e7a356

SHA512
232f13194cf87029c1e61d6449697004291e322c1d9c4b4da07cfd1c82e7121f32a9e351b540864d497a686c31ff7ac766e2d131d83fd9ae91e8f9e0b76c6123

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b2af04b12d729b0f7d0b78a2a77d848

SHA1
605fe370f85ea087e33e05a4c0ebc0c94800da7e

SHA256
61b2fb538758aba2e825fc327c565360cbad5491ff80b4c4b1d2eefa35911f50

SHA512
5535cda591adc5f1b1b6acfd2d769ce8c77f7c9af141250a7d3bb4892ddf18d0e0b0f7b5fe2fc27417afac25ca362be705f287380fe7ccfc2762774b01957927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a243ef7aee3a94e91688451f2e252f0

SHA1
59774ebe1149c307aa2a89636c1bf37ad366185f

SHA256
7a8511619a888fcb80961b4882aa6d344af5d2e2518b1f8a41725070001bc142

SHA512
c54205fb8155b2a201ece342b19b79ea4da75ac74ba8c6b0ba9c451684111eb170a14b49682ce7fac5a6d1d557eb6dea5cabecb5e910265eb9401ef111c10009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb395a8c177e01732f6f4d6796a09845

SHA1
b09173183d29c147d9f179cf76f5703c43ff7727

SHA256
4ddca73f97433348b49266cdbf5870d51a1f94deacd95a2948e2e95257e26f0c

SHA512
84d1353bba88155f7423341dfee1587664b2ef7c1f32bac4543a19a7d0fa5fbce9f76c2fb16f51c2e35ed6171869a00d45308043725f90728006345d4728f9c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
859f2f5e8eeb93cfad1896393f241086

SHA1
016288ff9da9c708968940a091d5563ee3792208

SHA256
b244d364c35321a474d445e58a175e7ec713994c65173809f561288162e16e94

SHA512
79d63e86e5078f084dc3c44817521c2fe36f3de4fd2728176443d1c43bf207b576ec38f582de28feca23f71e570ef9c448408ddaa896ae2710e8671b001dd812

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d469a5e23009f3238c52379b4767841

SHA1
bc9bd8bde3ca56bc63a188f56d8dc40aec5a75e6

SHA256
847e30e552276f1327e1726aa090dce81eea92c1639ef399c90d668d34092de3

SHA512
b2d20d825b84195c7a16fd51b408fe5b5f8b8d7e170335b27b822ce84eb3baf5bd4d73dff30cb6a815831213a0c553f2c8ab82892c7e3231ccbdd06eed437ad3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87fa17c2e3dd3ccffc9680be6a1238be

SHA1
d955896a011c5259dbca3dec14d32dd0da0a7091

SHA256
32d653d4f330944ad57c9db122096bffe9a4f2413fade2a0d7d0a2e26cfd1f2b

SHA512
b4095645f3b55232763ad7b1c0f24bed40fde98e0bdf05e74e2029ea65c88abb0dd6498b06fac761bd80f5f3709d7d98eabdcd2325d629b770792f9698fa569b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3872323ccacc127bc4cea6cdfb2c6a67

SHA1
f78efe985736db140dfd2c5b3c24cd6ecdf4fd49

SHA256
c676c7094cfcc8efd3b74234fc1edb11ee86dd7c5e34c2e18a5272c8c97b1d92

SHA512
37c65e80f7230265a99390ce6caa8d0e70d50f2aba2972c79dd291c5f314c830b27c843ec1428448351ae5185c946ab1069b7fceb88d5d608c62214624c4c440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a94537930c22474115c94ff8ffac1d28

SHA1
7c64749978cd7391d72b26f8c1b222b28e258b2e

SHA256
76728406aab0cbd20ac31d885684ed76c2dbe4c317269a7fc0ab2a915a35e2a6

SHA512
4d67c3c043ee2f7be613b9b30390c9a45254ea2f2059390a1a870bcf22427677dabd86fb5267518ac75db49be39b3b328a638d92725c14fcf3d2044dd8b90073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5df4909e666bf2305b9028de175d84f3

SHA1
a3d82924ee0edff638afe0facff548d4c431c387

SHA256
9346a658027c6460351bf048ffd1b43c2f643160badd97175fc1523d62fb8a05

SHA512
d9e89c2b106c6eeee1840e5d058adac7f145b01e0d914e77a47f1ffde84d12a1f17d67baca3d06eb40f98b613a96f27bec240fc568e1d9de965f1ae7d2514311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b8278003762c7bb4db05ccac8c775a9

SHA1
e8ad0517feb954dd414e2d75c8c47d98ea034f16

SHA256
acadfe615402f9f60733c254bb99c89a049357191985233ee88062a8d694a054

SHA512
d85240c9c3115234fa11aedd884c78889afb534d62b2b8cbda6b2cd712a8ad7800a93693879ee5e72ed4e4e0d62fb3dabca2ab89193a1a4357feb8436bcfc895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4bc43f4378c28b6fd3d9da5169b78f38

SHA1
c2ed2446cd4d3a2a5b794bc11d2e707588ddf4fe

SHA256
57ad747dc78b45b63408290c05e574dcdf71ee28581de0ae413b0d4c9c0b19a8

SHA512
362c9da8168d3174bbb9bba245fa4e8cdf0ec0acebe6d386ba745dabd7ff9e74f7828db6b62281d1928464028dc7f2d04e6315e92af87b7ebb5083864d5be157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a85e60d71b5f3514fbb4b26f4d35b2aa

SHA1
528623678d1c95d260bea7a46ca1723e589f4d7b

SHA256
16bc9631b58cb6a63dcdcac029dd15feb9aa3c2ffce652385123f8dbe924f851

SHA512
2d9431210dbfbd8c75804245771d90dc8e69f4aa68ffec7b9b74a33a7641166809cce7624fcde4ac51cd0b799035b051f5f6a1ac4c5a040ad4d2eaebc200b933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c88615e01cb66682d63a502118041b3

SHA1
f995752c9e412277753dcc513e6cdf1f66fe2ed6

SHA256
6d843e48b1d1a53c97335a4ae2be4d50e66a1d1370c636af01251cdcfe866e49

SHA512
76d7b227ce8b1dd60cb9d0787e61e88bfe80804f5bb7826e0b22c9634906124c2a5aef2b76fd358fa31b6c430be309184597be8c8d1322df1c6b756f25ae6812

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0bea55e7e93ba0be5e9b926465ccf7fa

SHA1
b79f86f39e228da92fe30c07cee0b0e6f9b097a0

SHA256
cc68301c40bfc0116f4466ab2610283277c254b46cecb0b5a28c2db5368e91b4

SHA512
7dc1a08f119486ba6b5722117ff0bd75e911325013bede013e5c9d94650294b5fa2e8dd8eebf7e9b1182ff23c72a6f42197957338fd1a5f9dd398036643b1c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6126e99fdb60cb2efc01dcea95c4d3b

SHA1
762e747d27ee35d18404ec814e8a21e9e820f2fd

SHA256
1b7f20d2e5db7e91af867577f270771b644c2713198a49c9a870a88c7e47de22

SHA512
06c47c59ba1eba14929b82a452d2c521dceb482883ef9d17518db54caf232a4867621552f03febf11c3a590632cc5f03912ae447112c6b37e1ba37ba347e3ce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
096680119fcf84beccd329fadbaa9986

SHA1
b5a1f5815c617cd30c00c73506dd6ad66bc358d3

SHA256
cc374371aa40c7c1efa5a9f5340b417cec7660463d78637e9bf9b42404f97283

SHA512
a08203e3363072607b7a05d8834e1b14e281bb0e46f8a23675ad05e2099629fc149cefffbb60ab77729944a0a883be773627e9f8a1ad443ff2ad7834c89c294c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f1fadf93-8fea-4d4d-b45c-d60e78686f25.tmp

Filesize
9KB

MD5
c02b24e4858861458a9b43e6c15a4079

SHA1
8695ec29c382b25848903f18f3249d89461a2cdd

SHA256
d2f180ef651e690c4717211319c6109333793c44523f83240a645e0340b3f185

SHA512
dba6f202e30be6383b5ed28c94905377103cb8b53f4cb348a2dc31e525f37445df307cecb60eb2913bb4b473f95546dcd05ba5655e4f4663de570ddfd67147fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
80670eddc3d179750eb920af3941d7e0

SHA1
bc85a457755102a1e5761bca38055eb878b925a1

SHA256
4042d04c0893f8b9f76d2350395a74d116665af2c9b817f7284532ffc10551ce

SHA512
f13648f02b95b7bcb22533f849af024cc2072bd124d3c0f1ed1afbb897c410e0cc64c27e9240ce8b4a03101d84b9943402e310c47181196b87cc65883c547325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
29ec33432183c5c1f1b92977ee841908

SHA1
77671c8ad6a9509d1819f11d916e5400c96936bf

SHA256
2dcc5fc6f05ef3f37664aae1a763e4dd80cc6176a2eeda3aacc92c5b6acf14a1

SHA512
b852e5102f40abc2535aa35cf6092a5aed6300356ddbd475c2cb2574d1def802a14f3b272ec6ded9168e22a9a03c483551284951af2ee5bb4388f06ce92ed63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComponentBrowserruntimeHostNet.exe.log

Filesize
1KB

MD5
1eff74e45bb1f7104e691358cb209546

SHA1
253b13ffad516cc34704f5b882c6fa36953a953f

SHA256
7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

SHA512
44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TiWorker.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\079l6K9pbh.bat

Filesize
241B

MD5
ac70b682a0fe01eadd12cd58adfa6223

SHA1
277cc4ac0c15a403d5c47e1fea36922d9905b5e4

SHA256
45890a446ca594ae7f2de14f5087f8a58bd0db3614c3a966af3aa0d33cbc2bbb

SHA512
a4f1beedc307e2bca884eed9e844bcfa122b3c92ebaca1ffa650a80422eea5c0e340eecaa3af2ec283ae61ee2c665112d598db2de07f9c1e1178855db8a8befe

Download Submit
C:\Users\Admin\AppData\Local\Temp\079l6K9pbh.bat

Filesize
219B

MD5
12c03743d1287b038bf27ed9e9f520b2

SHA1
e968afbe84422955fa9cd927a6cdfd39da7cd6e5

SHA256
c40102ff85ea6c5c72adb0729a94117292d6afd1490557c4430262211a6c25a5

SHA512
3f6fe56f2e7e042541bb9984e07fca32b31e175975cf722c36e5dae1324ba48363a24a5e19e9336118e0de062cbfd520afd0fe6cbad88509c06d16023cf06fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5L6QW14j7D.bat

Filesize
219B

MD5
fe51d55f7f32d61240554a38c4ce9799

SHA1
47d48d6c933ee4f80a0050df020edabb89ddcf29

SHA256
286f4469fb2af39f26bdcd0b39b66cd23d5288edc1317c9d33af3a2f20d18b2c

SHA512
11464e1749a04869fb871b3955f4001a6632eb01e39a8e66b72b6390f036f2b8085460acbb11b0ef3dbadd3276661c204ddc52d46041b74ea7b16e598f675f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Tmiznneli.bat

Filesize
219B

MD5
6a57d3ac2a6ea9911a455c99e6edbcfa

SHA1
b2059d106d63ff71b637cb7fcbd8d770718bcfe4

SHA256
c93a4cd7f544e78c7db5e486b1f53550827edb0b76f7393eff3b0d720a927273

SHA512
46923514c7846b774190921da0deab20532aa28fabd820d94450789ad954f4e3ce1725151a4b628db5e6d69dbf17e8cc5e2d76978017181c744f46337c0e19b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.1MB

MD5
e58901382c8a3964a25542e842d7a76d

SHA1
80dde27a2ba93af164bf02f62fc7a5eea31b197a

SHA256
ff79f078ed43c84f723490322814f501984bba434e6879f3702acf01080a5c7c

SHA512
37c6853d24b7d758149849e9358b9adcb89a846d400459b0bd34161ab8d8b1a897e44182e696112f96f23336a8efea3372233d8c6f1e06218d0c1743acfdf371

Download Submit
C:\Users\Admin\AppData\Local\Temp\KPSM4TCvyK.bat

Filesize
171B

MD5
3c21723cca9a86af412f55bcc7f957f8

SHA1
a6983c836955a0dd68484307538907c3cfaf7bd1

SHA256
4c0d6f1513143c7240190474cbf8ddcb57267e7694812e0a2cbbac0b135bec69

SHA512
7c8441dd9ac1f33baeaa6346b71c70206e68d59e7ef4e7012d0691c6d368a75473425f6b2c7727b88597042c2762e1aa35886497117488fddbdf0703ea63c1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtOlnDcdUa.bat

Filesize
219B

MD5
6bfee4a50cee8b62c15808c35420efd4

SHA1
5ffb9c640a03f948bdd72935e76766b9f64c56bf

SHA256
6b50666e70a0544efc9e9e2afdcf1e2784a4fed91c9015a6ca9a25a68a68623d

SHA512
4f74aea739b125a55fe193fded542296ffbaacd038f795f48ded0609604d600e2a419ecf5acc8dc576bb4521a2bdd4ec4dd39aefd7075808d87a2c8b154330c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat

Filesize
171B

MD5
f84f1615cc37f1840040e1714c360898

SHA1
cb052cb76b642138cd796b498e43c49306ef0963

SHA256
1e3234f619c557924dd90fb3712a7e52dd94fcf844590993abc23541add65f3b

SHA512
2a61b41613909db069959e844688c4074f8a6090b933c558ebd73e4c1c7c612720f591145e0b0fdb4c5e0949b52878b3da3c3a74c7a3d95d73c29c41c21b2993

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
40.5MB

MD5
cb0f1a45937299ef4baf75241a5845b1

SHA1
4f38f7e88df74b1f296f4270f70160aab02bf8f1

SHA256
866fb869c20a5fbfd422d10d495153f92158cdf2ba1b7ff57a1450e4b2db7a2d

SHA512
d70fa3039688f59acf38e4d2aa3f4a31511b1c9bcee0bbd090d90928582ba524f6e112db9a7835bdc795f73fdcc1eeb4a3c27cd149fb472440e93a02859329d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAOW7F8RUK.bat

Filesize
171B

MD5
2d43bef524d5db0f82f6a1b8f4bf4f18

SHA1
1e8d845f501a6b34dd52335c5021304ed3557927

SHA256
bec3263c503a24877c59699fc554241d4fa6042012e3ae0cc9e5444548003395

SHA512
31cd67536635076d65f284c3590f131c61cbb2da51be6050759bd41c2566a96a3bfb181592d93f3acc3880994c89c2acca23f6a14b5d3179f40bea9b02595c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat

Filesize
241B

MD5
6bd3942e190210e9f1232fba2a67d5cb

SHA1
778ee2441d9abdfbcae1956d216f7d7a85ff74d3

SHA256
1d2d7ecfa30985b974a8b388a7b3b43b7afeee6f9aa872cb18eac33b852e0f82

SHA512
8d68e19b8334fce5b9f4643f894a411072664bfc3d1683b91f2e3792f2b65fc917529ea13ed9358e0c753c4cbcaf844f28c82cf37d907504df64c08621317e99

Download Submit
C:\Users\Admin\Desktop\29.08\1.exe

Filesize
12.8MB

MD5
f6976495ad2bd7f792c7456ddd3662e8

SHA1
5df8f040036213dce1dfe23145cacbc3d2eb698c

SHA256
20f59d742919c66a0f9f85ddab4c57af595591ec6efe4c75b17bf1de48472124

SHA512
e891fc89e2748d045891f064df0cc9499c87fdc8c58e7c8a198da26217a9281f8e56f4568641a85a206818e066342feeb5aa5a1904ce2ec92309e59cf06cee8f

Download Submit
C:\Users\Admin\Desktop\29.08\123.bat

Filesize
5KB

MD5
b8c06eaa1da2f19108a8aab3ccbf5206

SHA1
2bc8461115e63db1c8e57aa5678c8b72cb741078

SHA256
aa191cf68f601baf2f18e838afa5bff3d37e9773d3eeac4d8b1a668f58a5085b

SHA512
388eb7730e7ec92abf77957fafad22f1b594d2499bafb6310a433b380339b63b0a8310cc61f726e7b4f485895506f7115c861817470bd0778259c8322f71102b

Download Submit
C:\Users\Admin\Desktop\29.08\jsoncpp.dll

Filesize
196KB

MD5
904589f6c72235b985720b696e21d733

SHA1
051a163b8fdcda5709a727c4baabecf5c6e29d25

SHA256
73fd40586c57870d1f6f83be0559f4392e50f1c0496977e84ef61deaaaaba64f

SHA512
a45ee81ff6cd5402f444976654073da02cddebcbf54aa74ae452c08b09ae2618723aebd895526fb4d41fbaebbd8c378db540c9328202bf339905c0eb721e518b

Download Submit
C:\Users\Admin\Desktop\29.08\msvcp140.dll

Filesize
576KB

MD5
01b946a2edc5cc166de018dbb754b69c

SHA1
dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46

SHA256
88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5

SHA512
65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

Download Submit
C:\Users\Admin\Desktop\29.08\svhost.exe

Filesize
41.6MB

MD5
8a2ccc0f266b40d1b839a6e3cb14567c

SHA1
024d34b8929ff6e8556068ef3d7023c44f854590

SHA256
319d62b2a3ddc2c3332259c5d436af9cac48e0aa95b6b005b7e4dce9b08e01a8

SHA512
c2b26a41be9af319f2f294b4ff0132a545016891a56904d94a7b00b4b3d6c6a8c8cf9a997672bbc0fb5f93e907b6bb2fc093b59bae175d0c70104d4a8a9266ab

Download Submit
C:\Users\Admin\Desktop\29.08\t.txt

Filesize
2B

MD5
02e74f10e0327ad868d138f2b4fdd6f0

SHA1
bc33ea4e26e5e1af1408321416956113a4658763

SHA256
670671cd97404156226e507973f2ab8330d3022ca96e0c93bdbdb320c41adcaf

SHA512
14f70566435cea4309176ad6a8aebb69ac8f99e9e211df66227522b5bb37c7a52e1f4de42543e4bb5346dbce23a636c7237a42e67ff4888befcc2167f7c2b451

Download Submit
C:\Users\Admin\Desktop\29.08\vcruntime140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\Desktop\29.08\vcruntime140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
memory/452-515-0x000000001B300000-0x000000001B30E000-memory.dmp

Filesize
56KB

Download
memory/452-513-0x0000000000570000-0x000000000074A000-memory.dmp

Filesize
1.9MB

Download
memory/452-517-0x000000001B350000-0x000000001B36C000-memory.dmp

Filesize
112KB

Download
memory/452-518-0x000000001B710000-0x000000001B760000-memory.dmp

Filesize
320KB

Download
memory/452-520-0x000000001B6C0000-0x000000001B6D8000-memory.dmp

Filesize
96KB

Download
memory/452-522-0x000000001B310000-0x000000001B31C000-memory.dmp

Filesize
48KB

Download
memory/1112-775-0x0000000140000000-0x0000000141B4A000-memory.dmp

Filesize
27.3MB

Download
memory/4520-769-0x00007FFA92010000-0x00007FFA92012000-memory.dmp

Filesize
8KB

Download
memory/4520-770-0x00007FFA92020000-0x00007FFA92022000-memory.dmp

Filesize
8KB

Download
memory/4520-771-0x0000000140000000-0x0000000141463000-memory.dmp

Filesize
20.4MB

Download